Summary | ZeroBOX

UpdateCheck.exe

Tags: Generic Malware, PE64, PE File
Category  Machine           Started                   Completed
FILE      s1_win7_x6403_us  Dec. 23, 2023, 6:16 p.m.  Dec. 23, 2023, 6:27 p.m.
Size 100.0KB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 c5352fea4e134e1a8e5e3a220d35be26
SHA256 3fd90f62078ea1670e2e813d02905b86ac306495840681475787e320a6bba17e
CRC32 0D312188
ssdeep 1536:ykJIalOYktfCM83vOpq9UVE/kGE5+Kb+LwoMSJZNx5FOwtbX:RlITtfCM72UVE/kOXMSJZDPOwtb
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Generic_Malware_Zero - Generic Malware

Name  Response  Post-Analysis Lookup
No hosts contacted.

IP Address     Status  Action
195.35.25.136  Active  Moloch

Suricata Alerts

Flow:      TCP 195.35.25.136:443 -> 192.168.56.103:49161
SID:       2037601
Signature: ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
Category:  A Network Trojan was detected

Suricata TLS

Flow:        TLSv1 192.168.56.103:49161 -> 195.35.25.136:443
Issuer:      C=US, ST=Washington, L=Olympia, unknown=, unknown=6274, O=DEBUG, CN=195.35.25.136
Subject:     C=US, ST=Washington, L=Olympia, unknown=, unknown=6274, O=DEBUG, CN=195.35.25.136
Fingerprint: f7:b7:14:90:2f:cd:c6:fd:a4:19:3f:f6:da:34:05:54:df:7a:28:c6

Issuer and Subject are identical, so the certificate is self-signed; the CN is the bare C2 IP rather than a hostname and the O field is the placeholder DEBUG, a framework-generated identity rather than anything a CA would issue. The two "unknown=" entries are most likely attribute OIDs that Suricata has no short name for. The fingerprint above is the server certificate's SHA1 and is a usable network IOC for this sample.

suspicious_features  POST method with no referer header; Connection to IP address
suspicious_request   POST https://195.35.25.136/
request              POST https://195.35.25.136/
request              POST https://195.35.25.136/
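The Suricata TLS row and the HTTP signatures above are the two network indicators this report rests on. The following is an added triage example, not part of the ZeroBOX report and not code from the Havoc or Sliver projects: it parses EVE-style JSON records and flags the same traits the report shows (self-signed certificate, IP-literal CN, O=DEBUG, the report's certificate fingerprint, and a POST to a bare IP with no Referer). The records are constructed to mirror the report's rows plus one benign control; the field names (tls.subject, tls.issuerdn, tls.fingerprint, http.hostname, http.http_method, http.http_refer) follow Suricata EVE naming as I know it and are an assumption. The heuristics are my own reading of the evidence, not the body of ET rule 2037601.

```python
"""Offline triage of Suricata EVE-style records for the indicators in this report.

Added example: not from the ZeroBOX report or the Havoc/Sliver projects. Heuristics
are my own, not the ET rule body. EVE field names are assumed, see lead-in.
"""
import ipaddress
import json

# Server certificate SHA1 fingerprint taken from the report's Suricata TLS row.
REPORT_CERT_FINGERPRINTS = {
    "f7:b7:14:90:2f:cd:c6:fd:a4:19:3f:f6:da:34:05:54:df:7a:28:c6",
}

# Constructed records, not captured traffic. The first two mirror the report's TLS and
# HTTP rows; the third is a benign control (CA-issued certificate, DNS hostname).
DN = "C=US, ST=Washington, L=Olympia, unknown=, unknown=6274, O=DEBUG, CN=195.35.25.136"
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "tls", "src_ip": "192.168.56.103", "src_port": 49161,
                "dest_ip": "195.35.25.136", "dest_port": 443,
                "tls": {"subject": DN, "issuerdn": DN,
                        "fingerprint": "f7:b7:14:90:2f:cd:c6:fd:a4:19:3f:f6:da:34:05:54:df:7a:28:c6"}}),
    json.dumps({"event_type": "http", "src_ip": "192.168.56.103", "src_port": 49161,
                "dest_ip": "195.35.25.136", "dest_port": 443,
                "http": {"hostname": "195.35.25.136", "url": "/", "http_method": "POST"}}),
    json.dumps({"event_type": "tls", "src_ip": "192.168.56.103", "src_port": 49200,
                "dest_ip": "203.0.113.10", "dest_port": 443,
                "tls": {"subject": "CN=www.example.com",
                        "issuerdn": "C=US, O=Let's Encrypt, CN=R3",
                        "fingerprint": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33"}}),
]


def parse_dn(dn):
    """Split 'A=x, B=y' into (attr, value) pairs, keeping duplicates and empty values
    (the report's subject has two 'unknown=' entries). No escaped commas expected."""
    pairs = []
    for part in dn.split(","):
        part = part.strip()
        if part and "=" in part:
            attr, _, value = part.partition("=")
            pairs.append((attr.strip(), value.strip()))
    return pairs


def dn_value(pairs, attr):
    """First value of an attribute in a parsed DN, or None."""
    return next((v for a, v in pairs if a == attr), None)


def is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def tls_reasons(tls):
    """Traits that make a TLS record look like a framework default certificate."""
    reasons = []
    subject, issuer = parse_dn(tls.get("subject", "")), parse_dn(tls.get("issuerdn", ""))
    if subject and subject == issuer:
        reasons.append("self-signed: issuer equals subject")
    cn = dn_value(subject, "CN")
    if cn and is_ip_literal(cn):
        reasons.append(f"CN is a bare IP literal ({cn})")
    if dn_value(subject, "O") == "DEBUG":
        reasons.append("O=DEBUG placeholder organisation")
    if tls.get("fingerprint", "").lower() in REPORT_CERT_FINGERPRINTS:
        reasons.append("certificate fingerprint matches report IOC")
    return reasons


def http_reasons(http):
    """Traits matching the report's suspicious_request / suspicious_features rows."""
    reasons = []
    if http.get("http_method", "").upper() == "POST":
        if is_ip_literal(http.get("hostname", "")):
            reasons.append("POST to an IP literal host")
        if not http.get("http_refer"):
            reasons.append("POST with no Referer header")
    return reasons


def triage(eve_lines, min_reasons=2):
    """Return one finding per record that trips at least `min_reasons` heuristics."""
    findings = []
    for line in eve_lines:
        rec = json.loads(line)
        kind = rec.get("event_type")
        if kind == "tls":
            reasons = tls_reasons(rec.get("tls", {}))
        elif kind == "http":
            reasons = http_reasons(rec.get("http", {}))
        else:
            continue
        if len(reasons) >= min_reasons:
            dest = f"{rec.get('dest_ip')}:{rec.get('dest_port')}"
            findings.append({"event_type": kind, "dest": dest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVE_LINES):
        print(f["event_type"], f["dest"], "|", "; ".join(f["reasons"]))
```

Run against a real `eve.json` by replacing SAMPLE_EVE_LINES with the file's lines; the two-reason threshold keeps a single self-signed internal certificate or a lone Referer-less POST from firing on its own, which is what separates this from the broader, higher-volume ET rule.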
Time & API Arguments Status Return Repeated

API:       GetAdaptersAddresses
Arguments: flags: 15 (GAA_FLAG_SKIP_UNICAST | GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST | GAA_FLAG_SKIP_DNS_SERVER, i.e. every address list suppressed, leaving only adapter metadata such as names and MAC addresses)
           family: 0 (AF_UNSPEC)
Status/Return/Repeated: 111 0 (the report row carries only these two values; 111 is ERROR_BUFFER_OVERFLOW, the expected result of a first call made with an undersized buffer to learn the required size)

host      195.35.25.136
registry  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

The registry read is CryptoAPI/Schannel consulting the machine ROOT store by SHA1 thumbprint while building the chain for the TLS handshake; it refers to a trusted root certificate, not to the C2 certificate, which is self-signed and carries the fingerprint listed under Suricata TLS.
21 of the 50 engines below name the Havoc framework (Havoc or BitDefender's Havokiz family name), which corroborates the Suricata alert; the remainder are generic or ML verdicts.

Vendor                 Detection
Bkav                   W64.AIDetectMalware
Lionic                 Trojan.Win32.Havokiz.m!c
Elastic                malicious (high confidence)
MicroWorld-eScan       Generic.Trojan.Havokiz.Marte.D.06C457B0
CAT-QuickHeal          Trojan.Multi
Skyhigh                Agent-FYC!C5352FEA4E13
ALYac                  Generic.Trojan.Havokiz.Marte.D.06C457B0
Cylance                unsafe
VIPRE                  Generic.Trojan.Havokiz.Marte.D.06C457B0
Sangfor                Backdoor.Win64.Havoc.Vgqb
K7AntiVirus            Trojan ( 005a88b51 )
Alibaba                Backdoor:Win64/Havokiz.30efc697
K7GW                   Trojan ( 005a88b51 )
CrowdStrike            win/malicious_confidence_100% (W)
VirIT                  Trojan.Win64.Agent.BUS
Symantec               ML.Attribute.HighConfidence
ESET-NOD32             a variant of Win64/Havoc_AGen.E
APEX                   Malicious
Kaspersky              Backdoor.Win64.Havoc.box
BitDefender            Generic.Trojan.Havokiz.Marte.D.06C457B0
Avast                  Win64:Evo-gen [Trj]
Tencent                Malware.Win32.Gencirc.13fa4231
Emsisoft               Generic.Trojan.Havokiz.Marte.D.06C457B0 (B)
F-Secure               Heuristic.HEUR/AGEN.1368308
Zillya                 Trojan.Havoc.Win64.86
TrendMicro             TROJ_GEN.R002C0DLI23
FireEye                Generic.Trojan.Havokiz.Marte.D.06C457B0
Sophos                 ATK/Havoc-G
Ikarus                 Trojan.Win64.Havoc
Jiangmin               Backdoor.C2.d
Webroot                W32.Trojan.Havokiz.Marte
Google                 Detected
Avira                  HEUR/AGEN.1368308
Varist                 W64/ABRisk.BLBJ-4153
Antiy-AVL              Trojan/Win64.Havoc
Kingsoft               Win32.Troj.Unknown.a
Microsoft              Trojan:Win64/Havokiz.DX!MTB
Gridinsoft             Trojan.Win64.Agent.sa
Arcabit                Generic.Trojan.Havokiz.Marte.D.06C457B0
ZoneAlarm              Backdoor.Win64.Havoc.box
GData                  Generic.Trojan.Havokiz.Marte.D.06C457B0
Cynet                  Malicious (score: 100)
McAfee                 Agent-FYC!C5352FEA4E13
MAX                    malware (ai score=82)
Malwarebytes           Generic.Malware/Suspicious
Panda                  Trj/CI.A
TrendMicro-HouseCall   TROJ_GEN.R002C0DLI23
Rising                 Backdoor.Havoc!8.970A (TFE:4:Muj2LsPTQQM)
SentinelOne            Static AI - Malicious PE
MaxSecure              Trojan.Malware.221644012.susgen