Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 2, 2023, 9:51 a.m.	Aug. 2, 2023, 10:15 a.m.

Size	524.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`12e493f7a5f1d8487239d477631457b9`
SHA256	`0c21cc2b9bf1e49a8b2eada21a695170c89a52fe209b13c6b136cb189fd62abb`
CRC32	`64B6FD93`
ssdeep	`12288:q1DmCRaGA1J9NlMn1zn+AWkCDb8we0Yz2yCHBhaaB8O:IKCYTza1zNWkAQZ0M2yCj`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check PE_Header_Zero - PE File Signature IsPE32 - (no description)

fffffff.exe1 "C:\Users\test22\AppData\Local\Temp\fffffff.exe1"
1208

Name	Response	Post-Analysis Lookup
lisfwhite.ch2eck.yaheoo.com
listwhfite.check3.yaho1o.com

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.212.47.65	Active	Moloch
45.155.249.172	Active	Moloch
78.138.9.136	Active	Moloch
79.132.130.230	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 78.138.9.136:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 185.212.47.65:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 79.132.130.230:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 79.132.130.230:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 45.155.249.172:80	2033203	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 45.155.249.172:80	2033204	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (17 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 2, 2023, 9:51 a.m.	computer_name:		0
GetComputerNameW Aug. 2, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 9:51 a.m.	computer_name:		0
GetComputerNameW Aug. 2, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 9:51 a.m.	computer_name:		0
GetComputerNameW Aug. 2, 2023, 9:51 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 9:52 a.m.	computer_name:		0
GetComputerNameW Aug. 2, 2023, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 9:52 a.m.	computer_name:		0
GetComputerNameW Aug. 2, 2023, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 9:52 a.m.	computer_name:		0
GetComputerNameW Aug. 2, 2023, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 9:53 a.m.	computer_name:		0
GetComputerNameW Aug. 2, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 2, 2023, 9:53 a.m.	computer_name:		0
GetComputerNameW Aug. 2, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 2, 2023, 9:51 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://185.212.47.65/zerotohero/cdXm_2FVJxK0LegSF/qWrY8fts8Fcq/0NYojf5UlKt/8DhxFr0B_2FsfH/yh95t8o1NlDiZvluicJ4e/y3s9rzRcxmXrVVJ7/Ka_2BqSUQBoccRO/pPeTmlMcibaZ1A8GB4/_2FCWWzpa/5CmD7rRKRlIWq5D4qu77/BGDeyVKNAc3pBFiPPX0/ncnmY9UmOi2ZepGuelaMz6/Fs7cUQ3jbJA0N/WaIYzdmN/W999YPszzQ3zvI2rKp8ilbI/G0MSN_2FTg/61lr6bk_2FfsZ31Jt/feVTEck3UWfb/5ZQcZoVE/Sy48y.asi
suspicious_features	Connection to IP address	suspicious_request	GET http://45.155.249.172/zerotohero/_2BNfe26Q_2BhpzcY80eoW/2IbQqms219ain/8xo_2BRo/O79HFwawAOqR1xwy3PGyFgp/h2FreaMQGU/PghXl8ePxYt85SSHr/L_2B7SHWLYe8/Jvu0omXw0U8/B2o2reD4ai5rDs/W5ZivSf7_2FvcBaSlziH8/2oaBAztGA6DuRQnj/fby_2FNeLRkfUIG/Tb9pBn4LDJSKpggRop/2yOnyRMrq/hGr0R03Qs2AMMI3QMxF8/DcYedNwEbb0WMiSm2cz/GpYewdMSs8Cd7hz_2FvN34/4B_2By8bGbelM/gBrumlN3/yo9.asi
suspicious_features	Connection to IP address	suspicious_request	GET http://78.138.9.136/zerotohero/BOMG5brBej/W6MNwYSFq4lSlX9tT/x4Y3Omef7UGN/WZhhSM2s5vi/V1FDzyIOh5EpoI/CWWIkqKkrw75RSUzXr7ex/W1RxkTyF3m2S3f2E/Y99btwsIJQuuhmN/lw3cuoTnNFNiXX7cu0/2whafmQx2/EkaF2FKoKeqHPMNHsEAQ/keKvvr9l1uzq8oU96Le/2jrUUusg_2B0I6xcr09dJj/XFvFn_2Fm4A8m/UqxdWdhP/VRi2h91sbdwC8lBB_2FDjJW/U_2ButnyPo/M3ehIUmus7lD5zNNn/gajTaRAeV8b6/0zF8WivYdTr/uC4wDLoi/v.asi
suspicious_features	Connection to IP address	suspicious_request	GET http://79.132.130.230/zerotohero/DVrxwIAQMgsf7onOLh/XV75B5oFA/y1vXWahjjQZVMDH_2FiQ/4PZa4sHCsckUL377wx1/ZWvRgGdffXeg9iPEYWZ0h_/2BhA96Rc7xe4R/qby1FhUA/D3J5ocbPv6vcjAoxDEpqdg_/2BxvziDIQC/aLCB4AL9AMx8ac_2B/QNhLbiQcgZin/EpRbwzEa4e4/D_2BKwsvigFCN_/2FBg_2Fw3ZaNSpM8fK07N/yXdvG0NodEjK6LFi/2ZnEMcjmx0YgxZI/dLH_2BvcUmTIQFitsY/hIm1muN9Q/YX6gqoj0w/GcFQn4vTy/4.asi
suspicious_features	Connection to IP address	suspicious_request	GET http://79.132.130.230/zerotohero/K3vk9WJHpEMX6hbZw9tQyo5/AMBJbLu6tj/I4dyyPRvEIc_2Bo5I/2NUNLIkQqXoM/4CLXycYanau/8WFUZdkBqHxj0k/G1Dz8Bb1qnisHoMvqFItJ/4wfCjdP1Gf4MD015/_2Fjg_2BwAknLxt/5g2XdSihMUmd7kf0Vf/ZYb5g5bV4/ib0vVzu4C_2FW6ak5OEU/GWK9iVTriGnuRYnmHaa/jVg20muCMLk3bbDqYb9K4b/WNo_2BGUwzd9k/NzS1SsLQ/d6CTTcaEu36FGNawX2R0Kqo/C38zpv3wa/W12SJCNS.asi

Performs some HTTP requests (5 events)

request	GET http://185.212.47.65/zerotohero/cdXm_2FVJxK0LegSF/qWrY8fts8Fcq/0NYojf5UlKt/8DhxFr0B_2FsfH/yh95t8o1NlDiZvluicJ4e/y3s9rzRcxmXrVVJ7/Ka_2BqSUQBoccRO/pPeTmlMcibaZ1A8GB4/_2FCWWzpa/5CmD7rRKRlIWq5D4qu77/BGDeyVKNAc3pBFiPPX0/ncnmY9UmOi2ZepGuelaMz6/Fs7cUQ3jbJA0N/WaIYzdmN/W999YPszzQ3zvI2rKp8ilbI/G0MSN_2FTg/61lr6bk_2FfsZ31Jt/feVTEck3UWfb/5ZQcZoVE/Sy48y.asi
request	GET http://45.155.249.172/zerotohero/_2BNfe26Q_2BhpzcY80eoW/2IbQqms219ain/8xo_2BRo/O79HFwawAOqR1xwy3PGyFgp/h2FreaMQGU/PghXl8ePxYt85SSHr/L_2B7SHWLYe8/Jvu0omXw0U8/B2o2reD4ai5rDs/W5ZivSf7_2FvcBaSlziH8/2oaBAztGA6DuRQnj/fby_2FNeLRkfUIG/Tb9pBn4LDJSKpggRop/2yOnyRMrq/hGr0R03Qs2AMMI3QMxF8/DcYedNwEbb0WMiSm2cz/GpYewdMSs8Cd7hz_2FvN34/4B_2By8bGbelM/gBrumlN3/yo9.asi
request	GET http://78.138.9.136/zerotohero/BOMG5brBej/W6MNwYSFq4lSlX9tT/x4Y3Omef7UGN/WZhhSM2s5vi/V1FDzyIOh5EpoI/CWWIkqKkrw75RSUzXr7ex/W1RxkTyF3m2S3f2E/Y99btwsIJQuuhmN/lw3cuoTnNFNiXX7cu0/2whafmQx2/EkaF2FKoKeqHPMNHsEAQ/keKvvr9l1uzq8oU96Le/2jrUUusg_2B0I6xcr09dJj/XFvFn_2Fm4A8m/UqxdWdhP/VRi2h91sbdwC8lBB_2FDjJW/U_2ButnyPo/M3ehIUmus7lD5zNNn/gajTaRAeV8b6/0zF8WivYdTr/uC4wDLoi/v.asi
request	GET http://79.132.130.230/zerotohero/DVrxwIAQMgsf7onOLh/XV75B5oFA/y1vXWahjjQZVMDH_2FiQ/4PZa4sHCsckUL377wx1/ZWvRgGdffXeg9iPEYWZ0h_/2BhA96Rc7xe4R/qby1FhUA/D3J5ocbPv6vcjAoxDEpqdg_/2BxvziDIQC/aLCB4AL9AMx8ac_2B/QNhLbiQcgZin/EpRbwzEa4e4/D_2BKwsvigFCN_/2FBg_2Fw3ZaNSpM8fK07N/yXdvG0NodEjK6LFi/2ZnEMcjmx0YgxZI/dLH_2BvcUmTIQFitsY/hIm1muN9Q/YX6gqoj0w/GcFQn4vTy/4.asi
request	GET http://79.132.130.230/zerotohero/K3vk9WJHpEMX6hbZw9tQyo5/AMBJbLu6tj/I4dyyPRvEIc_2Bo5I/2NUNLIkQqXoM/4CLXycYanau/8WFUZdkBqHxj0k/G1Dz8Bb1qnisHoMvqFItJ/4wfCjdP1Gf4MD015/_2Fjg_2BwAknLxt/5g2XdSihMUmd7kf0Vf/ZYb5g5bV4/ib0vVzu4C_2FW6ak5OEU/GWK9iVTriGnuRYnmHaa/jVg20muCMLk3bbDqYb9K4b/WNo_2BGUwzd9k/NzS1SsLQ/d6CTTcaEu36FGNawX2R0Kqo/C38zpv3wa/W12SJCNS.asi

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 2, 2023, 9:51 a.m.	process_identifier: 1208 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0001f000', u'virtual_address': u'0x00001000', u'entropy': 7.007216587946333, u'name': u'.text', u'virtual_size': u'0x0001e313'}

entropy

7.00721658795

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0005b000', u'virtual_address': u'0x00020000', u'entropy': 7.982485624268267, u'name': u'.rdata', u'virtual_size': u'0x0005a153'}

entropy

7.98248562427

description

A section with a high entropy has been found

entropy

0.938461538462

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (4 events)

host	185.212.47.65
host	45.155.249.172
host	78.138.9.136
host	79.132.130.230

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 2, 2023, 9:51 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Aug. 2, 2023, 9:51 a.m.	key_handle: 0x00000330 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
FireEye	Generic.mg.12e493f7a5f1d848
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 00549d461 )
K7GW	Trojan ( 00549d461 )
Cybereason	malicious.347eb6
Symantec	Packed.Generic.553
tehtris	Generic.Malware
APEX	Malicious
Cynet	Malicious (score: 100)
NANO-Antivirus	Virus.Win32.Gen.ccmw
Sophos	Mal/EncPk-APX
Trapmine	suspicious.low.ml.score
SentinelOne	Static AI - Malicious PE
Microsoft	Program:Win32/Wacapew.C!ml
Google	Detected
BitDefenderTheta	Gen:NN.ZexaF.36348.Gu0@aeWpXDci
VBA32	BScope.Backdoor.Dridex
Malwarebytes	MachineLearning/Anomalous.100%
Rising	Trojan.Generic@AI.91 (RDML:6zgeAFwHW4a5Z6Nvl7/HQg)
MaxSecure	Trojan.Malware.300983.susgen
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

fffffff.exe1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All