Category | Machine | Started | Completed |
---|---|---|---|
ARCHIVE | s1_win7_x6403_us | June 7, 2024, 5:49 p.m. | June 7, 2024, 5:50 p.m. |
Archive csrs.exe @ sandbox.zip
Summary
Size | 6.2MB |
---|---|
Type | PE32 executable (console) Intel 80386, for MS Windows |
MD5 | ed43f6043f51fba6b2a8a4062256154d |
SHA1 | 4cf081fde15f702c434b588f0556d28227ae1f1a |
SHA256 | a62c67bb2c90d79ffc64d3862c73ea77255581d224a8736c470dc72a6716c6e3 |
SHA512 | 7e47c25992a88f4d34fb6ce2ce4469d6d8a5a07682eabc032391a837c15a6bb62d1a7cde219ba59efc134c5d5113e5196077608a3e2623f6a751c56a5b031489 |
CRC32 | 21CECB4F |
ssdeep | 98304:188SKeTpHfNgRVccndCe+AOSF2lFGzo0qoyYUOzn52bISsD9C775URDNJLN:+ieT7gVccdF+cFYG4gkESsDseBNxN |
Yara | |
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. | | |

IP Address | Status | Action |
---|---|---|
164.124.101.2 | Active | Moloch |

The single address in the traffic table is most likely the analysis VM's configured DNS resolver rather than infrastructure belonging to the sample: no host names were resolved and no hosts were contacted during the run.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
section | .gfids | (the Control Flow Guard function-ID table that MSVC emits; a standard compiler artifact, not a packer section) |
The following files were written under C:\Users\test22\AppData\Local\Temp\_MEI20962\ during the run (duplicate rows collapsed). A _MEI<number> directory under %TEMP% holding python27.dll, the MSVC 9.0 runtime and *.pyd extension modules is the PyInstaller one-file bootloader unpacking its bundled Python 2.7 environment; the number is the bootloader's process ID. The PyCrypto (Crypto.*) and cryptography modules show the embedded script has AES, DES/3DES, RC4, MD4 and SHA-256 available, and _socket/_ssl give it networking.
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\msvcr90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\msvcp90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\python27.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\msvcm90.dll |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Util._counter.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Cipher._DES3.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\_hashlib.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\cryptography.hazmat.bindings._constant_time.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\_socket.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\select.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Hash._MD4.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\_ssl.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Cipher._DES.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\_cffi_backend.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Random.OSRNG.winrandom.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\pyexpat.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Util.strxor.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\cryptography.hazmat.bindings._openssl.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Cipher._AES.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Hash._SHA256.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\Crypto.Cipher._ARC4.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\bz2.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\_ctypes.pyd |
file | C:\Users\test22\AppData\Local\Temp\_MEI20962\unicodedata.pyd |
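The drop list above can be obtained statically, without running the sample. The following is an added example, not the sandbox's or the report's own code: it locates the PyInstaller CArchive cookie appended to the executable, reads its table of contents and inflates individual entries. The layout follows the PyInstaller bootloader's pyi_archive.h (cookie magic "MEI" followed by bytes 0c 0b 0a 0b 0e, big-endian fields, TOC entries packed as `!iIIIBc` plus a NUL-padded name). The bundle it parses by default is constructed inside the script; point it at a real file by passing the path as the first argument. The version-field decoding (major*10+minor in older bootloaders, major*100+minor from PyInstaller 4 on) is a heuristic.

```python
"""Identify a PyInstaller one-file bundle and inventory it without running it.

Added example, not the sandbox's code. The _MEI<pid> directory, python27.dll
and the *.pyd modules in the report are what a PyInstaller one-file executable
unpacks at run time; the same inventory can be read from the CArchive
appended to the PE. The bundle parsed below is constructed for the demonstration.
"""
import struct
import zlib

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT_V21 = "!8sIIii64s"  # PyInstaller >= 2.1: magic, pkg len, TOC offset, TOC len, pyvers, pylib name
COOKIE_FMT_V20 = "!8sIIii"     # PyInstaller 2.0: same without the library name
TOC_ENTRY_FMT = "!iIIIBc"      # entry len, data offset, compressed size, uncompressed size, zlib flag, type code
TOC_HDR = struct.calcsize(TOC_ENTRY_FMT)


def find_cookie(blob: bytes):
    """Locate the CArchive cookie; return (archive_start, toc_off, toc_len, pyvers, pylib) or None."""
    pos = blob.rfind(MAGIC)
    if pos < 0:
        return None
    for fmt in (COOKIE_FMT_V21, COOKIE_FMT_V20):
        size = struct.calcsize(fmt)
        if pos + size > len(blob):
            continue
        fields = struct.unpack_from(fmt, blob, pos)
        _magic, pkg_len, toc_off, toc_len, pyvers = fields[:5]
        pylib = fields[5].rstrip(b"\0").decode("latin-1") if len(fields) > 5 else ""
        start = pos + size - pkg_len  # pkg_len counts everything up to and including the cookie
        if start >= 0 and start + toc_off + toc_len <= pos:  # TOC must end where the cookie begins
            return start, toc_off, toc_len, pyvers, pylib
    return None


def python_version(pyvers: int) -> str:
    """Heuristic decode of the cookie's version field: major*10+minor in older
    bootloaders, major*100+minor since PyInstaller 4 (so Python 3.10 is 310, not 31)."""
    base = 100 if pyvers >= 100 else 10
    return f"{pyvers // base}.{pyvers % base}"


def list_toc(blob: bytes):
    """Return {'python', 'pylib', 'entries'} for a PyInstaller bundle, or None if it is not one."""
    info = find_cookie(blob)
    if info is None:
        return None
    start, toc_off, toc_len, pyvers, pylib = info
    entries, off, end = [], start + toc_off, start + toc_off + toc_len
    while off < end:
        entry_len, data_off, csize, usize, flag, typ = struct.unpack_from(TOC_ENTRY_FMT, blob, off)
        name = blob[off + TOC_HDR:off + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "type": typ.decode("ascii"), "compressed": bool(flag),
                        "offset": start + data_off, "csize": csize, "size": usize})
        off += entry_len
    return {"python": python_version(pyvers), "pylib": pylib, "entries": entries}


def extract(blob: bytes, entry: dict) -> bytes:
    """Pull one TOC entry's bytes out of the bundle, inflating zlib-compressed ones."""
    raw = blob[entry["offset"]:entry["offset"] + entry["csize"]]
    return zlib.decompress(raw) if entry["compressed"] else raw


def build_bundle(stub: bytes, files, pyvers=27, pylib="python27.dll") -> bytes:
    """Constructed sample: append a PyInstaller-style CArchive to `stub` (a stand-in for the
    bootloader). files is [(name, type_code, data, compress)]; 'b' = binary, 's' = script."""
    body, toc = bytearray(), bytearray()
    for name, typ, data, compress in files:
        payload = zlib.compress(data, 9) if compress else data
        name_b = name.encode() + b"\0"
        entry_len = TOC_HDR + len(name_b)
        entry_len += (-entry_len) % 16  # the writer pads each entry to a 16-byte boundary
        toc += struct.pack(TOC_ENTRY_FMT, entry_len, len(body), len(payload), len(data),
                           int(compress), typ.encode("ascii"))
        toc += name_b.ljust(entry_len - TOC_HDR, b"\0")
        body += payload
    pkg_len = len(body) + len(toc) + struct.calcsize(COOKIE_FMT_V21)
    cookie = struct.pack(COOKIE_FMT_V21, MAGIC, pkg_len, len(body), len(toc), pyvers, pylib.encode("ascii"))
    return stub + bytes(body) + bytes(toc) + cookie


# Constructed sample bundle: a dummy stub, two "binaries" and a script,
# named after entries in the report's _MEI20962 drop list.
SAMPLE_BUNDLE = build_bundle(b"MZ" + b"\0" * 0x200, [
    ("python27.dll", "b", b"MZ" + b"\x90" * 600, True),
    ("Crypto.Cipher._AES.pyd", "b", b"MZ" + b"\xcc" * 300, True),
    ("csrs", "s", b"import socket\n", False),
])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    info = list_toc(blob)
    if info is None:
        print("no PyInstaller cookie found")
    else:
        print(f"PyInstaller bundle, Python {info['python']} ({info['pylib']})")
        for e in info["entries"]:
            print(f"{e['type']} {e['size']:>8} {'z' if e['compressed'] else '-'} {e['name']}")
```

On a real one-file sample the 's'-typed entries are the author's scripts (marshalled bytecode for the interpreter version named in the cookie), which is where the behaviour hidden behind the generic runtime strings actually lives.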
section | .rsrc | virtual_address 0x0003d000 | virtual_size 0x0000efb0 | size_of_data 0x0000f000 | entropy 7.286300316224105 | A section with a high entropy has been found |
entropy | 0.251572327044 | Overall entropy of this PE file is high |
The second value is not a Shannon entropy. The sandbox's packer_entropy signature flags any section above 6.8 bits per byte and then reports the share of section bytes that live in such sections, firing when that share exceeds 0.2; here .rsrc (0xf000 bytes) alone is about a quarter of the section data. Note also that the sections end well under 1 MB into a 6.2 MB file: the PyInstaller archive sits in the overlay after the last section and is outside this measurement entirely.
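To reproduce both entropy figures on a file of your own, the following added example (not the report's or CAPE's code) parses the PE section table with struct, computes Shannon entropy per section and applies the two thresholds of the Cuckoo/CAPE packer_entropy signature (6.8 bits per byte per section, 0.2 for the file-level share). The PE it analyses by default is a minimal, non-loadable one constructed in the script with one low-entropy and one high-entropy section; pass a path as the first argument to run it on a real binary.

```python
"""Section-entropy packer heuristic, as the sandbox applies it.

Added example (not the report's or CAPE's own code). Reads the PE section table
with struct, computes Shannon entropy per section, and applies the two
thresholds of the packer_entropy signature: a section counts as high entropy
above 6.8 bits per byte, and the file-level mark fires when more than 20 % of
section bytes sit in such sections. That ratio is the report's "overall entropy".
"""
import hashlib
import math
import struct
import sys
from collections import Counter

HIGH_SECTION_ENTROPY = 6.8  # per-section threshold used by the signature
HIGH_FILE_RATIO = 0.2       # share of section bytes in high-entropy sections


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Yield (name, size_of_raw_data, raw_bytes) for each section of a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional  # section table follows the optional header
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        yield name.rstrip(b"\0").decode("latin-1"), raw_size, blob[raw_ptr:raw_ptr + raw_size]


def packer_entropy_marks(blob: bytes):
    """Return (marks, ratio): the marks the signature would emit and the file-level ratio."""
    marks, total, high = [], 0, 0
    for name, size, data in pe_sections(blob):
        total += size
        entropy = shannon_entropy(data)
        if entropy > HIGH_SECTION_ENTROPY:
            high += size
            marks.append({"section": name, "entropy": entropy,
                          "description": "A section with a high entropy has been found"})
    ratio = high / total if total else 0.0
    if ratio > HIGH_FILE_RATIO:
        marks.append({"entropy": ratio, "description": "Overall entropy of this PE file is high"})
    return marks, ratio


def pseudo_random(n: int, seed: bytes = b"csrs.exe") -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for packed data."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_test_pe(sections) -> bytes:
    """Constructed sample: a minimal PE32 carrying the given [(name, bytes)] sections.
    Only the header fields the parser reads are filled in; it is not loadable."""
    e_lfanew, opt_size = 0x40, 224  # 224 = size of a PE32 optional header
    table = e_lfanew + 24 + opt_size
    data_start = (table + 40 * len(sections) + 0x1FF) & ~0x1FF  # 0x200 file alignment
    hdr = bytearray(data_start)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x14C, len(sections))  # i386, NumberOfSections
    struct.pack_into("<H", hdr, e_lfanew + 20, opt_size)
    struct.pack_into("<H", hdr, e_lfanew + 24, 0x10B)                 # PE32 magic
    body, ptr, vaddr = bytearray(), data_start, 0x1000
    for i, (name, data) in enumerate(sections):
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        struct.pack_into("<8sIIII", hdr, table + 40 * i, name.encode(), len(data), vaddr, raw_size, ptr)
        body += data.ljust(raw_size, b"\0")
        ptr += raw_size
        vaddr += (raw_size + 0xFFF) & ~0xFFF
    return bytes(hdr) + bytes(body)


# Constructed sample: 12 KiB of repetitive code-like bytes plus 4 KiB of "packed" data,
# mirroring the report's shape (one high-entropy section holding about a quarter of the bytes).
SAMPLE_PE = build_test_pe([
    (".text", (b"\x55\x8b\xec" + b"\x90" * 13) * 0x300),
    (".rsrc", pseudo_random(0x1000)),
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    marks, ratio = packer_entropy_marks(blob)
    for m in marks:
        print(m)
    print(f"high-entropy share of section bytes: {ratio:.4f}")
```

Because the ratio is computed over section data only, an executable whose payload lives in the overlay (as a PyInstaller one-file bundle does) can score modestly here while still carrying megabytes of compressed content; check the overlay size separately.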
URL strings found in the binary by static extraction. Almost all of them are CRL, OCSP and CPS pointers from the bundled CA certificate store or documentation links from the embedded Python libraries (urllib3, requests, cryptography); they are not observed traffic and should not be treated as indicators on their own.
url | http://crl.comodo.net/TrustedCertificateServices.crl0 |
url | http://google.com/ |
url | http://www.e-szigno.hu/RootCA.crt0 |
url | http://crl.ssc.lt/root-b/cacrl.crl0 |
url | http://www.acabogacia.org/doc0 |
url | http://username |
url | https://urllib3.readthedocs.io/en/latest/advanced-usage.html |
url | https://github.com/shazow/urllib3/issues/497 |
url | http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0= |
url | http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0 |
url | http://www.ssc.lt/cps03 |
url | http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0 |
url | http://users.ocsp.d-trust.net03 |
url | http://curl.haxx.se/rfc/cookie_spec.html |
url | http://proxy.example.com/ |
url | http://www.nightmare.com/squirl/python-ext/misc/syslog.py |
url | http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 |
url | http://json.org |
url | http://lists.sourceforge.net/lists/listinfo/optik-users). |
url | http://www.microsoft.com/pki/certs/TrustListPCA.crt0 |
url | https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 |
url | http://www.pkioverheid.nl/policies/root-policy0 |
url | http://google.com/mail/ |
url | http://www.disig.sk/ca/crl/ca_disig.crl0 |
url | http://joe |
url | http://crl.chambersign.org/publicnotaryroot.crl0 |
url | http://crl.comodo.net/AAACertificateServices.crl0 |
url | http://www.certplus.com/CRL/class3.crl0 |
url | http://www.faqs.org/rfcs/rfc822.html |
url | http://logo.verisign.com/vslogo.gif0 |
url | http://www.sk.ee/cps/0 |
url | https://cryptography.io/en/latest/hazmat/ |
url | http://www.crc.bg0 |
url | http://www.python.org/dev/peps/pep-0205/ |
url | http://www.e-szigno.hu/SZSZ/0 |
url | https://www.catcert.net/verarrel |
url | https://technotes.googlecode.com/git/nextprotoneg.html |
url | http://python.org/dev/peps/pep-0263/ |
url | http://www.quovadis.bm0 |
url | http://crl.securetrust.com/STCA.crl0 |
url | https://www.catcert.net/verarrel05 |
url | http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0 |
url | http://crl.securetrust.com/SGCA.crl0 |
url | http://crl.chambersign.org/chambersroot.crl0 |
url | https://httpbin.org/ |
url | http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py |
url | http://crl.globalsign.net/root-r2.crl0 |
url | http://certificates.starfieldtech.com/repository/1604 |
url | http://www.d-trust.net0 |
url | https://en.wikipedia.org/wiki/Server_Name_Indication |
Description | Rule |
---|---|
Create a windows service | Create_Service |
Communications over RAW Socket | Network_TCP_Socket |
Communication using DGA | Network_DGA |
Match Windows Http API call | Str_Win32_Http_API |
Take ScreenShot | ScreenShot |
Escalate privileges | Escalate_priviledges |
Steal credential | local_credential_Steal |
PWS Memory | Generic_PWS_Memory_Zero |
Record Audio | Sniff_Audio |
Communications over HTTP | Network_HTTP |
Communications use DNS | Network_DNS |
Code injection with CreateRemoteThread in a remote process | Code_injection |
(no description) | DebuggerCheck__GlobalFlags |
(no description) | DebuggerCheck__QueryInfo |
(no description) | DebuggerCheck__RemoteAPI |
(no description) | DebuggerHiding__Thread |
(no description) | DebuggerHiding__Active |
(no description) | DebuggerException__ConsoleCtrl |
(no description) | DebuggerException__SetConsoleCtrl |
(no description) | ThreadControl__Context |
(no description) | SEH__vectored |
(no description) | Check_Dlls |
Checks if being debugged | anti_dbg |
Anti-Sandbox checks for ThreatExpert | antisb_threatExpert |
Bypass DEP | disable_dep |
Affect hook table | win_hook |
File Downloader | Network_Downloader |
Match Windows Inet API call | Str_Win32_Internet_API |
Communications over FTP | Network_FTP |
Run a KeyLogger | KeyLogger |
Communications over P2P network | Network_P2P_Win |

These are string- and import-based capability rules. Scanning a 6.2 MB bundle that embeds the Python 2.7 interpreter, OpenSSL, PyCrypto and the standard library will match many of them on library code rather than on the author's script, so treat the list as leads to confirm against the unpacked scripts, not as observed behaviour; the dynamic run recorded no network activity at all.
url | http://185.47.128.124:8124/m17010.txt |
url | http://139.5.177.32:9999 |

Unlike the certificate-store and documentation URLs above, these two raw IP:port strings belong to no bundled library and are the ones worth pivoting on. Neither address was contacted in this run (no hosts contacted, no Suricata alerts), so whether they are live download or command-and-control endpoints is not established by this report.