Summary | ZeroBOX

version.exe

Suspicious_Script_Bin Generic Malware UPX Malicious Library Malicious Packer Anti_VM PE64 PE File
Category FILE
Machine s1_win7_x6403_us
Started July 11, 2024, 1:21 p.m.
Completed July 11, 2024, 1:57 p.m.
Size 6.3MB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 5caebe57cf130a313c8dfcacac415028
SHA256 d5060458cbc5d08cb5fab7917169d2a0f9b974cd62261eee213c7a5d399bdd20
CRC32 CF7BAEFF
ssdeep 49152:I8MlY/PjEfY0ZBQA/3y/iRa8HXrdat0luPa6PfuAlUJE1wYvH8q0urQvPD0YG1GQ:VB/PjEfTZBJWi0kdaFi6P2AYuMHxnM
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE64 - (no description)
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
184.72.121.183 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .symtab
file C:\Users\test22\AppData\Local\Temp\meNversion.exe
file C:\Users\test22\AppData\Local\Temp\version.exe
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 16
family: 0
1 0 0
host 184.72.121.183
file C:\Users\test22\AppData\Local\Temp\meNversion.exe
file C:\Users\test22\AppData\Local\Temp\version.exe
description Possibly a polymorphic version of itself
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

ordinal: 0
function_address: 0x000007fefe467a50
function_name: wine_get_version
module: ntdll
module_address: 0x00000000776c0000
-1073741511 0

LdrGetProcedureAddress

ordinal: 0
function_address: 0x000007fefe467a50
function_name: wine_get_version
module: ntdll
module_address: 0x00000000776c0000
-1073741511 0

LdrGetProcedureAddress

ordinal: 0
function_address: 0x000007fefe467a50
function_name: wine_get_version
module: ntdll
module_address: 0x00000000776c0000
-1073741511 0
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Generic.4!c
Skyhigh BehavesLike.Win64.Sliver.vh
Cylance Unsafe
Sangfor Trojan.Win32.Agent.V8ia
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win64:Malware-gen
Kaspersky Trojan.Win32.Agent.xbrrky
Alibaba TrojanPSW:Win64/Genric.33cf8661
McAfeeD ti!D5060458CBC5
Ikarus Trojan-PSW.Agent
Google Detected
Kingsoft Win32.Troj.Unknown.a
Microsoft Program:Win32/Wacapew.C!ml
ZoneAlarm Trojan.Win32.Agent.xbrrky
DeepInstinct MALICIOUS
SentinelOne Static AI - Malicious PE
Fortinet W32/PossibleThreat
AVG Win64:Malware-gen
Paloalto generic.ml
CrowdStrike win/malicious_confidence_70% (D)
dead_host 184.72.121.183:443