Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 19, 2023, 9:34 a.m.	July 19, 2023, 9:36 a.m.

Size	360.6KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`842b0d0eb01716a9f526acd866d8bad3`
SHA256	`6f11c52f01e5696b1ac0faf6c19b0b439ba6f48f1f9851e34f0fa582b09dfa48`
CRC32	`441136D2`
ssdeep	`6144:mnDh1g60VJZNC1e+xdJCgwQ3MIKkQ0tuWeR1Jhcf/W:mnEZNC7d8mK3v`
Yara	UPX_Zero - UPX packed file Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description)

Name	Response	Post-Analysis Lookup
www.notebooksell.kr	A 183.111.169.84	183.111.169.84

IP Address	Status	Action
164.124.101.2	Active	Moloch
183.111.169.84	Active	Moloch

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 183.111.169.84:80	2016693	ET INFO SUSPICIOUS UA starting with Mozilla/8	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 183.111.169.84:80	2016693	ET INFO SUSPICIOUS UA starting with Mozilla/8	Potentially Bad Traffic

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 19, 2023, 9:35 a.m.		1	1	0

suspicious_features

POST method with no referer header

suspicious_request

POST http://www.notebooksell.kr/mall/m_schema.php

request

POST http://www.notebooksell.kr/mall/m_schema.php

request

POST http://www.notebooksell.kr/mall/m_schema.php

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory July 19, 2023, 9:34 a.m.	process_identifier: 2560 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 19, 2023, 9:35 a.m.	process_identifier: 2560 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 19, 2023, 9:35 a.m.	process_identifier: 2560 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 19, 2023, 9:35 a.m.	process_identifier: 2560 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
FireEye	Generic.mg.842b0d0eb01716a9
ALYac	Backdoor.Agent.status
CrowdStrike	win/malicious_confidence_100% (W)
BitDefenderTheta	Gen:NN.ZexaF.36318.wq3@amu@YVbi
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.GenericML.xnet
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
Ikarus	Virus.Win32.CeeInject
Antiy-AVL	Trojan/Win32.Sonbokli
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:Trojan.Win32.GenericML.xnet
Google	Detected
McAfee	Artemis!842B0D0EB017
DeepInstinct	MALICIOUS
VBA32	suspected of Trojan.Downloader.gen
Rising	Trojan.Generic@AI.96 (RDML:j60fWFoEihUF5Rsl06HbAA)
MaxSecure	Virus.Patched.OF
Fortinet	W32/PossibleThreat

CTFMON.EXE