Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
01.18 10:01
setup641.msi
01.18 10:01
Needle_Setup.exe
01.18 10:01
8734_5737.exe
01.18 10:01
CondoGenerator.exe
01.18 10:01
QGFQTHIU.exe
01.18 10:01
4909_7122.exe
01.18 10:01
Updater.exe
01.17 05:01
beacon.exe
01.17 05:01
remcos_a2.exe
01.17 05:01
ogpayload.exe

Latest News
01.18 12:01
No Crystal Earpiece? N...
01.18 11:01
TikTok Says to ‘Go Dar...
01.18 10:01
‘Sneaky Log’ phishing ...
01.18 10:01
리튬코리아, 일본 스이린과 리튬 배터리 ...
01.18 10:01
Feds worry AT&T br...
01.18 10:01
AIs in Love, UEFI, For...
01.18 09:01
프롬한라, 제주 유정란 담은 반려견 간식...
01.18 09:01
무암(MooAm), 생성형 AI로 26종...
01.18 09:01
Trinteract Mini Space ...
01.18 09:01
IT Sicherheitsnews tae...

Summary | ZeroBOX

Setup.exe

UPX Malicious Library OS Processor Check PE64 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 13, 2023, 8:34 a.m.	Oct. 13, 2023, 8:43 a.m.

Size	625.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`635da4ec16e32532e4e1f6919dad1df3`
SHA256	`c7b871b92bd7b5b4c355d3d9eff5ca0e86542243b13492e4a6e963bf4ff39bce`
CRC32	`9EF6CF82`
ssdeep	`12288:CzYxT9lhtufsnffgCFNwh1IRB0eX7mQ/oG4mkPHw1z:XrtuUffNRBZmOB4lPHmz`
PDB Path	F:\StryzonNet\Release\Setup.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE64 - (no description) OS_Processor_Check_Zero - OS Processor Check

Setup.exe "C:\Users\test22\AppData\Local\Temp\Setup.exe"
872

Name	Response	Post-Analysis Lookup
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
103.54.250.99	Active	Moloch
104.20.55.214	Active	Moloch
104.21.1.213	Active	Moloch
104.21.27.205	Active	Moloch
104.21.50.138	Active	Moloch
104.21.55.151	Active	Moloch
104.21.68.7	Active	Moloch
104.21.73.229	Active	Moloch
104.21.76.140	Active	Moloch
104.21.77.146	Active	Moloch
104.21.79.166	Active	Moloch
104.21.92.170	Active	Moloch
104.26.0.82	Active	Moloch
104.26.10.81	Active	Moloch
104.26.12.244	Active	Moloch
104.26.2.124	Active	Moloch
141.193.213.20	Active	Moloch
172.67.129.18	Active	Moloch
172.67.134.134	Active	Moloch
172.67.140.52	Active	Moloch
172.67.142.169	Active	Moloch
172.67.148.35	Active	Moloch
172.67.150.80	Active	Moloch
172.67.156.49	Active	Moloch
172.67.173.200	Active	Moloch
172.67.181.113	Active	Moloch
172.67.193.133	Active	Moloch
172.67.198.26	Active	Moloch
172.67.199.57	Active	Moloch
172.67.201.26	Active	Moloch
172.67.209.11	Active	Moloch
172.67.212.131	Active	Moloch
172.67.33.252	Active	Moloch
172.67.70.22	Active	Moloch
185.208.164.106	Active	Moloch
185.63.228.45	Active	Moloch
186.230.14.42	Active	Moloch
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch
193.231.236.124	Active	Moloch
193.57.67.4	Active	Moloch
200.40.52.151	Active	Moloch
23.227.38.74	Active	Moloch
34.174.61.199	Active	Moloch
46.242.233.27	Active	Moloch
64.26.60.153	Active	Moloch
76.223.54.146	Active	Moloch
80.147.223.166	Active	Moloch
81.22.97.159	Active	Moloch
83.56.13.220	Active	Moloch
88.198.0.105	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Oct. 13, 2023, 8:27 a.m.	computer_name: TEST22-PC	1	1	0

This executable has a PDB path (1 event)

pdb_path

F:\StryzonNet\Release\Setup.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

Performs some HTTP requests (1 event)

request

GET http://ip-api.com/line/?fields=hosting

Looks up the external IP address (1 event)

domain

ip-api.com

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Bkav	W64.AIDetectMalware
CrowdStrike	win/malicious_confidence_60% (W)
Avast	Win32:Dh-A [Heur]
Kingsoft	malware.kb.a.738
AVG	Win32:Dh-A [Heur]

Communicates with host for which no DNS query was performed (49 events)

host	103.54.250.99
host	104.20.55.214
host	104.21.1.213
host	104.21.27.205
host	104.21.50.138
host	104.21.55.151
host	104.21.68.7
host	104.21.73.229
host	104.21.76.140
host	104.21.77.146
host	104.21.79.166
host	104.21.92.170
host	104.26.0.82
host	104.26.10.81
host	104.26.12.244
host	104.26.2.124
host	141.193.213.20
host	172.67.129.18
host	172.67.134.134
host	172.67.140.52
host	172.67.142.169
host	172.67.148.35
host	172.67.150.80
host	172.67.156.49
host	172.67.173.200
host	172.67.181.113
host	172.67.193.133
host	172.67.198.26
host	172.67.199.57
host	172.67.201.26
host	172.67.209.11
host	172.67.212.131
host	172.67.33.252
host	172.67.70.22
host	185.208.164.106
host	185.63.228.45
host	186.230.14.42
host	193.231.236.124
host	193.57.67.4
host	200.40.52.151
host	23.227.38.74
host	34.174.61.199
host	46.242.233.27
host	64.26.60.153
host	76.223.54.146
host	80.147.223.166
host	81.22.97.159
host	83.56.13.220
host	88.198.0.105

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Oct. 13, 2023, 8:27 a.m.	module_name: snxhk.dll module_address: 0x0000000000000000 stack_pivoted: 0		-1073741515	0
LdrGetDllHandle Oct. 13, 2023, 8:27 a.m.	module_name: snxhk.dll module_address: 0x0000000000000000 stack_pivoted: 0		-1073741515	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

185.63.228.45:25