Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
01.18 04:01
svc.exe
01.18 04:01
RemittanceForms.exe
01.18 04:01
Aristois-Free.jar
01.18 10:01
setup641.msi
01.18 10:01
Needle_Setup.exe
01.18 10:01
8734_5737.exe
01.18 10:01
CondoGenerator.exe
01.18 10:01
QGFQTHIU.exe
01.18 10:01
4909_7122.exe
01.18 10:01
Updater.exe

Latest News
01.20 01:01
KI statt Kanzler? Drei...
01.20 01:01
Donald Trump und die T...
01.20 12:01
An Instant Gratificati...
01.19 10:01
Apple Is Unlikely to B...
01.19 09:01
DIY Handheld is an Emu...
01.19 07:01
Behörde stärkt Sicherh...
01.19 07:01
Keine Bewegung, kein S...
01.19 07:01
Computing und KI: Die ...
01.19 06:01
Motorized Coil Tunes Y...
01.19 05:01
Anzeige: Microsoft-365...

Summary | ZeroBOX

svchost1.exe

UPX Malicious Library OS Processor Check PE32 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 14, 2023, 6:52 p.m.	Dec. 14, 2023, 6:56 p.m.

Size	191.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`70087277fa67c53783f5cbe4022bd2d1`
SHA256	`24c323f9be2d7476c9233e35a10dcf35d58e25b956dfdfa15e492edbb02153b8`
CRC32	`3F86915B`
ssdeep	`3072:+rEv9lomY7Z5dcKXefLNjLt2eo8j6ERhnGxMBoGlY5TQEIj4pkv7gEyR76t1t:lv8p5dDef9tlPjHRR8MDlwpkvl476t`
PDB Path	D:\ä¸æ¹ Visual Studio 2022\HTML\Release\HTML.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
154.92.16.100	Active	Moloch
38.181.25.204	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 154.92.16.100:80 -> 192.168.56.101:49161	2045860	ET HUNTING Rejetto HTTP File Sever Response	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49164 38.181.25.204:5858	CN=VenomRAT Server/OU=qwqdanchun/O=VenomRAT By qwqdanchun/L=SH/C=CN	CN=VenomRAT	99:21:ce:1f:4b:a8:82:59:70:ee:2e:47:8d:31:77:8b:95:52:aa:23
TLSv1 192.168.56.101:49174 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49167 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49165 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49177 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49168 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49166 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49169 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49170 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49176 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49172 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49179 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49180 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49175 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49171 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49173 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49178 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49181 38.181.25.204:5858	None	None	None

This executable has a PDB path (1 event)

pdb_path

D:\ä¸æ¹ Visual Studio 2022\HTML\Release\HTML.pdb

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://154.92.16.100/Admin/Admin.html

Performs some HTTP requests (1 event)

request

GET http://154.92.16.100/Admin/Admin.html

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Avast	FileRepMalware [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
VBA32	SigCompromised.MEDIATEKINC
AVG	FileRepMalware [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Communicates with host for which no DNS query was performed (2 events)

host	154.92.16.100
host	38.181.25.204