Summary | ZeroBOX

215.exe

Tags: Emotet, Generic Malware, Malicious Library, UPX, Malicious Packer, ftp, PNG Format, PE File, OS Processor Check, PE32

Category: FILE
Machine: s1_win7_x6401
Started: July 23, 2024, 7:35 a.m.
Completed: July 23, 2024, 7:37 a.m.
Size: 16.3MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5824dfdc189116156a9619a5af980de4
SHA256: 35a4178a89270867a969750a3e20b143491472bb06bbfef975fa62bb37d72fe8
CRC32: AF525B76
ssdeep: 196608:xDsXFti0lFlBySXz1mpq4RsPe6JHZ1ggWchgtwmfaq6TlbC4OC8oKGRwgoa5V:4ttlByaDim9PphjwgoMV
PDB Path: F:\PROJ\CodeLogic\Release\PilotEdit.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • ftp_command - ftp command
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet
  • Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Name / Response / Post-Analysis Lookup
  • pastebin.com -> 104.20.3.235

IP Address / Status / Action
  • 104.20.3.235 - Active - Moloch
  • 164.124.101.2 - Active - Moloch
  • 45.141.87.16 - Active - Moloch

Suricata Alerts

Flow: TCP 192.168.56.101:49164 -> 104.20.3.235:443
SID: 906200022
Signature: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category: undefined

Suricata TLS

Flow: TLS 1.2 192.168.56.101:49164 -> 104.20.3.235:443
Issuer: C=US, O=Google Trust Services, CN=WE1
Subject: CN=pastebin.com
Fingerprint: 82:49:c5:04:9a:bd:a9:c1:ab:4d:ff:95:b9:94:74:cc:40:bc:09:7f

API call: GetComputerNameW
  • computer_name: TEST22-PC
  • Status: 1, Return: 1, Repeated: 0

pdb_path: F:\PROJ\CodeLogic\Release\PilotEdit.pdb

API call: GlobalMemoryStatusEx
  • Status: 1, Return: 1, Repeated: 0

Resource names:
  • NYA
  • PNG
  • STYLE
  • TEXTFILE
  • None

suspicious_features: GET method with no useragent header
suspicious_request: GET https://pastebin.com/raw/kPvvMYDF
request: GET https://pastebin.com/raw/kPvvMYDF
API call: NtProtectVirtualMemory
  • process_identifier: 2544
  • stack_dep_bypass: 0
  • stack_pivoted: 0
  • heap_dep_bypass: 0
  • length: 28672
  • protection: 64 (PAGE_EXECUTE_READWRITE)
  • base_address: 0x00848000
  • process_handle: 0xffffffff
  • Status: 1, Return: 0, Repeated: 0

API call: NtProtectVirtualMemory
  • process_identifier: 2544
  • stack_dep_bypass: 0
  • stack_pivoted: 0
  • heap_dep_bypass: 0
  • length: 4096
  • protection: 64 (PAGE_EXECUTE_READWRITE)
  • base_address: 0x72d62000
  • process_handle: 0xffffffff
  • Status: 1, Return: 0, Repeated: 0

API call: NtProtectVirtualMemory
  • process_identifier: 2544
  • stack_dep_bypass: 0
  • stack_pivoted: 0
  • heap_dep_bypass: 0
  • length: 73728
  • protection: 64 (PAGE_EXECUTE_READWRITE)
  • base_address: 0x72ab1000
  • process_handle: 0xffffffff
  • Status: 1, Return: 0, Repeated: 0

API call: CreateProcessInternalW
  • thread_identifier: 2656
  • thread_handle: 0x0000001c
  • process_identifier: 2652
  • current_directory: (empty)
  • filepath: (empty)
  • track: 1
  • command_line: C:\Users\test22\AppData\Local\Temp\acAgent_debug\javaw.exe
  • filepath_r: (empty)
  • stack_pivoted: 0
  • creation_flags: 134217728 (CREATE_NO_WINDOW)
  • inherit_handles: 1
  • process_handle: 0x0000016c
  • Status: 1, Return: 1, Repeated: 0

Signature: A section with a high entropy has been found
  • section: .rsrc (size_of_data 0x009e5200, virtual_address 0x0123f000, virtual_size 0x009e50ce, entropy 7.511112960067073)

Signature: Overall entropy of this PE file is high
  • entropy: 0.607846666067

host: 45.141.87.16
dead_host: 45.141.87.16:15647