Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.21 02:09
random.exe
09.21 02:09
sdhsfd.exe
09.21 02:09
66edb89bc4073_crypted....
09.21 02:09
66ed33772bbe7_vdfhsjf1...
09.21 02:09
game.exe
09.21 02:09
66ebb3bf78bd6_Send.exe...
09.21 02:09
66ed33717e4c1_vfdshfda...
09.21 02:09
random.exe
09.21 02:09
66ed336eac985_vdfhssfd...
09.21 02:09
66ed7ef071886_crypted....

Latest News
09.21 05:09
There’s No Lower Spec ...
09.21 05:09
[PASCON 2024-영상] 박재민 엔...
09.21 04:09
[PASCON 2024-영상] SK쉴더스...
09.21 04:09
[PASCON 2024-영상] 윤영 익스...
09.21 03:09
[PASCON 2024] 옥타코 이재형 ...
09.21 03:09
[PASCON 2024] S2W 김재기 ...
09.21 02:09
[PASCON 2024-영상] 탈레스 “...
09.21 02:09
Get Your Lisp On With ...
09.21 02:09
Zombie Construction Si...
09.21 01:09
[PASCON 2024-영상] 스패로우 ...

Summary | ZeroBOX

PwHnaA.exe

Generic Malware .NET framework(MSIL) Malicious Library UPX Malicious Packer Anti_VM PE File OS Processor Check JPEG Format PE32 .NET EXE

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 1, 2024, 8:44 a.m.	Aug. 1, 2024, 8:46 a.m.

Size	175.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`19f436930646f3e8f283fa71f2a4cbcb`
SHA256	`40e64ea2d9253f93606f6f62966f05e2bb300e03e82ecd54c5dcba5640df0dff`
CRC32	`7BD01CF8`
ssdeep	`3072:+e8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTDwARE+WpCc:W6ewwIwQJ6vKX0c5MlYZ0b2E`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Is_DotNET_EXE - (no description) IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
2644
- chcp.com chcp 65001
  2664
- netsh.exe netsh wlan show profile
  544
- findstr.exe findstr All
  1596
cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
2708
- chcp.com chcp 65001
  2164
- netsh.exe netsh wlan show networks mode=bssid
  2748

Name	Response	Post-Analysis Lookup
icanhazip.com	A 104.16.184.241 A 104.16.185.241	104.16.184.241
api.mylnikov.org	A 172.67.196.114 A 104.21.44.66	104.21.44.66
api.telegram.org	A 149.154.167.220	149.154.167.220

IP Address	Status	Action
104.16.184.241	Active	Moloch
104.21.44.66	Active	Moloch
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 149.154.167.220:443 -> 192.168.56.101:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.101:49178 -> 149.154.167.220:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2033966	ET HUNTING Telegram API Domain in DNS Lookup	Misc activity
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2054169	ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49176 -> 104.16.184.241:80	2017398	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)	Attempted Information Leak
TCP 149.154.167.220:443 -> 192.168.56.101:49179	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 104.21.44.66:443	2033010	ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49177 -> 104.21.44.66:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.101:49179 -> 149.154.167.220:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.101:49178 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.101:49179 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49177 104.21.44.66:443	C=US, O=Google Trust Services, CN=WE1	CN=mylnikov.org	02:37:7c:02:dd:73:81:8e:66:ea:4a:15:58:23:d8:bd:6d:a6:d0:39

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://icanhazip.com/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=0a:00:27:00:00:00

Performs some HTTP requests (2 events)

request	GET http://icanhazip.com/
request	GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=0a:00:27:00:00:00

Looks up the external IP address (1 event)

domain

icanhazip.com

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	chcp 65001
cmdline	netsh wlan show networks mode=bssid
cmdline	netsh wlan show profile