Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 29, 2024, 7:46 a.m.	March 29, 2024, 7:59 a.m.

Size	11.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3cb61ce448a806e79ce88d06e992cc9d`
SHA256	`c2dcdab49f620d41cdff93c58a50c760906ea2565001145564a1491defec08f4`
CRC32	`EBE10013`
ssdeep	`192:d6eQ8BFOXpVfXfGhegWJJfxMLkWScZqYSi/HB6U:d6eQ8nAnOgDTxMQWSc9/6U`
Yara	Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals IsPE32 - (no description) UPX_Zero - UPX packed file

spl.exe "C:\Users\test22\AppData\Local\Temp\spl.exe"
2640
- winsvc.exe C:\Users\test22\winsvc.exe
  2776

Name	Response	Post-Analysis Lookup
twizt.net	A 185.215.113.66	185.215.113.66

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.66	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.66:80 -> 192.168.56.101:49161	2400021	ET DROP Spamhaus DROP Listed Traffic Inbound group 22	Misc Attack

Suricata TLS

No Suricata TLS

Performs some HTTP requests (2 events)

request	GET http://twizt.net/Installed
request	GET http://twizt.net/lslut.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile March 29, 2024, 7:46 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x000000b0 filepath: C:\Users\test22\AppData\Local\Temp\525352353.jpg desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\525352353.jpg create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service

reg_value

C:\Users\test22\winsvc.exe

Attempts to remove evidence of file being downloaded from the Internet (2 events)

file	C:\Users\test22\winsvc.exe:Zone.Identifier
file	C:\Users\test22\AppData\Local\Temp\spl.exe:Zone.Identifier

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Lionic	Trojan.Win32.Phorpiex.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Dropper.lm
ALYac	Dropped:Generic.Malware.S!dld!.A6C11446
Cylance	unsafe
VIPRE	Dropped:Generic.Malware.S!dld!.A6C11446
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005b18091 )
BitDefender	Dropped:Generic.Malware.S!dld!.A6C11446
K7GW	Trojan ( 005b18091 )
Cybereason	malicious.448a80
Arcabit	Generic.Malware.S!dld!.A6C11446
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Phorpiex.BB
APEX	Malicious
McAfee	Artemis!3CB61CE448A8
Avast	Win32:WormX-gen [Wrm]
Kaspersky	HEUR:Trojan.Win32.Zonidel.gen
Alibaba	Worm:Win32/Phorpiex.435c94f7
MicroWorld-eScan	Dropped:Generic.Malware.S!dld!.A6C11446
Rising	Worm.Phorpiex!1.DF9C (CLASSIC)
Emsisoft	Dropped:Generic.Malware.S!dld!.A6C11446 (B)
F-Secure	Worm.WORM/Phorpiex.akxqn
TrendMicro	Mal_DLDER
FireEye	Generic.mg.3cb61ce448a806e7
Sophos	Mal/Generic-S
Ikarus	Worm.Win32.Phorpiex
Google	Detected
Avira	WORM/Phorpiex.akxqn
MAX	malware (ai score=84)
Antiy-AVL	Trojan/Win32.Phorpiex
Kingsoft	Win32.HeurC.KVMH017.a
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/Tiny
ZoneAlarm	HEUR:Trojan.Win32.Zonidel.gen
GData	Win32.Trojan.Phorpiex.D
Varist	W32/S-c70f2e64!Eldorado
AhnLab-V3	Trojan/Win.Dlder.R637818
BitDefenderTheta	Gen:NN.ZexaF.36802.auW@ai@3D6li
DeepInstinct	MALICIOUS
VBA32	BScope.TrojanDownloader.Agent
Malwarebytes	Trojan.Phorpiex
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Mal_DLDER
Tencent	Win32.Trojan.Malware.Wylw
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Phorpiex.BB!worm
AVG	Win32:WormX-gen [Wrm]
CrowdStrike	win/malicious_confidence_100% (W)

spl.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All