Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.22 06:09
audiodg.exe
09.22 06:09
psfod.exe
09.22 06:09
73EtsZxIoDetWTu.exe
09.22 06:09
otqp9.exe
09.22 06:09
xx.exe
09.22 06:09
fck.exe
09.22 06:09
LummaC222222.exe
09.22 06:09
seethebestwayforunders...
09.22 06:09
Name.exe
09.22 06:09
needmoney.exe

Latest News
09.23 08:09
컬러풀대구 웨딩박람회, 오는 10월 엑스...
09.23 08:09
3D Printing a Wire-Wra...
09.23 07:09
Three Media Moguls Are...
09.23 07:09
Harris Vows to Grow AI...
09.23 07:09
September 23, 2024
09.23 06:09
Apollo to Offer Multib...
09.23 05:09
The Russian APT Tool M...
09.23 05:09
Hackaday Links: Septem...
09.23 05:09
Fed’s Rate Cut Comes W...
09.23 05:09
Schluss mit Bildmanipu...

Summary | ZeroBOX

svchost1.exe

UPX Malicious Library OS Processor Check PE32 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 14, 2023, 6:52 p.m.	Dec. 14, 2023, 6:56 p.m.

Size	191.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`70087277fa67c53783f5cbe4022bd2d1`
SHA256	`24c323f9be2d7476c9233e35a10dcf35d58e25b956dfdfa15e492edbb02153b8`
CRC32	`3F86915B`
ssdeep	`3072:+rEv9lomY7Z5dcKXefLNjLt2eo8j6ERhnGxMBoGlY5TQEIj4pkv7gEyR76t1t:lv8p5dDef9tlPjHRR8MDlwpkvl476t`
PDB Path	D:\ä¸æ¹ Visual Studio 2022\HTML\Release\HTML.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
154.92.16.100	Active	Moloch
38.181.25.204	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 154.92.16.100:80 -> 192.168.56.101:49161	2045860	ET HUNTING Rejetto HTTP File Sever Response	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49164 38.181.25.204:5858	CN=VenomRAT Server/OU=qwqdanchun/O=VenomRAT By qwqdanchun/L=SH/C=CN	CN=VenomRAT	99:21:ce:1f:4b:a8:82:59:70:ee:2e:47:8d:31:77:8b:95:52:aa:23
TLSv1 192.168.56.101:49174 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49167 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49165 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49177 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49168 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49166 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49169 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49170 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49176 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49172 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49179 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49180 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49175 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49171 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49173 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49178 38.181.25.204:5858	None	None	None
TLSv1 192.168.56.101:49181 38.181.25.204:5858	None	None	None

This executable has a PDB path (1 event)

pdb_path

D:\ä¸æ¹ Visual Studio 2022\HTML\Release\HTML.pdb

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://154.92.16.100/Admin/Admin.html

Performs some HTTP requests (1 event)

request

GET http://154.92.16.100/Admin/Admin.html

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Avast	FileRepMalware [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
VBA32	SigCompromised.MEDIATEKINC
AVG	FileRepMalware [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Communicates with host for which no DNS query was performed (2 events)

host	154.92.16.100
host	38.181.25.204