Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 14, 2023, 12:53 p.m.	Oct. 14, 2023, 12:59 p.m.

Size	380.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1a687a4c22bfcb3fcf4c19a05d6da9e5`
SHA256	`a9e9f0228004dc8b1b76218a91f71612a9ff00fa12f05e048b76a7aa64792c38`
CRC32	`5D9224B5`
ssdeep	`6144:cm0fUcaLudpcSVBdtQ+edbC+HuLPyv0no9TBPfUc7WWxa0e3fqexxV:3rchVBcHpC+Hu2vuo9TxvYLz`
PDB Path	p:\router\proxy\dzb\url\Framework\3A\x64\desktop\b5v.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE32 - (no description) Antivirus - Contains references to security software OS_Processor_Check_Zero - OS Processor Check

AppaltQD.exe "C:\Users\test22\AppData\Local\Temp\AppaltQD.exe"
840

Name	Response	Post-Analysis Lookup
www.ieee802.org	A 54.84.190.55	54.84.190.55

IP Address	Status	Action
164.124.101.2	Active	Moloch
54.84.190.55	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 54.84.190.55:443 -> 192.168.56.103:49163	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 54.84.190.55:443 -> 192.168.56.103:49161	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 54.84.190.55:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49161 -> 54.84.190.55:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 54.84.190.55:443 -> 192.168.56.103:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

p:\router\proxy\dzb\url\Framework\3A\x64\desktop\b5v.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

FEATURE

Foreign language identified in PE resource (6 events)

name

FEATURE

language

LANG_CHINESE

filetype

ASCII text, with no line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00057228

size

0x00000097

name

RT_ICON

language

LANG_CHINESE

filetype

PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000572c0

size

0x00005922

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0005cbe4

size

0x000000ae

name

RT_RCDATA

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0005cc94

size

0x00000080

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0005cd14

size

0x00000014

name

RT_MANIFEST

language

LANG_CHINESE

filetype

ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0005cf78

size

0x0000015a

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00006200', u'virtual_address': u'0x00057000', u'entropy': 7.68218947159801, u'name': u'.rsrc', u'virtual_size': u'0x000060d2'}

entropy

7.6821894716

description

A section with a high entropy has been found

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

MicroWorld-eScan	Trojan.GenericKD.69762698
FireEye	Trojan.GenericKD.69762698
McAfee	Artemis!1A687A4C22BF
Cylance	unsafe
BitDefender	Trojan.GenericKD.69762698
Emsisoft	Trojan.GenericKD.69762698 (B)
Microsoft	TrojanDropper:Win32/Vigorf.A
GData	Trojan.GenericKD.69762698
MAX	malware (ai score=80)
VBA32	suspected of Trojan.Downloader.gen
TrendMicro-HouseCall	TROJ_GEN.R002V01JA23
DeepInstinct	MALICIOUS
CrowdStrike	win/grayware_confidence_60% (W)

AppaltQD.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All