Summary | ZeroBOX

client.exe

Malicious Library, Antivirus, UPX, Malicious Packer, ftp, PE64, PE File, OS Processor Check
Category FILE
Machine s1_win7_x6403_us
Started Nov. 27, 2023, 9:23 a.m.
Completed Nov. 27, 2023, 9:32 a.m.
Size 14.7MB
Type PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5 0170f9a9cf779fefa88e3a93dd551712
SHA256 980a9e9f44aca2a0503c0bdc356c97a8d72439332f0c592317454be367ff4f53
CRC32 A2F7B10D
ssdeep 196608:mdswEiI/C5CnZTH8KxV2AonzpHgYTW2fICxPiCGzio+f:idE96gTHlV2AmzPTW2fIwiio+f
Yara
  • Malicious_Library_Zero - Malicious_Library
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Antivirus - Contains references to security software
  • ftp_command - ftp command
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Hosts (Name, Response, Post-Analysis Lookup): No hosts contacted.

IP addresses (IP Address, Status, Action):
  164.124.101.2  Active  Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API / Arguments / Status / Return / Repeated

WriteConsoleW
  buffer: No destination specified
  console_handle: 0x0000000000000007
  status 1, return 1, repeated 0

WriteConsoleW
  buffer: usage: client.exe" --[foreground|fingerprint|proxy|process_name] -d|--destination <server_address>
  console_handle: 0x0000000000000007
  status 1, return 1, repeated 0

WriteConsoleW
  buffer: -d or --destination Server connect back address (can be baked in)
  console_handle: 0x0000000000000007
  status 1, return 1, repeated 0

WriteConsoleW
  buffer: --foreground Causes the client to run without forking to background
  console_handle: 0x0000000000000007
  status 1, return 1, repeated 0

WriteConsoleW
  buffer: --fingerprint Server public key SHA256 hex fingerprint for auth
  console_handle: 0x0000000000000007
  status 1, return 1, repeated 0

WriteConsoleW
  buffer: --proxy Location of HTTP connect proxy to use
  console_handle: 0x0000000000000007
  status 1, return 1, repeated 0

WriteConsoleW
  buffer: --process_name Process name shown in tasklist/process list
  console_handle: 0x0000000000000007
  status 1, return 1, repeated 0
section .symtab
section /19: size_of_data 0x000a5400, virtual_address 0x00b3a000, virtual_size 0x000a5237, entropy 7.996442801185556; description: A section with a high entropy has been found
section /32: size_of_data 0x00022c00, virtual_address 0x00be0000, virtual_size 0x00022aa1, entropy 7.946774026590995; description: A section with a high entropy has been found
section /65: size_of_data 0x00148c00, virtual_address 0x00c04000, virtual_size 0x00148aff, entropy 7.998305609971668; description: A section with a high entropy has been found
section /78: size_of_data 0x000d2c00, virtual_address 0x00d4d000, virtual_size 0x000d2b94, entropy 7.995678289832637; description: A section with a high entropy has been found
section /90: size_of_data 0x00035e00, virtual_address 0x00e20000, virtual_size 0x00035ce3, entropy 7.820843419907411; description: A section with a high entropy has been found
entropy 0.21033271474; description: Overall entropy of this PE file is high
Time & API / Arguments / Status / Return / Repeated

LdrGetProcedureAddress
  ordinal: 0
  function_address: 0x000007fefe467a50
  function_name: wine_get_version
  module: ntdll
  module_address: 0x00000000776c0000
  return -1073741511 (0xC0000139, STATUS_ENTRYPOINT_NOT_FOUND: the export does not exist in this ntdll), repeated 0