Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 4, 2024, 4:40 p.m.	Feb. 4, 2024, 5:02 p.m.

Size	234.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9421bb65a9d5ace737e8ebbb04986873`
SHA256	`8d2a28f4d0d93aaf2e4dedf67b40ba16a68026a27e8b70ab1e82bf244d533682`
CRC32	`238C3F6C`
ssdeep	`6144:xowKY/ICXEroFNbmQMbcBt2+ieJBEuwAOCcOwc:xowKY/zXYoFNbmQMb0kuwkcJc`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

univ.exe "C:\Users\test22\AppData\Local\Temp\univ.exe"
508

Name	Response	Post-Analysis Lookup
download.visualstudio.microsoft.com	CNAME cs10.wpc.v0cdn.net CNAME visualstudio.download.prss.trafficmanager.net CNAME 4316b.wpc.azureedge.net A 192.229.232.200	192.229.232.200

IP Address	Status	Action
164.124.101.2	Active	Moloch
192.229.232.200	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.229.232.200:80 -> 192.168.56.103:49161	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.229.232.200:80 -> 192.168.56.103:49161	2014520	ET INFO EXE - Served Attached HTTP	Misc activity

Suricata TLS

No Suricata TLS

Performs some HTTP requests (1 event)

request

GET http://download.visualstudio.microsoft.com/download/pr/d6835aa3-6ec4-47ec-a5a5-9052ed310e4f/c1171996e95717bf532475f4546e479c/windowsdesktop-runtime-6.0.26-win-x86.exe

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\rAQBc8\windowsdesktop-runtime-6.0.26-win-x86.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\rAQBc8\windowsdesktop-runtime-6.0.26-win-x86.exe

An executable file was downloaded by the process univ.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Feb. 4, 2024, 4:40 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ïÀ[«s®«s®«s®Î ¡s®Î« $s®ùª ¸s®ù ¸s®ù« s®Îª ¾s®Î¨ ©s®Î¯ ºs®«s¯år®« às®Qªs®«s9©s®¬ ªs®Rich«s®PELRKaà \|à°@`Ût@<´à<;x`) ¼={TÔ{Àz@°Ð¼.textÃ `.rdatatò°ô @@.data°@À.wixburn8Ð @@.rsrc<;à<¢@@.reloc¼= >Þ@B request_handle: 0x00cc000c	1	1	0

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Lionic	Trojan.Win32.GCleaner.a!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Downloader.dh
McAfee	Artemis!9421BB65A9D5
Cylance	unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.b3a272
VirIT	Trojan.Win32.Genus.UYX
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
APEX	Malicious
MicroWorld-eScan	Gen:Variant.Doina.60921
F-Secure	Heuristic.HEUR/AGEN.1317762
BitDefenderTheta	AI:Packer.967777D41F
Sophos	Mal/Generic-S (PUA)
Ikarus	Trojan-Downloader.Win32.Agent
Avira	HEUR/AGEN.1317762
Kingsoft	Win32.Troj.Undef.a
Gridinsoft	Malware.Win32.Gen.tr
Microsoft	Trojan:Win32/ICLoader.JL!MTB
ZoneAlarm	UDS:Trojan-Downloader.Win32.GCleaner.gen
Varist	W32/Agent.EPA.gen!Eldorado
AhnLab-V3	Trojan/Win.ICLoader.C5577650
VBA32	BScope.TrojanPSW.Tepfer
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Tencent	Win32.Trojan-Downloader.Oader.Wdkl
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Agent.ELB!tr.dldr
Panda	Trj/Genetic.gen
CrowdStrike	win/malicious_confidence_100% (D)

univ.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All