Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 14, 2023, 6:49 p.m.	Dec. 14, 2023, 6:54 p.m.

Size	519.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2911eb04c29466ee568e1b6e169a4f9d`
SHA256	`38d0fb83604f1fded6fba26b2f7d38984d5964afb96334ef750694d4e91fc323`
CRC32	`1C7B1C8E`
ssdeep	`12288:gAr1pRE1bJay6OXZ6/gew5JBW2YItxdn:gAr67ayHc0Htx`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

filex.exe "C:\Users\test22\AppData\Local\Temp\filex.exe"
2568

Name	Response	Post-Analysis Lookup
keewoolas.pw
moskhoods.pw
taretool.pw
dayzilons.pw
killredls.pw
steycools.pw
bloockflad.pw
revivalsecularas.pw
bookgames.pw

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
UDP 192.168.56.101:53850 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 14, 2023, 6:49 p.m.		1	1	0

Resolves a suspicious Top Level Domain (TLD) (9 events)

domain	bloockflad.pw	description	Palau domain TLD
domain	bookgames.pw	description	Palau domain TLD
domain	steycools.pw	description	Palau domain TLD
domain	killredls.pw	description	Palau domain TLD
domain	dayzilons.pw	description	Palau domain TLD
domain	moskhoods.pw	description	Palau domain TLD
domain	revivalsecularas.pw	description	Palau domain TLD
domain	taretool.pw	description	Palau domain TLD
domain	keewoolas.pw	description	Palau domain TLD

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0006f000', u'virtual_address': u'0x00001000', u'entropy': 6.828153927528255, u'name': u'.text', u'virtual_size': u'0x0006ef08'}

entropy

6.82815392753

description

A section with a high entropy has been found

entropy

0.856316297011

description

Overall entropy of this PE file is high

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealerc.i!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Corrupt.hh
ALYac	Gen:Variant.Zusy.488690
Cylance	unsafe
VIPRE	Gen:Variant.Zusy.488690
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Spyware ( 0054b9f91 )
BitDefender	Gen:Variant.Zusy.488690
K7GW	Spyware ( 0054b9f91 )
Cybereason	malicious.ff8c75
Arcabit	Trojan.Zusy.D774F2
VirIT	Trojan.Win32.Genus.UFQ
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Spy.Agent.PRG
APEX	Malicious
McAfee	Artemis!2911EB04C294
Avast	Win32:SpywareX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.Win32.Lumma.pef
Alibaba	TrojanPSW:Win32/LummaStealer.7575c099
NANO-Antivirus	Trojan.Win32.Stealerc.kdyymr
MicroWorld-eScan	Gen:Variant.Zusy.488690
Rising	Spyware.Agent!8.C6 (TFE:5:6eu1UroGlGH)
Emsisoft	Gen:Variant.Zusy.488690 (B)
F-Secure	Trojan.TR/Spy.Agent.vavlr
DrWeb	Trojan.PWS.Lumma.69
Zillya	Trojan.Agent.Win32.3770508
TrendMicro	TROJ_GEN.R002C0DKQ23
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.2911eb04c29466ee
Sophos	Mal/Generic-S
Ikarus	Trojan-Spy.Win32.Agent
Jiangmin	Trojan.PSW.Stealerc.st
Google	Detected
Avira	TR/Spy.Agent.vavlr
MAX	malware (ai score=85)
Antiy-AVL	Trojan/Win32.Sabsik
Kingsoft	malware.kb.a.998
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/LummaStealer.MB!MTB
ViRobot	Trojan.Win.Z.Agent.531968.I
ZoneAlarm	HEUR:Trojan-PSW.Win32.Lumma.pef
GData	Gen:Variant.Zusy.488690
Varist	W32/Stealer.GG.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R611473
BitDefenderTheta	Gen:NN.ZexaF.36608.GqW@aCZaesm
TACHYON	Trojan-PWS/W32.Stealerc.531968
DeepInstinct	MALICIOUS

filex.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All