Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 30, 2023, 7:48 a.m.	Aug. 30, 2023, 7:50 a.m.

Size	840.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e35f56f0085e9bc842148702e7ba0faf`
SHA256	`584e30eef839ce1e4b4b796bc8af2de7ea7248141b052a91c910ec8d0bc3a2ac`
CRC32	`50D5B13F`
ssdeep	`12288:cVwlbU9NnQYaliI7K850Mc/5k9PU5eAHCbJ8rUkkeA5x5DQRsJ:cow9JOiI7KDjuWeAprFs5xxusJ`
PDB Path	C:\suve\bimum.pdb
Yara	Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description)

test10.exe "C:\Users\test22\AppData\Local\Temp\test10.exe"
2244
- icacls.exe icacls "C:\Users\test22\AppData\Local\3597f98d-1c0e-40d3-90b2-ca1942d842b6" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2540

Name	Response	Post-Analysis Lookup
api.2ip.ua	A 162.0.217.254	162.0.217.254

IP Address	Status	Action
162.0.217.254	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 162.0.217.254:443 -> 192.168.56.101:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49165 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 30, 2023, 7:49 a.m.	computer_name: TEST22-PC	1	1	0

This executable has a PDB path (1 event)

pdb_path

C:\suve\bimum.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AFX_DIALOG_LAYOUT

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000ad000', u'virtual_address': u'0x00001000', u'entropy': 7.926004792219778, u'name': u'.text', u'virtual_size': u'0x000aceb6'}

entropy

7.92600479222

description

A section with a high entropy has been found

entropy

0.824791418355

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.openssl.org/support/faq.html

Yara rule detected in process memory (25 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper

reg_value

"C:\Users\test22\AppData\Local\3597f98d-1c0e-40d3-90b2-ca1942d842b6\test10.exe" --AutoStart

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2244 resumed a thread in remote process 2360
NtResumeThread Aug. 30, 2023, 7:49 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2360	1	0	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

icacls "C:\Users\test22\AppData\Local\3597f98d-1c0e-40d3-90b2-ca1942d842b6" /deny *S-1-1-0:(OI)(CI)(DE,DC)

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stop.13!c
tehtris	Generic.Malware
MicroWorld-eScan	Gen:Heur.Mint.Titirez.0q0@M16p3Vk
FireEye	Generic.mg.e35f56f0085e9bc8
CAT-QuickHeal	Ransom.Stop.P5
Malwarebytes	MachineLearning/Anomalous.96%
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0056f9be1 )
K7GW	Trojan ( 0056f9be1 )
Cybereason	malicious.eedc51
Arcabit	Trojan.Mint.Titirez.EAC8A9
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Kryptik.HUMC
Cynet	Malicious (score: 100)
TrendMicro-HouseCall	TROJ_GEN.R002H07HT23
ClamAV	Win.Packer.pkr_ce1a-9980177-0
Kaspersky	UDS:Trojan.Win32.Chapak.gen
BitDefender	Gen:Heur.Mint.Titirez.0q0@M16p3Vk
Avast	Win32:BootkitX-gen [Rtk]
Tencent	Trojan.Win32.Obfuscated.gen
Emsisoft	Gen:Heur.Mint.Titirez.0q0@M16p3Vk (B)
McAfee-GW-Edition	BehavesLike.Win32.Lockbit.cc
Trapmine	malicious.moderate.ml.score
Sophos	Troj/Krypt-VK
SentinelOne	Static AI - Malicious PE
Gridinsoft	Ransom.Win32.STOP.bot
Microsoft	Trojan:Win32/Amadey.RPQ!MTB
ZoneAlarm	UDS:Trojan.Win32.Chapak.gen
GData	Gen:Heur.Mint.Titirez.0q0@M16p3Vk
Google	Detected
Cylance	unsafe
APEX	Malicious
Rising	Trojan.Kryptik!1.B663 (CLASSIC)
MAX	malware (ai score=81)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Kryptik.HFSR!tr
AVG	Win32:BootkitX-gen [Rtk]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

test10.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All