Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 22, 2023, 8:09 a.m.	Dec. 22, 2023, 8:15 a.m.

Size	15.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a6f1e6b5775a94219b69a6261b36244a`
SHA256	`82d16b1428721a69501776eb26e14ecf76fe6e82a1d19c5fae6705a1cc0a4319`
CRC32	`49DF142C`
ssdeep	`384:DhnP/tVA42CM9c7JVTJMQWS+c73Q+VXiC+:DhP/tVA42V9cbTaQ8y3Q+tiC+`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Network_Downloader - File Downloader PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals UPX_Zero - UPX packed file

sl.exe "C:\Users\test22\AppData\Local\Temp\sl.exe"
1960
- winsvc.exe C:\Windows\winsvc.exe
  2100

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
193.3.19.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 193.3.19.247:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 193.3.19.247:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://193.3.19.247/Installed
suspicious_features	Connection to IP address				suspicious_request	GET http://193.3.19.247/pl.exe

Performs some HTTP requests (2 events)

request	GET http://193.3.19.247/Installed
request	GET http://193.3.19.247/pl.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Dec. 22, 2023, 8:09 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000000b0 filepath: C:\Users\test22\AppData\Local\Temp\2535235.jpg desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\2535235.jpg create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

193.3.19.247

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service

reg_value

C:\Windows\winsvc.exe

Attempts to remove evidence of file being downloaded from the Internet (2 events)

file	C:\Users\test22\AppData\Local\Temp\sl.exe:Zone.Identifier
file	C:\Windows\winsvc.exe:Zone.Identifier

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Phorpiex.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.lm
ALYac	Dropped:Generic.Malware.S!dld!.BEA59C70
Cylance	unsafe
VIPRE	Dropped:Generic.Malware.S!dld!.BEA59C70
Sangfor	Trojan.Win32.Save.a
BitDefender	Dropped:Generic.Malware.S!dld!.BEA59C70
Cybereason	malicious.78656d
Arcabit	Generic.Malware.S!dld!.BEA59C70
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Phorpiex.V
APEX	Malicious
McAfee	Artemis!A6F1E6B5775A
Avast	Win32:WormX-gen [Wrm]
Kaspersky	HEUR:Trojan.Win32.Zonidel.gen
Alibaba	Worm:Win32/Zonidel.a1268435
MicroWorld-eScan	Dropped:Generic.Malware.S!dld!.BEA59C70
Rising	Worm.Phorpiex!1.DF9C (CLASSIC)
Emsisoft	Dropped:Generic.Malware.S!dld!.BEA59C70 (B)
F-Secure	Heuristic.HEUR/Malware
DrWeb	Trojan.DownLoader46.39952
Zillya	Worm.Phorpiex.Win32.3020
TrendMicro	Mal_DLDER
FireEye	Generic.mg.a6f1e6b5775a9421
Ikarus	Win32.Outbreak
Webroot	W32.Malware.Gen
Google	Detected
Avira	WORM/Phorpiex.absyt
MAX	malware (ai score=87)
Kingsoft	Win32.HeurC.KVMH017.a
Microsoft	Trojan:Win32/Leonem
ViRobot	Trojan.Win.Z.Phorpiex.15872.B
ZoneAlarm	HEUR:Trojan.Win32.Zonidel.gen
GData	Win32.Trojan.Phorpiex.D
Varist	W32/S-c70f2e64!Eldorado
AhnLab-V3	Trojan/Win.Dlder.C5556497
BitDefenderTheta	Gen:NN.ZexaF.36608.auW@amhtHqki
DeepInstinct	MALICIOUS
VBA32	BScope.TrojanDownloader.Agent
Malwarebytes	Trojan.Downloader
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Mal_DLDER
Tencent	Win32.Trojan.Zonidel.Gajl
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Phorpiex.V!worm
AVG	Win32:WormX-gen [Wrm]
CrowdStrike	win/malicious_confidence_100% (W)

sl.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All