Summary | ZeroBOX

test20.exe

Tags: Malicious Packer, UPX, Malicious Library, PE64, PE File

Category: FILE
Machine: s1_win7_x6403_us
Started: Nov. 21, 2023, 7:52 a.m.
Completed: Nov. 21, 2023, 7:54 a.m.

Size: 5.0MB
Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5: fbd70a366b8f1c3e25e080cdd553930f
SHA256: f32a707eb324627cf5bd3904d8db2acb9bd71b506526d1aa153874b40f359452
CRC32: 7DF989EE
ssdeep: 49152:l/oG3crb/THvO90dL3BmAFd4A64nsfJsH4xjkNyCEHQPaHOKNMKVk9B/omcQHEKy:f3LwGf3uuEmRjU+G
Yara
  • Malicious_Library_Zero - Malicious_Library
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file

Name | Response | Post-Analysis Lookup
No hosts contacted.

IP Address | Status | Action
179.60.147.176 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2046873 | ET MALWARE CHAOS RAT CnC Server Status Check | Malware Command and Control Activity Detected
TCP 192.168.56.103:49161 -> 179.60.147.176:8080 | 2046872 | ET MALWARE CHAOS RAT Client Checkin | Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity
TCP 192.168.56.103:49161 -> 179.60.147.176:8080 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2037145 | ET MALWARE Win32/Khaosz.A!MTB Checkin | Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2046873 | ET MALWARE CHAOS RAT CnC Server Status Check | Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2037145 | ET MALWARE Win32/Khaosz.A!MTB Checkin | Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2046873 | ET MALWARE CHAOS RAT CnC Server Status Check | Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2037145 | ET MALWARE Win32/Khaosz.A!MTB Checkin | Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2046873 | ET MALWARE CHAOS RAT CnC Server Status Check | Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2037145 | ET MALWARE Win32/Khaosz.A!MTB Checkin | Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 179.60.147.176:8080 | 2024897 | ET USER_AGENTS Go HTTP Client User-Agent | Misc activity

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status | Return | Repeated

WriteConsoleW
  buffer: ┌────────────────────────────────────────────────────────────┐ │ CHAOS (dev) │ │ 179.60.147.176:8080 │ └────────────────────────────────────────────────────────────┘
  console_handle: 0x0000000000000007
  Status: 1 | Return: 1 | Repeated: 0

WriteConsoleW
  buffer: [*] Successfully connected
  console_handle: 0x0000000000000007
  Status: 1 | Return: 1 | Repeated: 0
section: .symtab

suspicious_features: Connection to IP address | suspicious_request: GET http://179.60.147.176:8080/client
suspicious_features: Connection to IP address | suspicious_request: GET http://179.60.147.176:8080/health
suspicious_features: POST method with no referer header, Connection to IP address | suspicious_request: POST http://179.60.147.176:8080/device

request: GET http://179.60.147.176:8080/client
request: GET http://179.60.147.176:8080/health
request: POST http://179.60.147.176:8080/device
request: POST http://179.60.147.176:8080/device
Time & API | Arguments | Status | Return | Repeated

GetAdaptersAddresses
  flags: 16
  family: 0
  Status: 1 | Return: 0 | Repeated: 0

host: 179.60.147.176
Antivirus | Result
Bkav | W64.AIDetectMalware
Malwarebytes | RiskWare.RemoteAdmin.Chaos
Elastic | malicious (high confidence)
ESET-NOD32 | a variant of WinGo/RemoteAdmin.Chaos.D potentially unsafe
APEX | Malicious
ClamAV | Win.Malware.Chaos-10009236-0
Kaspersky | HEUR:Backdoor.Win64.Agent.gen
Sophos | ATK/Chaos-C
Google | Detected
Varist | W64/Agent.EUK.gen!Eldorado
ZoneAlarm | HEUR:Backdoor.Win64.Agent.gen
Cynet | Malicious (score: 100)
AhnLab-V3 | Malware/Win.Khaosz.R575825
DeepInstinct | MALICIOUS
Ikarus | Trojan.SuspectCRC
MaxSecure | Trojan.Malware.300983.susgen
Time & API | Arguments | Status | Return | Repeated

LdrGetProcedureAddress
  ordinal: 0
  function_address: 0x000007fefe467a50
  function_name: wine_get_version
  module: ntdll
  module_address: 0x00000000776c0000
  Return: -1073741511 (NTSTATUS 0xC0000139, STATUS_ENTRYPOINT_NOT_FOUND) | Repeated: 0