Dropped Files | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Dropped Files | ZeroBOX

Name	8a9235655b1a499d_dllhost.exe Submit file
Filepath	C:\ProgramData\Dllhost\dllhost.exe
Size	62.0KB
Processes	2464 (BuildMiner.exe)
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4aa5e32bfe02ac555756dc9a3c9ce583`
SHA1	`50b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f`
SHA256	`8a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967`
CRC32	`8E7E3EE7`
ssdeep	`768:+vfLyCdU0puufOIK1Nekmd52a3bCnP2PmxeETwM:+3LE0pu59ikmdYebCnO+xeEsM`
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)
VirusTotal	Search for analysis

Name	e144da42dbd917ef_file_3.zip Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\extracted\file_3.zip
Size	1.5MB
Processes	2228 (7z.exe) 2100 (cmd.exe)
Type	Zip archive data, at least v2.0 to extract
MD5	`0072514eb26c2963cce32772b99065d6`
SHA1	`e6758c7d0b299597f667706d65bc9f7901dae449`
SHA256	`e144da42dbd917ef7abd9e6d828732cda483af9174df503030a255343ab9b5d1`
CRC32	`2D3F2F96`
ssdeep	`24576:ibI/7AAb+JQl3Vd02kOC/l5X4/KiROMdWbBkDC6SX39qbwK1ZNKdvLIJvQ27/M:iujCK3D0AC/l5mwbBkDWYb1ZN4UJ9zM`
Yara	zip_file_format - ZIP file format
VirusTotal	Search for analysis

Name	d3c3b3c9981bf3b8_BuildMiner.exe Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\BuildMiner.exe
Size	21.0KB
Processes	2372 (7z.exe) 2100 (cmd.exe) 1188 (conhost.exe)
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ae2373d2b1599971005dbc9ce20f174e`
SHA1	`b2be1df36f32d9138981b4307272389231056036`
SHA256	`d3c3b3c9981bf3b8ef1aba973744f584bca348c2b6ca937ae9432cfd257a8a0a`
CRC32	`6FDE0AD3`
ssdeep	`384:TebjjHZQ3NMofJHFrybCN906pXtM5PFNwN9zmvc4sOE15/uf8WrynX:ibjjHe31BgbGqBFNwcc4sOUNP`
Yara	UPX_Zero - UPX packed file Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware
VirusTotal	Search for analysis

Name	64929489dc8a0d66_killduplicate.cmd Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\KillDuplicate.cmd
Size	222.0B
Processes	1188 (conhost.exe)
Type	ASCII text, with CRLF line terminators
MD5	`68cecdf24aa2fd011ece466f00ef8450`
SHA1	`2f859046187e0d5286d0566fac590b1836f6e1b7`
SHA256	`64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770`
CRC32	`F14E4A56`
ssdeep	`6:vFuj9HUHOPLtInnIgvRY77flFjfA+qpxuArS3+xTfVk3:duj9HeONgvRYnlfYFrSMTtk3`
Yara	None matched
VirusTotal	Search for analysis

Name	530d2250b6b3d842_file_2.zip Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\extracted\file_2.zip
Size	9.6KB
Processes	2276 (7z.exe) 2100 (cmd.exe)
Type	Zip archive data, at least v2.0 to extract
MD5	`f57ee21a258d5cf468e72833634700f9`
SHA1	`8a18294deb997667253fc0308c2e37239a6183db`
SHA256	`530d2250b6b3d8427ab1c8b4b05d5e9d20ca4db90c7d12e11e4895ae200803cd`
CRC32	`D2232104`
ssdeep	`192:zcHvHPK6rUL0dmR3e6QPYK7HjLtJJsDisX3bv77CDhDF6foDxoQJSgXvEN:YvvK46O3Y4d81X3rneh88GQJpXvEN`
Yara	zip_file_format - ZIP file format
VirusTotal	Search for analysis

Name	344f076bb1211cb0_7z.exe Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\7z.exe
Size	458.0KB
Processes	1188 (conhost.exe)
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`619f7135621b50fd1900ff24aade1524`
SHA1	`6c7ea8bbd435163ae3945cbef30ef6b9872a4591`
SHA256	`344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2`
CRC32	`085DB415`
ssdeep	`6144:fz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV7+DHV:r1gL5pRTcAkS/3hzN8qE43fm78V`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature
VirusTotal	Search for analysis

Name	34ad9bb80fe8bf28_7z.dll Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\7z.dll
Size	1.6MB
Processes	1188 (conhost.exe)
Type	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5	`72491c7b87a7c2dd350b727444f13bb4`
SHA1	`1e9338d56db7ded386878eab7bb44b8934ab1bc7`
SHA256	`34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891`
CRC32	`D5226149`
ssdeep	`24576:S+clx4tCQJSVAFja8i/RwQQmzgO67V3bYgR+zypEqxr2VSlLP:jclmJSVARa86xzW3xRoyqqxrT`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsDLL - (no description) IsPE64 - (no description) PE_Header_Zero - PE File Signature Microsoft_Office_File_Zero - Microsoft Office File
VirusTotal	Search for analysis

Name	0510f1e57b0bc596_winlogson.exe Submit file
Filepath	C:\ProgramData\Dllhost\winlogson.exe
Size	7.9MB
Processes	2464 (BuildMiner.exe)
Type	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5	`0b021b93052fed386a4d094edae61ca8`
SHA1	`5b6a58cbe268db9128ab683a29d2b9a856d3588b`
SHA256	`0510f1e57b0bc5967a8b658cea729948219d578b6c9b3a036ff33b4a6a46e495`
CRC32	`E906DE07`
ssdeep	`98304:1qEqoiuD0Sl7r5qCEShFa+XWgUyeC6SmIaAgXMQ3AyCQRy1/ANwCZJu3ThnklTmn:bkSl7L7ztTLblSwNgIxlstyZI5Hd`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware
VirusTotal	Search for analysis

Name	d527cae4b5b2bbd6_AntiAV.data Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\extracted\AntiAV.data
Size	2.1MB
Processes	2276 (7z.exe) 2100 (cmd.exe)
Type	ASCII text, with very long lines, with no line terminators
MD5	`d1001294e7f5d511283d4b5bd6903145`
SHA1	`f57a0b8bf7780a9a41f495a223bca8d8a729fa23`
SHA256	`d527cae4b5b2bbd6686502a24c4ff7aba1bb3c067c2b93d052a5602f07ca5407`
CRC32	`E2950DFD`
ssdeep	`24576:5yZBPkpRrP9pxC+XvoflcYy36s3vb0EecYy37n92k8GtGAQZ67hR7krC/Cyf0/xu:R9kqGu7okoZscCnf0/Zs9N`
Yara	Suspicious_Obfuscation_Script_2 - Suspicious obfuscation script (e.g. executable files)
VirusTotal	Search for analysis

Name	609d93f6b218049a_logs.uce Submit file
Filepath	C:\ProgramData\HostData\logs.uce
Size	345.0B
Processes	2464 (BuildMiner.exe)
Type	ASCII text, with CRLF line terminators
MD5	`1859fa20873d289505107b99f7c0d015`
SHA1	`ae8237b937e8d20af3fab42a78264b211cdc7795`
SHA256	`609d93f6b218049a46cd168f814a1c26795745429f9215c269e77b6f25e63146`
CRC32	`50890E3D`
ssdeep	`6:DiYgE/ov8TSQpg4nSEiYgE/ov8TSQpg4nSdI7wXP1tNa5J/m+CxNQxN/y2AKUvn:uwg8+qSFwg8+qSktugq2Apv`
Yara	None matched
VirusTotal	Search for analysis

Name	a9220271c0eb79e5_d93f411851d7c929.customDestinations-ms~RF1b94b5f.TMP Submit file
Filepath	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1b94b5f.TMP
Size	7.8KB
Type	data
MD5	`b0c9ff441742f3847ea27da9dee7f2cd`
SHA1	`c42a1eb32ba953a0ce5d8635caabf71b5b281495`
SHA256	`a9220271c0eb79e5750e0d0e62058ecac560e09cdf9e82ef61aeeabada5d48a4`
CRC32	`0BBCAB1A`
ssdeep	`96:RutuCOGCPDXBqvsqvJCwo+utuCOGCPDXBqvsEHyqvJCworSP7Hwxf2lUVul:UtvXoxtvbHnorrxQ`
Yara	Antivirus - Contains references to security software Generic_Malware_Zero - Generic Malware
VirusTotal	Search for analysis

Name	0d2ca0b37b6345de_main.bat Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\main.bat
Size	477.0B
Processes	1188 (conhost.exe)
Type	Little-endian UTF-16 Unicode text, with no line terminators
MD5	`da1f8323b45ce050ee425ecb8bf1a098`
SHA1	`ac146bfebdd20e2ad0f2ef8847be04751b67f5d6`
SHA256	`0d2ca0b37b6345de456c7cdb32a755f7ddde2c244594485be8895991d373cba8`
CRC32	`868AD19A`
ssdeep	`12:QUp+CF16g64CTFMj2LIQLvSXW/PCVGrMLvmuCi1gH8crpPV:QUpNF16g632CkeSXW/PCVGYT6H8cD`
Yara	None matched
VirusTotal	Search for analysis

Name	55a5aa1208f3b69d_d93f411851d7c929.customdestinations-ms Submit file
Filepath	c:\users\test22\appdata\roaming\microsoft\windows\recent\customdestinations\d93f411851d7c929.customdestinations-ms
Size	7.8KB
Processes	2700 (powershell.exe)
Type	data
MD5	`7b163a350f7fc1b0ffcf8c67ff8c5bda`
SHA1	`00a723d1055605f7897fbe9b87eee3e4416b07b2`
SHA256	`55a5aa1208f3b69d07a00c0f4f1d9bc219373d5fabc578f8098850270f943107`
CRC32	`39D5BAB5`
ssdeep	`96:ItuCeGCPDXBqvsqvJCwo9tuCeGCPDXBqvsEHyqvJCworSP7Hwxf2lUVul:ItvXo9tvbHnorrxQ`
Yara	Antivirus - Contains references to security software Generic_Malware_Zero - Generic Malware
VirusTotal	Search for analysis

Name	11bd2c9f9e2397c9_winring0x64.sys Submit file
Filepath	C:\ProgramData\Dllhost\WinRing0x64.sys
Size	14.2KB
Processes	2464 (BuildMiner.exe)
Type	PE32+ executable (native) x86-64, for MS Windows
MD5	`0c0195c48b6b8582fa6f6373032118da`
SHA1	`d25340ae8e92a6d29f599fef426a2bc1b5217299`
SHA256	`11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5`
CRC32	`6B0323EB`
ssdeep	`192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature
VirusTotal	Search for analysis

Name	df050d69faa7a2fc_file_1.zip Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\extracted\file_1.zip
Size	9.4KB
Processes	2324 (7z.exe) 2100 (cmd.exe)
Type	Zip archive data, at least v2.0 to extract
MD5	`ccd3e3bcfc2f30d1162b52c3cb396139`
SHA1	`e0165fc7ecbc6517e7b5a0ec1db164682e01880f`
SHA256	`df050d69faa7a2fc297d43652619c7deb27259111fe6e9569d0937669de90164`
CRC32	`93339410`
ssdeep	`192:XlIh84Iik9T80uybK3/uJdIMLRryWbqbDNnKqo8oplqLFb3XIY8xqJJV:2h83RRu9uJdryWbqbDNnEqptx`
Yara	zip_file_format - ZIP file format
VirusTotal	Search for analysis

Name	f2e610fe60a4ca9b_file.bin Submit file
Filepath	C:\Users\test22\AppData\Local\Temp\main\file.bin
Size	1.5MB
Processes	1188 (conhost.exe) 2100 (cmd.exe)
Type	Zip archive data, at least v2.0 to extract
MD5	`76088cac0d8943fba09db67a4b2a15d0`
SHA1	`b37f1d0430cbb230350674c090f17dbdf6402f65`
SHA256	`f2e610fe60a4ca9bdf8ab1c3938bb77336d61c483d96f2c000b9e0c4528debe2`
CRC32	`6C489B08`
ssdeep	`24576:qasSxU6ywGOwzm5ahqxYSpiswrJWxhDS+YfCd4ygh16FYKQAei+fV9l60vW:qahyC0QiDQxhDhCCd4F1KcfT4GW`
Yara	zip_file_format - ZIP file format
VirusTotal	Search for analysis