Summary | ZeroBOX

INV-Details-JUL2023(224).exe

PE64 PE File
Category: FILE
Machine: s1_win7_x6402
Started: July 26, 2023, 5:24 p.m.
Completed: July 26, 2023, 5:26 p.m.
Size 447.7KB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 68def46fcf9076181826880b68a40191
SHA256 15699e202cf989dc2838ac0b52d37a7c291c32bf80a58d50a2b896f436a6e460
CRC32 05403983
ssdeep 6144:CWuzxM1ukesfTqAYVTuFOBTfh3SVOFJzlBSFHds79zAADpgSHK6BdunY/:C3zCukBCiFel3tFJz6DeDpgSHKUMnw
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
filtaferamoza.com 128.199.3.164
IP Address Status Action
128.199.3.164 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow: TCP 192.168.56.102:49163 -> 128.199.3.164:80
SID: 2032086
Signature: ET MALWARE Win32/IcedID Request Cookie
Category: A Network Trojan was detected

Flow: UDP 192.168.56.102:63709 -> 164.124.101.2:53
SID: 2046894
Signature: ET MALWARE DNS Query for IcedID Domain (filtaferamoza .com)
Category: A Network Trojan was detected

Flow: TCP 192.168.56.102:49163 -> 128.199.3.164:80
SID: 2032086
Signature: ET MALWARE Win32/IcedID Request Cookie
Category: A Network Trojan was detected

Suricata TLS

No Suricata TLS

suspicious_features: GET method with no useragent header
suspicious_request: GET http://filtaferamoza.com/
request: GET http://filtaferamoza.com/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 131072
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000401000
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 3040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 131072
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000401000
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

description: INV-Details-JUL2023(224).exe tried to sleep 178 seconds, actually delayed analysis time by 178 seconds