Summary | ZeroBOX

demon.x64.exe

Generic Malware PE64 PE File
Category FILE
Machine s1_win7_x6401
Started Aug. 7, 2023, 8:30 a.m.
Completed Aug. 7, 2023, 8:40 a.m.
Size 90.5KB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 9f395db62d14a0ef40d90404de9e6a9c
SHA256 d6a1a23efa1aa9e632f9e111e21070f0390678592d94fc75370d4325f45cf5d7
CRC32 135471B5
ssdeep 768:EIR0tFOAQJfLWMQyvh5+kI25cBvgpYybW8vK9/vdKircuudDTt1WfpMVKk5hqM1Q:xGFiQyr6rPhvdKbtDj57gbOsRBFr
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
157.245.47.66 Active Moloch

Suricata Alerts

Flow TCP 157.245.47.66:443 -> 192.168.56.101:49161
SID 2037599
Signature ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
Category A Network Trojan was detected

Suricata TLS

Flow TLSv1 192.168.56.101:49161 -> 157.245.47.66:443
Issuer C=US, ST=Washington, L=Seattle, unknown=, unknown=6274, O=DEBUG, CN=157.245.47.66
Subject C=US, ST=Washington, L=Seattle, unknown=, unknown=6274, O=DEBUG, CN=157.245.47.66
Fingerprint 85:61:c7:e7:c5:c0:ad:d8:64:79:ba:64:b7:b5:78:8d:6d:13:88:3d

suspicious_features: POST method with no referer header, Connection to IP address
suspicious_request: POST https://157.245.47.66/funny_cat.gif
suspicious_features: POST method with no referer header, Connection to IP address
suspicious_request: POST https://157.245.47.66/test.txt
request: POST https://157.245.47.66/funny_cat.gif
request: POST https://157.245.47.66/test.txt
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000022f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
Status 1  Return 0  Repeated 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002420000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
Status 1  Return 0  Repeated 0
host 157.245.47.66
Lionic Trojan.Win32.Havoc.4!c
MicroWorld-eScan Trojan.Generic.33944143
FireEye Trojan.Generic.33944143
McAfee RDN/Generic BackDoor
Malwarebytes Malware.AI.1476941991
Sangfor Backdoor.Win64.Havoc.Vi17
K7AntiVirus Trojan ( 005a86411 )
Alibaba Backdoor:Win64/Havoc.1bea8353
K7GW Trojan ( 005a86411 )
Cybereason malicious.aeebb9
Arcabit Trojan.Generic.D205F24F
Cyren W64/ABRisk.RQFI-9008
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/Havoc.D
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky Backdoor.Win64.Havoc.agd
BitDefender Trojan.Generic.33944143
Avast Win64:Evo-gen [Trj]
Tencent Malware.Win32.Gencirc.11aa33a9
Emsisoft Trojan.Generic.33944143 (B)
VIPRE Trojan.Generic.33944143
TrendMicro TROJ_GEN.R023C0PFH23
McAfee-GW-Edition BehavesLike.Win64.Generic.nm
Sophos Generic Reputation PUA (PUA)
Ikarus Trojan.Win64.Havoc
MAX malware (ai score=89)
Antiy-AVL Trojan/Win64.Havoc
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm Backdoor.Win64.Havoc.agd
GData Trojan.Generic.33944143
Google Detected
ALYac Trojan.Generic.33944143
Cylance unsafe
TrendMicro-HouseCall TROJ_GEN.R023C0PFH23
Rising Backdoor.Havoc!8.970A (TFE:3:5kYgA61wTIM)
Yandex Trojan.Havoc!bcVTcCF+0X4
MaxSecure Trojan.Malware.209925362.susgen
Fortinet W64/Havoc.D!tr
AVG Win64:Evo-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)