Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 31, 2024, 7:29 a.m.	May 31, 2024, 7:35 a.m.

Size	176.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b7fcd8d0429e1001ac2b10de60a2d42e`
SHA256	`0e432916a8dabba9ee190f7cc5260c619d8b35ae84048c165f86a79d5bc9f4a2`
CRC32	`742ABABD`
ssdeep	`3072:5N7iMf3nwVQywGvFt3II7A1lJJyjGbhCI6kiNqzuY+8OqtOAg0Fuj0BrQKZaD:5N7iMfXwVQibIa6bTCIbiNnpAORKZaD`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

inte.exe "C:\Users\test22\AppData\Local\Temp\inte.exe"
2552
- cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\inte.exe" & exit
  2848
  - taskkill.exe taskkill /im "inte.exe" /f
    2912

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.172.128.69	Active	Moloch
185.172.128.90	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 31, 2024, 7:29 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 31, 2024, 7:29 a.m.	buffer: ERROR: The process "inte.exe" not found. console_handle: 0x0000000b	1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://185.172.128.90/cpa/ping.php?substr=one&s=two
suspicious_features	Connection to IP address				suspicious_request	GET http://185.172.128.69/advdlc.php

Performs some HTTP requests (2 events)

request	GET http://185.172.128.90/cpa/ping.php?substr=one&s=two
request	GET http://185.172.128.69/advdlc.php

Creates a suspicious process (2 events)

cmdline	C:\Windows\System32\cmd.exe /c taskkill /im "inte.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\inte.exe" & exit
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\inte.exe" & exit

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\inte.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "inte.exe")

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 31, 2024, 7:29 a.m.	show_type: 0 filepath_r: C:\Windows\System32\cmd.exe parameters: /c taskkill /im "inte.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\inte.exe" & exit filepath: C:\Windows\System32\cmd.exe	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 31, 2024, 7:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	taskkill /im "inte.exe" /f
cmdline	C:\Windows\System32\cmd.exe /c taskkill /im "inte.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\inte.exe" & exit
cmdline	"C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\test22\AppData\Local\Temp\inte.exe" & exit

Communicates with host for which no DNS query was performed (2 events)

host	185.172.128.69
host	185.172.128.90

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\inte.exe

Network activity contains more than one unique useragent (2 events)

process	inte.exe				useragent	1
process	inte.exe				useragent	B

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Tepfer.i!c
Elastic	Windows.Generic.Threat
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojanpws.Tepfer
Skyhigh	BehavesLike.Win32.Downloader.ch
ALYac	Gen:Variant.Zusy.534250
Malwarebytes	Trojan.Downloader
VIPRE	Gen:Variant.Zusy.534250
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 005480a41 )
BitDefender	Gen:Variant.Zusy.534250
K7GW	Trojan-Downloader ( 005480a41 )
Cybereason	malicious.0429e1
Arcabit	Trojan.Zusy.D826EA
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.ELB
APEX	Malicious
McAfee	Artemis!B7FCD8D0429E
Avast	Win32:DropperX-gen [Drp]
Kaspersky	HEUR:Trojan-PSW.Win32.Tepfer.gen
Alibaba	TrojanPSW:Win32/Tepfer.a49e3c81
MicroWorld-eScan	Gen:Variant.Zusy.534250
Rising	Downloader.Agent!1.F3FA (CLASSIC)
Emsisoft	Gen:Variant.Zusy.534250 (B)
F-Secure	Trojan.TR/Dldr.Agent.udues
DrWeb	Trojan.DownLoader46.65201
Zillya	Downloader.Agent.Win32.565789
TrendMicro	TROJ_GEN.R002C0DES24
McAfeeD	Real Protect-LS!B7FCD8D0429E
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.b7fcd8d0429e1001
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win32.Agent
Webroot	W32.Trojan.Agent.Gen
Google	Detected
Avira	TR/Dldr.Agent.udues
MAX	malware (ai score=84)
Antiy-AVL	Trojan/Win32.Tepfer
Kingsoft	malware.kb.a.835
Gridinsoft	Malware.Win32.Gen.tr
Microsoft	Trojan:Win32/Tepfer.NT!MTB
ViRobot	Trojan.Win.Z.Tepfer.180224.P
ZoneAlarm	HEUR:Trojan-PSW.Win32.Tepfer.gen
GData	Gen:Variant.Zusy.534250
Varist	W32/Agent.EPA.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.C5574203
BitDefenderTheta	AI:Packer.04F0253F1F
DeepInstinct	MALICIOUS
VBA32	BScope.TrojanPSW.Tepfer

inte.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All