Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 18, 2023, 6:21 p.m.	July 18, 2023, 6:39 p.m.

Size	1.4MB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`2f8a3dfa7e89ffc2fd4166dc2db5bbe7`
SHA256	`8df2fc7eab6cc0ca190d0ffe2e58956727a8cd614ba4e7f361904f4ec0416762`
CRC32	`C497F052`
ssdeep	`6144:hkdT8kRK5AnIEyfjRohRqINPhFWi5gXhm9+utCeU4:SdbmAnYtouEhRSi+KX`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Network_Downloader - File Downloader IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

Project15.exe "C:\Users\test22\AppData\Local\Temp\Project15.exe"
184

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
162.55.60.2	Active	Moloch
116.62.11.90	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 116.62.11.90:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 116.62.11.90:80 -> 192.168.56.103:49162	2045860	ET HUNTING Rejetto HTTP File Sever Response	A Network Trojan was detected
TCP 116.62.11.90:80 -> 192.168.56.103:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 116.62.11.90:80 -> 192.168.56.103:49162	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 116.62.11.90:80 -> 192.168.56.103:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 116.62.11.90:80 -> 192.168.56.103:49162	2014520	ET INFO EXE - Served Attached HTTP	Misc activity

Suricata TLS

No Suricata TLS

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://116.62.11.90/main.exe

Performs some HTTP requests (1 event)

request

GET http://116.62.11.90/main.exe

Foreign language identified in PE resource (13 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000685b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000685b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000685b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000685b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000685b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000685b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000685b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000685b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000685b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000685b8

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000685b8

size

0x00000468

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00068a20

size

0x000000a0

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00068ac0

size

0x000002c0

Creates executable files on the filesystem (1 event)

file	C:\Users\Public\main.exe

Communicates with host for which no DNS query was performed (2 events)

host	162.55.60.2
host	116.62.11.90

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Bkav	W32.Common.87D16A5C
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.68224320
FireEye	Generic.mg.2f8a3dfa7e89ffc2
McAfee	Artemis!2F8A3DFA7E89
Sangfor	Trojan.Win32.Save.a
Arcabit	Trojan.Generic.D4110540
Cyren	W64/ABRisk.NIOH-4450
Symantec	ML.Attribute.HighConfidence
Cynet	Malicious (score: 100)
APEX	Malicious
BitDefender	Trojan.GenericKD.68224320
Emsisoft	Trojan.GenericKD.68224320 (B)
DrWeb	BackDoor.AsyncRAT.12
McAfee-GW-Edition	BehavesLike.Win64.Infected.tz
Antiy-AVL	Trojan/Win32.SGeneric
Gridinsoft	Trojan.Win64.AsyncRAT.bot
GData	Win32.Trojan-Downloader.Generic.YI5WVX
Google	Detected
Acronis	suspicious
MAX	malware (ai score=82)
Malwarebytes	Backdoor.AsyncRAT
Panda	Trj/Chgt.AD
SentinelOne	Static AI - Suspicious PE
Fortinet	PossibleThreat.MU
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (W)

Project15.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All