Summary | ZeroBOX

INV-Details-JUL2023(228).exe

PE64 PE File
Category   Machine        Started                    Completed
FILE       s1_win7_x6402  July 26, 2023, 5:22 p.m.   July 26, 2023, 5:24 p.m.
Size 447.7KB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 7606cb661c19b880bb13e39502660c25
SHA256 8758ec1be9412b853ef47126984ac9ae889624df14bb9017e96cf6b4ac4fc5f6
CRC32 13D26BE1
ssdeep 6144:lWuzYM1ukesfTqAYVTuFOBTfh3SVOFJzlBSFHds79zAADpgSHK6Bdun8r:l3zjukBCiFel3tFJz6DeDpgSHKUMnk
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

Name               Response       Post-Analysis Lookup
filtaferamoza.com  128.199.3.164

IP Address     Status  Action
128.199.3.164  Active  Moloch
164.124.101.2  Active  Moloch

Suricata Alerts

Flow                                          SID      Signature                                                     Category
TCP 192.168.56.102:49163 -> 128.199.3.164:80  2032086  ET MALWARE Win32/IcedID Request Cookie                        A Network Trojan was detected
UDP 192.168.56.102:63709 -> 164.124.101.2:53  2046894  ET MALWARE DNS Query for IcedID Domain (filtaferamoza .com)   A Network Trojan was detected
TCP 192.168.56.102:49163 -> 128.199.3.164:80  2032086  ET MALWARE Win32/IcedID Request Cookie                        A Network Trojan was detected

Suricata TLS

No Suricata TLS

suspicious_features: GET method with no useragent header
suspicious_request: GET http://filtaferamoza.com/
request: GET http://filtaferamoza.com/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 131072
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000401000
process_handle: 0xffffffffffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory

process_identifier: 3020
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 131072
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000401000
process_handle: 0xffffffffffffffff
Status: 1  Return: 0  Repeated: 0
description: INV-Details-JUL2023(228).exe tried to sleep 178 seconds, actually delayed analysis time by 178 seconds