Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 11, 2023, 7:15 p.m.	Dec. 11, 2023, 7:20 p.m.

Size	571.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`b6d15bc82d811c30d7e9633402bee9c2`
SHA256	`8177a82bb9f46bb3a6b01b59eb6fbfc1bfebd9ba5147a5685ee49d6a9aa22002`
CRC32	`D86669DF`
ssdeep	`12288:o3ubKEsUNigEpgsI02qw67AjvhExMv3AO25aBcTA:aubKDgEpywweIAMohA`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE64 - (no description)

DLL%20Injector%20Resou%E2%80%AEnls..scr "C:\Users\test22\AppData\Local\Temp\DLL%20Injector%20Resou%E2%80%AEnls..scr"
1664

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.18	23.67.53.17
textbin.net	A 148.72.177.212	148.72.177.212

IP Address	Status	Action
121.254.136.9	Active	Moloch
148.72.177.212	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 148.72.177.212:443	2037786	ET INFO Pastebin-style Service (textbin .net in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49161 -> 148.72.177.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49161 148.72.177.212:443	C=US, O=Let's Encrypt, CN=R3	CN=textbin.net	e2:02:74:4e:e5:be:7e:79:a1:a7:e9:2e:d7:28:2d:19:26:9b:a6:92

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 11, 2023, 7:08 p.m.	stacktrace: dll%20injector%20resou%e2%80%aenls+0x9edb6 @ 0x13f44edb6 dll%20injector%20resou%e2%80%aenls+0xadb1b @ 0x13f45db1b dll%20injector%20resou%e2%80%aenls+0xad765 @ 0x13f45d765 dll%20injector%20resou%e2%80%aenls+0xad6b9 @ 0x13f45d6b9 dll%20injector%20resou%e2%80%aenls+0xad6a4 @ 0x13f45d6a4 dll%20injector%20resou%e2%80%aenls+0xc01b5 @ 0x13f4701b5 dll%20injector%20resou%e2%80%aenls+0xc05e4 @ 0x13f4705e4 dll%20injector%20resou%e2%80%aenls+0x2a1b @ 0x13f3b2a1b dll%20injector%20resou%e2%80%aenls+0x1006 @ 0x13f3b1006 dll%20injector%20resou%e2%80%aenls+0x2c01 @ 0x13f3b2c01 dll%20injector%20resou%e2%80%aenls+0xbf430 @ 0x13f46f430 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: cd 29 0f 0b cc cc cc cc cc cc 56 57 48 81 ec 98 exception.symbol: dll%20injector%20resou%e2%80%aenls+0x9edb6 exception.instruction: int 0x29 exception.module: DLL%20Injector%20Resou%E2%80%AEnls..scr exception.exception_code: 0xc0000005 exception.offset: 650678 exception.address: 0x13f44edb6 registers.r14: 0 registers.r15: 0 registers.rcx: 7 registers.rsi: 0 registers.r10: 3221225728 registers.rbx: 0 registers.rsp: 3013248 registers.r11: 5301085 registers.r8: 5357158912 registers.r9: 78 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 5058224 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Dec. 11, 2023, 7:08 p.m.

stacktrace:

dll%20injector%20resou%e2%80%aenls+0x9edb6 @ 0x13f44edb6
dll%20injector%20resou%e2%80%aenls+0xadb1b @ 0x13f45db1b
dll%20injector%20resou%e2%80%aenls+0xad765 @ 0x13f45d765
dll%20injector%20resou%e2%80%aenls+0xad6b9 @ 0x13f45d6b9
dll%20injector%20resou%e2%80%aenls+0xad6a4 @ 0x13f45d6a4
dll%20injector%20resou%e2%80%aenls+0xc01b5 @ 0x13f4701b5
dll%20injector%20resou%e2%80%aenls+0xc05e4 @ 0x13f4705e4
dll%20injector%20resou%e2%80%aenls+0x2a1b @ 0x13f3b2a1b
dll%20injector%20resou%e2%80%aenls+0x1006 @ 0x13f3b1006
dll%20injector%20resou%e2%80%aenls+0x2c01 @ 0x13f3b2c01
dll%20injector%20resou%e2%80%aenls+0xbf430 @ 0x13f46f430
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: cd 29 0f 0b cc cc cc cc cc cc 56 57 48 81 ec 98
exception.symbol: dll%20injector%20resou%e2%80%aenls+0x9edb6
exception.instruction: int 0x29
exception.module: DLL%20Injector%20Resou%E2%80%AEnls..scr
exception.exception_code: 0xc0000005
exception.offset: 650678
exception.address: 0x13f44edb6
registers.r14: 0
registers.r15: 0
registers.rcx: 7
registers.rsi: 0
registers.r10: 3221225728
registers.rbx: 0
registers.rsp: 3013248
registers.r11: 5301085
registers.r8: 5357158912
registers.r9: 78
registers.rdx: 0
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 5058224
registers.r13: 0

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 11, 2023, 7:08 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00084c00', u'virtual_address': u'0x000d4000', u'entropy': 7.9990786824538995, u'name': u'UPX1', u'virtual_size': u'0x00085000'}

entropy

7.99907868245

description

A section with a high entropy has been found

entropy

0.931578947368

description

Overall entropy of this PE file is high

The executable is compressed using UPX (3 events)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.70623876
FireEye	Generic.mg.b6d15bc82d811c30
Skyhigh	BehavesLike.Win64.VirRansom.hc
ALYac	Trojan.GenericKD.70623876
Malwarebytes	Malware.AI.3982124035
VIPRE	Trojan.GenericKD.70623876
Sangfor	Trojan.Win32.Agent.Vojf
Cybereason	malicious.1e8bb3
Symantec	ML.Attribute.HighConfidence
Cynet	Malicious (score: 100)
APEX	Malicious
BitDefender	Trojan.GenericKD.70623876
Avast	Win64:BankerX-gen [Trj]
Emsisoft	Trojan.GenericKD.70623876 (B)
TrendMicro	TROJ_GEN.R002C0DLB23
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win64.Agent
Webroot	W32.Trojan.GenKD
Antiy-AVL	Trojan/Win32.Sabsik
Microsoft	Trojan:Win32/AsyncRat!MSR
Gridinsoft	Ransom.Win64.Sabsik.sa
Xcitium	Malware@#11oix1jgwmc99
Arcabit	Trojan.Generic.D435A284
ViRobot	Trojan.Win.Z.Agent.584704.CJ
GData	Trojan.GenericKD.70623876
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R612138
McAfee	Artemis!B6D15BC82D81
MAX	malware (ai score=85)
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0DLB23
Rising	Exploit.Convagent!8.12632 (TFE:5:hFui1khqHgV)
MaxSecure	Trojan.Malware.221151308.susgen
Fortinet	W32/PossibleThreat
AVG	Win64:BankerX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

DLL%20Injector%20Resou%E2%80%AEnls..scr

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All