Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 17, 2024, 1:24 p.m.	June 17, 2024, 1:26 p.m.

Size	60.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fc58e29974c49a329c30188f5a468e08`
SHA256	`064497427357409fcd63a0a582091f40a7cde46e993a3a58c0ae316f01480c5d`
CRC32	`2C8E231B`
ssdeep	`768:3e1iZNbQAKrWGOkGQeN70ZqL37TKBBmbUt4i:36iZNer5GQvk7ath`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

dhl.exe "C:\Users\test22\AppData\Local\Temp\dhl.exe"
2552
- svchostss.exe "C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe"
  2684

Name	Response	Post-Analysis Lookup
star.sp168.tv	A 156.241.4.189	156.241.4.189

IP Address	Status	Action
156.241.4.189	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 156.241.4.189:7744 -> 192.168.56.101:49161	2045860	ET HUNTING Rejetto HTTP File Sever Response	A Network Trojan was detected

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 17, 2024, 1:24 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2024, 1:24 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2024, 1:24 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 17, 2024, 1:24 p.m.	process_identifier: 2684 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Program Files\AppPatch\8.77.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA June 17, 2024, 1:24 p.m.	service_start_name: start_type: 2 password: display_name: Qaitcj uuqlvgmfpfjqzpzuye filepath: C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe service_name: Wsnoxe zzvqawcl filepath_r: C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe desired_access: 983551 service_handle: 0x00285280 error_control: 0 service_type: 272 service_manager_handle: 0x00285320	1	2642560	0

Creates a suspicious process (2 events)

cmdline	C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe
cmdline	"C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe"

Installs itself for autorun at Windows startup (1 event)

service_name

Wsnoxe zzvqawcl

service_path

C:\Program Files (x86)\Microsoft Bltenu\svchostss.exe

File has been identified by 64 AntiVirus engines on VirusTotal as malicious (50 out of 64 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Tiny.a!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Redosdru.18846
Skyhigh	Trojan-FKFK!FC58E29974C4
ALYac	Trojan.Downloader.JSWJ
Cylance	Unsafe
VIPRE	Trojan.Downloader.JSWJ
Sangfor	Downloader.Win32.Agent.Vbbb
K7AntiVirus	Trojan-Downloader ( 0055e3da1 )
BitDefender	Trojan.Downloader.JSWJ
K7GW	Trojan-Downloader ( 0055e3da1 )
Cybereason	malicious.974c49
Arcabit	Trojan.Downloader.JSWJ
Baidu	Win32.Trojan-Downloader.Agent.cw
VirIT	Trojan.Win32.Generic.EQQ
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.AVU
APEX	Malicious
McAfee	Trojan-FKFK!FC58E29974C4
Avast	Win32:Dropper-OHP [Trj]
ClamAV	Win.Downloader.Farfli-6453698-0
Kaspersky	Trojan-Downloader.Win32.Tiny.cun
Alibaba	Backdoor:Win32/Zlob.180910
NANO-Antivirus	Trojan.Win32.Agent.dqsnyd
MicroWorld-eScan	Trojan.Downloader.JSWJ
Emsisoft	Trojan.Downloader.JSWJ (B)
F-Secure	Trojan.TR/Downloader.Gen4
DrWeb	BackDoor.Siggen.58849
Zillya	Downloader.Tiny.Win32.4461
TrendMicro	BKDR_ZEGOST.SM17
McAfeeD	ti!064497427357
FireEye	Generic.mg.fc58e29974c49a32
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win32.Agent
Jiangmin	TrojanDropper.Dorgam.kg
Google	Detected
Avira	TR/Downloader.Gen4
MAX	malware (ai score=85)
Antiy-AVL	Trojan[Backdoor]/Win32.BigBadWolf.a
Kingsoft	malware.kb.a.1000
Gridinsoft	Trojan.Win32.Gen.tr
Xcitium	TrojWare.Win32.Farfli.BJQ@5t8o8c
Microsoft	Trojan:Win32/Redosdru.AB
ViRobot	Trojan.Win.Z.Downloader.61506.C
ZoneAlarm	Trojan-Downloader.Win32.Tiny.cun
GData	Trojan.Downloader.JSWJ
Varist	W32/Trojan.JNNA-3426
AhnLab-V3	Trojan/Win32.Downloader.R148588

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 events)

dead_host	192.168.56.101:49168
dead_host	156.241.4.189:10091
dead_host	192.168.56.101:49169
dead_host	192.168.56.101:49164

dhl.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All