Summary | ZeroBOX

upsync.exe

Tags: Generic Malware, PE64, PE File

Category: FILE
Machine: s1_win7_x6403_us
Started: Dec. 14, 2023, 6:52 p.m.
Completed: Dec. 14, 2023, 7:05 p.m.

Size: 100.0KB
Type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5: a5b4a20040379236d168fa0547598a54
SHA256: 7355962a0b9eb57bbedbec7dd55c7a668a9229f5b9b1a9cdb747f2b5c5f8b974
CRC32: 5DC10115
ssdeep: 1536:jkIoalOYktfCM83vqrErpVE/kGE5+Kb+LwoMSJZNR5FObvb:LFITtfCMjcVE/kOXMSJZjPObvb
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Generic_Malware_Zero - Generic Malware

Hosts (Name / Response / Post-Analysis Lookup): No hosts contacted.

IP addresses (IP Address / Status / Action):
  • 66.228.60.47 - Active - Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow / Issuer / Subject / Fingerprint

All four TLS flows went to 66.228.60.47:443 and presented the same certificate, whose issuer and subject fields are identical:
  • TLSv1 192.168.56.103:49161 -> 66.228.60.47:443
  • TLSv1 192.168.56.103:49164 -> 66.228.60.47:443
  • TLSv1 192.168.56.103:49165 -> 66.228.60.47:443
  • TLSv1 192.168.56.103:49166 -> 66.228.60.47:443

Issuer: C=US, ST=Florida, L=Tampa, unknown=, unknown=4652, O=LLC, CN=66.228.60.47
Subject: C=US, ST=Florida, L=Tampa, unknown=, unknown=4652, O=LLC, CN=66.228.60.47
Fingerprint: bb:9a:7f:1c:3f:0d:23:07:8e:c9:10:9f:2e:a1:af:cd:a4:86:b4:ea

Time & API / Arguments / Status / Return / Repeated

NtProtectVirtualMemory (logged three times with identical arguments)

process_identifier: 516
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 122880
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000013fa20000
process_handle: 0xffffffffffffffff
Status: 1, Return: 0, Repeated: 0 (each call)
Time & API / Arguments / Status / Return / Repeated

GetAdaptersAddresses

flags: 15
family: 0
Status / Return / Repeated: 111 0

host: 66.228.60.47
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
Antivirus results (vendor: detection)

Bkav: W64.AIDetectMalware
Elastic: malicious (high confidence)
Cynet: Malicious (score: 100)
Skyhigh: BehavesLike.Win64.Generic.cm
ALYac: Generic.Trojan.Havokiz.Marte.D.28F89B35
Cylance: unsafe
VIPRE: Generic.Trojan.Havokiz.Marte.D.28F89B35
Sangfor: Backdoor.Win64.Havoc.V5ub
BitDefender: Generic.Trojan.Havokiz.Marte.D.28F89B35
Arcabit: Generic.Trojan.Havokiz.Marte.D.28F89B35
Symantec: ML.Attribute.HighConfidence
ESET-NOD32: a variant of Win64/Havoc_AGen.E
APEX: Malicious
McAfee: Agent-FYC!A5B4A2004037
Avast: Win64:Evo-gen [Trj]
Kaspersky: HEUR:Backdoor.Win64.C2.h
Alibaba: Backdoor:Win64/Havokiz.c76017b6
MicroWorld-eScan: Generic.Trojan.Havokiz.Marte.D.28F89B35
Rising: Backdoor.Havoc!8.970A (TFE:4:Muj2LsPTQQM)
Emsisoft: Generic.Trojan.Havokiz.Marte.D.28F89B35 (B)
F-Secure: Heuristic.HEUR/AGEN.1368308
FireEye: Generic.Trojan.Havokiz.Marte.D.28F89B35
Sophos: ATK/Havoc-G
Jiangmin: Backdoor.C2.d
Google: Detected
Avira: HEUR/AGEN.1368308
MAX: malware (ai score=82)
Antiy-AVL: Trojan/Win64.Havoc
Microsoft: Trojan:Win64/Havokiz.DX!MTB
ZoneAlarm: UDS:DangerousObject.Multi.Generic
GData: Generic.Trojan.Havokiz.Marte.D.28F89B35
DeepInstinct: MALICIOUS
Malwarebytes: Generic.Malware/Suspicious
Tencent: Win64.Backdoor.C2.Lqil
SentinelOne: Static AI - Malicious PE
AVG: Win64:Evo-gen [Trj]
CrowdStrike: win/malicious_confidence_70% (W)