Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 14, 2024, 9:39 a.m.	June 14, 2024, 9:43 a.m.

Size	424.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`e52c00bdc49c2e842a573532762c5f0b`
SHA256	`20a035c052c1dcb7c792692308e4c35a4f8bc9f742760bffcf5c0345e75ebed6`
CRC32	`3D5175C6`
ssdeep	`12288:OCHhcdA/7UxQuSl8KTKK4KKDyK5FZ1EEEEmEEE1EEEEEEEEEEElKK1KKK1KKK:Owhb/7UxQpGKTKK4KKDyK5FZ1EEEEmEI`
Yara	IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware

setup%E4%B8%8B%E8%BD%BD%E5%90%8D%E5%8D%95%E7%9B%AE%E5%BD%956001.exe "C:\Users\test22\AppData\Local\Temp\setup%E4%B8%8B%E8%BD%BD%E5%90%8D%E5%8D%95%E7%9B%AE%E5%BD%956001.exe"
496

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
8.134.180.138	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 8.134.180.138:80	2003635	ET MALWARE Suspicious User Agent Detected (RookIE) - Common with Downloaders	A Network Trojan was detected

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 14, 2024, 9:39 a.m.	stacktrace: 0x24c0004 setup%e4%b8%8b%e8%bd%bd%e5%90%8d%e5%8d%95%e7%9b%ae%e5%bd%956001+0x166b @ 0x13f5e166b setup%e4%b8%8b%e8%bd%bd%e5%90%8d%e5%8d%95%e7%9b%ae%e5%bd%956001+0x57ec @ 0x13f5e57ec BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 exception.instruction: insb byte ptr [rdi], dx exception.exception_code: 0xc0000096 exception.symbol: exception.address: 0x24c0004 registers.r14: 0 registers.r15: 0 registers.rcx: 1099511627775 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 2554704 registers.r11: 0 registers.r8: 347892285440 registers.r9: 347908538369 registers.rdx: 3444960 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1 registers.r13: 0	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://8.134.180.138/123.conf

Performs some HTTP requests (1 event)

request

GET http://8.134.180.138/123.conf

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 14, 2024, 9:39 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000024c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

Foreign language identified in PE resource (10 events)

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f0cc

size

0x00000988

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f0cc

size

0x00000988

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f0cc

size

0x00000988

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f0cc

size

0x00000988

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f0cc

size

0x00000988

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f0cc

size

0x00000988

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f0cc

size

0x00000988

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f0cc

size

0x00000988

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006fa54

size

0x00000076

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006facc

size

0x00000570

Communicates with host for which no DNS query was performed (1 event)

host

8.134.180.138

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Lionic	Trojan.Win32.Agent.Y!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
ALYac	Gen:Variant.Doina.74560
Cylance	Unsafe
VIPRE	Gen:Variant.Doina.74560
Sangfor	Trojan.Win32.SilverFoxPrompt.swkaa
K7AntiVirus	Trojan-Downloader ( 005607fa1 )
BitDefender	Gen:Variant.Doina.74560
K7GW	Trojan-Downloader ( 005607fa1 )
Arcabit	Trojan.Doina.D12340
VirIT	Trojan.Win64.Genus.GRJ
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/TrojanDownloader.Agent.EJ
APEX	Malicious
Avast	Win64:DropperX-gen [Drp]
Kaspersky	Trojan-Downloader.Win32.Agent.xycslo
Alibaba	TrojanDownloader:Win64/DropperX.c05607a1
MicroWorld-eScan	Gen:Variant.Doina.74560
Rising	Downloader.Agent!8.B23 (TFE:5:u1ZK0LTan7U)
Emsisoft	Gen:Variant.Doina.74560 (B)
F-Secure	Trojan.TR/Dldr.Agent.ihhav
Zillya	Downloader.Agent.Win64.6323
TrendMicro	TROJ_GEN.R053C0XEC24
McAfeeD	ti!20A035C052C1
FireEye	Gen:Variant.Doina.74560
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win64.Agent
Google	Detected
Avira	TR/Dldr.Agent.ihhav
MAX	malware (ai score=82)
Antiy-AVL	Trojan/Win32.Wacatac
Microsoft	Trojan:Win32/Znyonm
ViRobot	Trojan.Win.Z.Agent.434688.F
ZoneAlarm	Trojan-Downloader.Win32.Agent.xycslo
GData	Gen:Variant.Doina.74560
Varist	W64/ABDownloader.OMOR-4271
AhnLab-V3	Trojan/Win.Generic.C5619520
DeepInstinct	MALICIOUS
VBA32	TrojanDownloader.Agent
Malwarebytes	Trojan.ShellCode
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R053C0XEC24
Tencent	Malware.Win32.Gencirc.11c0072e
MaxSecure	Trojan.Malware.248600720.susgen
Fortinet	W64/Agent.EJ!tr.dldr
AVG	Win64:DropperX-gen [Drp]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (W)
alibabacloud	Trojan[downloader]:Win/Agent.EG

setup%E4%B8%8B%E8%BD%BD%E5%90%8D%E5%8D%95%E7%9B%AE%E5%BD%956001.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All