Summary | ZeroBOX

demosyscalls.exe

Generic Malware PE64 PE File
Category FILE
Machine s1_win7_x6403_us
Started Aug. 7, 2023, 8:30 a.m.
Completed Aug. 7, 2023, 8:38 a.m.
Size 89.5KB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 e3f125e7cc88a1c53cc68e1bcb273191
SHA256 ebdc54df582be1cafb91a1948657212fe50229b09071b1cbb3d1b660cc707fc5
CRC32 4C6067C4
ssdeep 768:9bgyYWldBM19THIh9TxzGtZ4o+BGwC6M6IT7JAD14lthdxALrCPx1VskZhba/ejR:eyZ4THI7QQy7J84JACjZpbdHQz0PsYr
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
157.245.47.66 Active Moloch

Suricata Alerts

Flow TCP 157.245.47.66:443 -> 192.168.56.103:49162
SID 2037599
Signature ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
Category A Network Trojan was detected

Suricata TLS

Flow TLSv1 192.168.56.103:49162 -> 157.245.47.66:443
Issuer C=US, ST=Washington, L=Seattle, unknown=, unknown=6274, O=DEBUG, CN=157.245.47.66
Subject C=US, ST=Washington, L=Seattle, unknown=, unknown=6274, O=DEBUG, CN=157.245.47.66
Fingerprint 85:61:c7:e7:c5:c0:ad:d8:64:79:ba:64:b7:b5:78:8d:6d:13:88:3d

suspicious_features POST method with no referer header, Connection to IP address
suspicious_request POST https://157.245.47.66/funny_cat.gif
suspicious_features POST method with no referer header, Connection to IP address
suspicious_request POST https://157.245.47.66/test.txt
request POST https://157.245.47.66/funny_cat.gif
request POST https://157.245.47.66/test.txt
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory
  process_identifier: 1684
  region_size: 851968
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x0000000002320000
  allocation_type: 8192 (MEM_RESERVE)
  process_handle: 0xffffffffffffffff
  Status 1, Return 0, Repeated 0

NtAllocateVirtualMemory
  process_identifier: 1684
  region_size: 8192
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x0000000002370000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffffffffffff
  Status 1, Return 0, Repeated 0
host 157.245.47.66
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
Bkav W32.Common.A5AE1530
Lionic Trojan.Win32.Havoc.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.68260049
FireEye Trojan.GenericKD.68260049
McAfee RDN/Generic BackDoor
Cylance unsafe
Sangfor Backdoor.Win64.Havoc.Vndr
K7AntiVirus Trojan ( 005a69471 )
Alibaba Backdoor:Win64/Havoc.9598b1c7
K7GW Trojan ( 005a69471 )
Cybereason malicious.0cff22
Arcabit Trojan.Generic.D41190D1
Cyren W64/ABRisk.HXJN-5827
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/Havoc.D
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky Backdoor.Win64.Havoc.aex
BitDefender Trojan.GenericKD.68260049
Avast Win64:Evo-gen [Trj]
Tencent Malware.Win32.Gencirc.13d08e11
Sophos Mal/Generic-S
VIPRE Trojan.GenericKD.68260049
TrendMicro TROJ_GEN.R023C0XFE23
McAfee-GW-Edition BehavesLike.Win64.Backdoor.mm
Emsisoft Trojan.GenericKD.68260049 (B)
Antiy-AVL Trojan/Win64.Havoc
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm Backdoor.Win64.Havoc.aex
GData Trojan.GenericKD.68260049
Google Detected
MAX malware (ai score=88)
Malwarebytes Malware.AI.1694180533
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R023C0XFE23
Rising Backdoor.Havoc!8.970A (TFE:3:5kYgA61wTIM)
Ikarus Trojan.Win64.Havoc
MaxSecure Trojan.Malware.209914176.susgen
Fortinet W64/Havoc.D!tr
AVG Win64:Evo-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)