Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.23 03:09
66eef0ca0fb35_lfdsa.exe
09.23 02:09
easyfirewall.exe
09.23 02:09
Name.exe
09.23 11:09
wcxoplwq.exe
09.23 11:09
66f00f515201d_otr.exe#...
09.23 11:09
Journal.exe
09.23 11:09
PI No.1070034483.exe
09.23 11:09
66f011901da27_crypted....
09.23 11:09
66f063cce5470_crypted....
09.23 11:09
notebyx.exe

Latest News
09.24 01:09
Top 5 Reasons AI Leade...
09.24 01:09
San Francisco’s fight ...
09.24 01:09
Why threat intelligenc...
09.24 01:09
Vernetztes Fahren: USA...
09.24 01:09
Wasserstoff im Schwerl...
09.24 01:09
Trojaner befällt minde...
09.24 01:09
San Francisco’s fight ...
09.24 01:09
Telegram CEO Durov Say...
09.24 12:09
Sophos named a Leader ...
09.24 12:09
Revisiting 1990’s Mac ...

Summary | ZeroBOX

Update.exe

Generic Malware Malicious Library UPX Malicious Packer PE64 PE File OS Processor Check

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 8, 2024, 5:49 p.m.	Feb. 8, 2024, 5:51 p.m.

Size	2.9MB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`db25dde66c6101eb5c357a1fecb34925`
SHA256	`59f21e4329cbd8850b396247ca86b79a465dc78d97e00deca22b8682a6f23532`
CRC32	`9D108EB5`
ssdeep	`49152:mY3ovEXrxYMJID2qHRTGEWEd7VMfh3lkKM/QbaclDEHyi:mY4vhKF3VOMDEHP`
Yara	Malicious_Library_Zero - Malicious_Library Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

Update.exe "C:\Users\test22\AppData\Local\Temp\Update.exe"
1836

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 182.162.106.144 A 182.162.106.33 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.67.53.27
anonhost.in	A 103.215.221.168	103.215.221.168

IP Address	Status	Action
103.215.221.168	Active	Moloch
164.124.101.2	Active	Moloch
182.162.106.144	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 103.215.221.168:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49162 103.215.221.168:443	C=US, O=Let's Encrypt, CN=R3	CN=anonhost.in	a5:70:e5:c8:db:89:e6:4e:96:15:9e:a2:9f:c7:84:87:21:3d:76:c5

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Feb. 8, 2024, 5:42 p.m.	buffer: thread ' console_handle: 0x000000000000000b	1	1	0
WriteConsoleW Feb. 8, 2024, 5:42 p.m.	buffer: main console_handle: 0x000000000000000b	1	1	0
WriteConsoleW Feb. 8, 2024, 5:42 p.m.	buffer: ' panicked at console_handle: 0x000000000000000b	1	1	0
WriteConsoleW Feb. 8, 2024, 5:42 p.m.	buffer: src\main.rs console_handle: 0x000000000000000b	1	1	0
WriteConsoleW Feb. 8, 2024, 5:42 p.m.	buffer: Failed to download the file: reqwest::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("anonhost.in")), port: None, path: "/vlog2/uploads/putty.bat", query: None, fragment: None }, source: hyper::Error(Connect, Os { code: -2146762495, kind: Uncategorized, message: "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." }) } console_handle: 0x000000000000000b	1	1	0
WriteConsoleW Feb. 8, 2024, 5:42 p.m.	buffer: note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace console_handle: 0x000000000000000b	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Feb. 8, 2024, 5:42 p.m.	flags: 15 family: 0		111	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob