Summary | ZeroBOX

x-admins.exe

UPX PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6403_us Aug. 2, 2023, 4:56 p.m. Aug. 2, 2023, 5:04 p.m.
Size 339.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 1bdfa5d4db8f961fb85677c4d8bb64f4
SHA256 2e54ec22a0d7931509bb5905acf51ac1f223d5bca7a46b9f9038291d7c80c6c9
CRC32 B5B75730
ssdeep 6144:ndkzF43SM5dCsenQjq2Zs4ogcAWUwxPk47oLFldV1jJrBBxRdE3ajPXoSI84KF:n6zF4vCT4q2Z7NBWrl7EzdH9BL5PXoSz
Yara
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
121.254.136.27 Active Moloch
164.124.101.2 Active Moloch
35.186.245.55 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49161 -> 35.186.245.55:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49164 -> 35.186.245.55:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49166 -> 35.186.245.55:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49165 -> 35.186.245.55:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.103:49161 -> 35.186.245.55:443 C=US, O=Let's Encrypt, CN=R3 CN=repl.co 98:0e:de:6d:18:49:ac:af:7a:dd:24:4f:de:ce:cb:be:26:57:b1:5f
TLSv1 192.168.56.103:49164 -> 35.186.245.55:443 C=US, O=Let's Encrypt, CN=R3 CN=repl.co 98:0e:de:6d:18:49:ac:af:7a:dd:24:4f:de:ce:cb:be:26:57:b1:5f
TLSv1 192.168.56.103:49166 -> 35.186.245.55:443 C=US, O=Let's Encrypt, CN=R3 CN=repl.co 98:0e:de:6d:18:49:ac:af:7a:dd:24:4f:de:ce:cb:be:26:57:b1:5f
TLSv1 192.168.56.103:49165 -> 35.186.245.55:443 C=US, O=Let's Encrypt, CN=R3 CN=repl.co 98:0e:de:6d:18:49:ac:af:7a:dd:24:4f:de:ce:cb:be:26:57:b1:5f

request GET http://apps.identrust.com/roots/dstrootcax3.p7c
Time & API Arguments Status Return Repeated
GetAdaptersAddresses flags: 15, family: 0 111 0
section UPX1 (virtual_address 0x00083000, virtual_size 0x0004f000, size_of_data 0x0004ee00, entropy 7.998566539586151) description A section with a high entropy has been found
entropy 0.933431952663 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
Time & API Arguments Status Return Repeated
SetWindowsHookExA thread_identifier: 0, callback_function: 0x00404e90, hook_identifier: 14 (WH_MOUSE_LL), module_address: 0x00400000 1 66017 0
SetWindowsHookExA thread_identifier: 0, callback_function: 0x00404d20, hook_identifier: 13 (WH_KEYBOARD_LL), module_address: 0x00400000 1 197085 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Vendor Detection
Bkav W32.AIDetectMalware
FireEye Generic.mg.1bdfa5d4db8f961f
McAfee Artemis!1BDFA5D4DB8F
Malwarebytes Malware.AI.1914786265
Symantec ML.Attribute.HighConfidence
Elastic malicious (moderate confidence)
Cynet Malicious (score: 100)
APEX Malicious
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Trapmine malicious.high.ml.score
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Script.auxn
Antiy-AVL Trojan/Win32.PossibleThreat
Xcitium Packed.Win32.MUPX.Gen@24tbus
Microsoft Trojan:Script/Phonzy.A!ml
AhnLab-V3 Malware/Win32.RL_Generic.R325756
Rising Trojan.Generic@AI.99 (RDML:AF2cKbJeSE3sCytm9DaVGA)
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/PossibleThreat
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_60% (W)