Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.22 04:09
2.exe
09.21 02:09
random.exe
09.21 02:09
sdhsfd.exe
09.21 02:09
66edb89bc4073_crypted....
09.21 02:09
66ed33772bbe7_vdfhsjf1...
09.21 02:09
game.exe
09.21 02:09
66ebb3bf78bd6_Send.exe...
09.21 02:09
66ed33717e4c1_vfdshfda...
09.21 02:09
random.exe
09.21 02:09
66ed336eac985_vdfhssfd...

Latest News
09.22 08:09
Biden Administration t...
09.22 08:09
IT Sicherheitsnews tae...
09.22 07:09
September 22, 2024
09.22 06:09
Cards Against Humanity...
09.22 05:09
Linux, Now In Real Time
09.22 04:09
Was können Roboter wir...
09.22 04:09
Schluss mit Basis-Auth...
09.22 04:09
Deutsches Jugendherber...
09.22 02:09
Learn How to Dissect B...
09.22 02:09
Jumperless Breadboard ...

Summary | ZeroBOX

msbuild.exe

Generic Malware Malicious Library UPX GIF Format Lnk Format PE64 PE File OS Processor Check

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 11, 2024, 1:20 p.m.	July 11, 2024, 1:26 p.m.

Size	3.6MB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`77b8c18bece02b6cfa33f68c743b3c3c`
SHA256	`e19de62c82f499f2f3748136c337222c2f67effba91e6252fdc9ece2f20595d9`
CRC32	`D3C3D2BB`
ssdeep	`49152:T13hnx0+HdYgtb20mCnChhO+TA/5oGSWxHP+RJcGZ12yP32aVb5S:pG2n1Si+RJcGy82aVE`
PDB Path	F:\asdasd\x64\Output\Release\teger.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

msbuild.exe "C:\Users\test22\AppData\Local\Temp\msbuild.exe"
1072
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
sexapp.cc	A 43.135.32.151	43.135.32.151

IP Address	Status	Action
164.124.101.2	Active	Moloch
43.135.32.151	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2027758	ET DNS Query for .cc TLD	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 11, 2024, 1:13 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 11, 2024, 1:13 p.m.	computer_name: TEST22-PC	1	1	0

This executable has a PDB path (1 event)

pdb_path

F:\asdasd\x64\Output\Release\teger.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 11, 2024, 1:13 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

sexapp.cc

description

Cocos Islands domain TLD

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 11, 2024, 1:13 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sexaps.lnk

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sexaps.lnk

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sexaps.lnk

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Bkav	W64.AIDetectMalware
ESET-NOD32	a variant of Win64/Agent.VV
Rising	Trojan.Agent!8.B1E (CLOUD)
McAfeeD	ti!E19DE62C82F4
Ikarus	Trojan.Win64.Agent
DeepInstinct	MALICIOUS
Tencent	Win64.Trojan.Agent.Nsmw
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat.MU
Paloalto	generic.ml

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (20 events)

dead_host	192.168.56.103:49171
dead_host	192.168.56.103:49170
dead_host	43.135.32.151:3965
dead_host	192.168.56.103:49181
dead_host	192.168.56.103:49180
dead_host	192.168.56.103:49183
dead_host	192.168.56.103:49173
dead_host	192.168.56.103:49182
dead_host	192.168.56.103:49172
dead_host	192.168.56.103:49177
dead_host	192.168.56.103:49175
dead_host	192.168.56.103:49176
dead_host	192.168.56.103:49165
dead_host	192.168.56.103:49174
dead_host	192.168.56.103:49179
dead_host	192.168.56.103:49164
dead_host	192.168.56.103:49169
dead_host	192.168.56.103:49178
dead_host	192.168.56.103:49168
dead_host	192.168.56.103:49166