Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
10.05 02:10
mime-attachment 2
10.05 11:10
66fffb908255c_nnxin.exe
10.05 11:10
66fe13d56fd43_EdgeOUpd...
10.05 11:10
9dd06d870941.exe#d15
10.05 11:10
7f3c2473d1e6.exe#sp_vid
10.05 11:10
f2e7fcb20146.exe#sp_sl
10.05 11:10
956d73b7f041.exe#defau...
10.05 09:10
payload.msi
10.05 09:10
fedf8679e8d2.exe#d12
10.05 09:10
segura.vbs

Latest News
10.05 04:10
Clone of TEST BLOG WIL...
10.05 03:10
Anzeige: So gelingt di...
10.05 03:10
KI verstehen mit Excel...
10.05 03:10
Apple Releases Critica...
10.05 02:10
Mechanical Switch Sci-...
10.05 11:10
This Bluetooth GATT Co...
10.05 09:10
Mac Malware with L0Pse...
10.05 09:10
타이거다즐러, 올리브영 온라인몰 입점… ...
10.05 09:10
Ben Horowitz Will Dona...
10.05 09:10
5G-Ausbau: Zwei Bundes...

Summary | ZeroBOX

agent.exe

Malicious Library UPX Malicious Packer PE64 PE File OS Processor Check

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 14, 2023, 6:49 p.m.	Dec. 14, 2023, 7:14 p.m.

Size	1.6MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`ca2de368c8a4930ce09986cd9f9f2280`
SHA256	`92cb40da4005ec3db7cee58b601273f30d92f23b94ace05e818a55cb3aeedb1c`
CRC32	`86173BD1`
ssdeep	`24576:evttKL0Qpmn1dz8VVv6RKK8+m9e6FpVWu2P:e1YWu2`
Yara	Malicious_Library_Zero - Malicious_Library Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

agent.exe "C:\Users\test22\AppData\Local\Temp\agent.exe"
2572

Name	Response	Post-Analysis Lookup
cs.lvsehacker.com	A 172.67.217.152 A 104.21.59.67	104.21.59.67

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.217.152	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 172.67.217.152:2053	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 172.67.217.152:2053	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 172.67.217.152:2053	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 172.67.217.152:2053	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49163 -> 172.67.217.152:2053	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49165 172.67.217.152:2053	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=lvsehacker.com	1b:94:94:77:08:15:73:c1:3c:5a:03:63:d6:04:b5:8d:7b:6b:36:dd
TLSv1 192.168.56.101:49167 172.67.217.152:2053	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=lvsehacker.com	1b:94:94:77:08:15:73:c1:3c:5a:03:63:d6:04:b5:8d:7b:6b:36:dd
TLSv1 192.168.56.101:49168 172.67.217.152:2053	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=lvsehacker.com	1b:94:94:77:08:15:73:c1:3c:5a:03:63:d6:04:b5:8d:7b:6b:36:dd
TLSv1 192.168.56.101:49166 172.67.217.152:2053	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=lvsehacker.com	1b:94:94:77:08:15:73:c1:3c:5a:03:63:d6:04:b5:8d:7b:6b:36:dd
TLSv1 192.168.56.101:49163 172.67.217.152:2053	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=lvsehacker.com	1b:94:94:77:08:15:73:c1:3c:5a:03:63:d6:04:b5:8d:7b:6b:36:dd

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Dec. 14, 2023, 6:42 p.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 14, 2023, 6:42 p.m.	process_identifier: 2572 region_size: 311296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000002b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory Dec. 14, 2023, 6:42 p.m.	process_identifier: 2572 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002390000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Bkav	W64.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	FileRepMalware [Drp]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	VirTool:Win64/CobaltStrike.411d03a7
Kingsoft	Win32.Trojan.Cobalt.a
Microsoft	VirTool:Win32/CobaltStrike.F
ZoneAlarm	UDS:DangerousObject.Multi.Generic
DeepInstinct	MALICIOUS
MaxSecure	Trojan.Malware.300983.susgen
AVG	FileRepMalware [Drp]
CrowdStrike	win/malicious_confidence_100% (W)