Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 4, 2024, 9:37 a.m.	July 4, 2024, 9:39 a.m.

Size	564.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`da4b6f39fc024d2383d4bfe7f67f1ee1`
SHA256	`544697a024abaea1b24eaa3d89869b2c8a4c1acf96d4e152f5632d338d054c9e`
CRC32	`5F8A0EE5`
ssdeep	`12288:No4ykJuqlLJop9G3/AmAGWn7sfPJYQIMt8KHsTH:NoBsLaDKAmAbUJ+M2K2`
PDB Path	C:\Users\ÑÐ´Ð°ÑÐ°\Desktop\projects\Release\BigProject.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

systemd.exe "C:\Users\test22\AppData\Local\Temp\systemd.exe"
2052

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.141.1	43.202.69.9

IP Address	Status	Action
104.192.141.1	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 104.192.141.1:443 -> 192.168.56.103:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.103:49163	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.103:49165	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\Users\ÑÐ´Ð°ÑÐ°\Desktop\projects\Release\BigProject.pdb

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 4, 2024, 9:37 a.m.	stacktrace: RtlGetActiveActivationContext+0x148 LdrEnumerateLoadedModules-0x53 ntdll+0x3becc @ 0x778dbecc LdrLoadDll+0x11e _strcmpi-0x261 ntdll+0x3c558 @ 0x778dc558 RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x778dc389 LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x778dc4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x746ed4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x755a1d2a LoadLibraryExA+0x26 FreeLibrary-0x18 kernelbase+0x11d7a @ 0x755a1d7a LoadLibraryA+0x31 HeapCreate-0x25 kernel32+0x14a08 @ 0x757f4a08 systemd+0x13085 @ 0x1333085 systemd+0x4ee17 @ 0x136ee17 systemd+0x5fd5b @ 0x137fd5b BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 03 42 3c 89 45 f0 c7 45 d4 01 00 00 00 eb 09 8b exception.symbol: systemd+0x16ca3 exception.instruction: add eax, dword ptr [edx + 0x3c] exception.module: systemd.exe exception.exception_code: 0xc0000005 exception.offset: 93347 exception.address: 0x1336ca3 registers.esp: 3560880 registers.edi: 3564904 registers.eax: 0 registers.ebp: 3564604 registers.edx: 0 registers.ebx: 0 registers.esi: 2130563072 registers.ecx: 15	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 4, 2024, 9:37 a.m.

stacktrace:

RtlGetActiveActivationContext+0x148 LdrEnumerateLoadedModules-0x53 ntdll+0x3becc @ 0x778dbecc
LdrLoadDll+0x11e _strcmpi-0x261 ntdll+0x3c558 @ 0x778dc558
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x778dc389
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x778dc4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x746ed4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x755a1d2a
LoadLibraryExA+0x26 FreeLibrary-0x18 kernelbase+0x11d7a @ 0x755a1d7a
LoadLibraryA+0x31 HeapCreate-0x25 kernel32+0x14a08 @ 0x757f4a08
systemd+0x13085 @ 0x1333085
systemd+0x4ee17 @ 0x136ee17
systemd+0x5fd5b @ 0x137fd5b
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 03 42 3c 89 45 f0 c7 45 d4 01 00 00 00 eb 09 8b
exception.symbol: systemd+0x16ca3
exception.instruction: add eax, dword ptr [edx + 0x3c]
exception.module: systemd.exe
exception.exception_code: 0xc0000005
exception.offset: 93347
exception.address: 0x1336ca3
registers.esp: 3560880
registers.edi: 3564904
registers.eax: 0
registers.ebp: 3564604
registers.edx: 0
registers.ebx: 0
registers.esi: 2130563072
registers.ecx: 15

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 4, 2024, 9:37 a.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x013ab000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 4, 2024, 9:37 a.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778bf000 process_handle: 0xffffffff	1	0	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.hh
ALYac	Gen:Variant.Babar.513642
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
BitDefender	Trojan.GenericKD.73342716
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
McAfee	Artemis!DA4B6F39FC02
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
MicroWorld-eScan	Trojan.GenericKD.73342716
Rising	Trojan.Diztakun!8.FE (CLOUD)
Emsisoft	Trojan.GenericKD.73342716 (B)
F-Secure	Trojan.TR/AVI.PovertyStealer.byoon
DrWeb	Trojan.PWS.Poverty.4
McAfeeD	ti!544697A024AB
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.da4b6f39fc024d23
Sophos	Generic Reputation PUA (PUA)
Ikarus	Trojan-Spy.PovertyStealer
Webroot	W32.Malware.Gen
Google	Detected
Avira	TR/AVI.PovertyStealer.byoon
MAX	malware (ai score=85)
Kingsoft	Win32.Trojan.GenericML.xnet
Gridinsoft	Trojan.Win32.Gen.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Win32.Trojan.Agent.0HRBN5
BitDefenderTheta	Gen:NN.ZexaF.36808.JqW@aCGlmgf
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H09G224
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (D)

systemd.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All