Summary | ZeroBOX

v.exe

Tags: Malicious Library, Downloader, Admin Tool (Sysinternals etc ...), UPX, PE File, PE32

Category: FILE
Machine: s1_win7_x6403_us
Started: Aug. 5, 2024, 10:40 a.m.
Completed: Aug. 5, 2024, 10:53 a.m.
Size 11.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5381689d4c9a0ce9d0f67dd8485188d2
SHA256 3860e4bc7a35d52b4193b256bd76e62d98e9d05e504e4871a56585ea56295228
CRC32 E0576D48
ssdeep 192:3p94aeZmoVfBLMhegdZJJfxMLkWScZqYSi/HX:3p94iQYgOZTxMQWSc9
Yara
  • Network_Downloader - File Downloader
  • Malicious_Library_Zero - Malicious_Library
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Name / Response / Post-Analysis Lookup
twizt.net -> 185.215.113.66

IP Address / Status / Action
164.124.101.2 - Active - Moloch
185.215.113.66 - Active - Moloch

Suricata Alerts

Flow: TCP 185.215.113.66:80 -> 192.168.56.103:49161
SID: 2400032
Signature: ET DROP Spamhaus DROP Listed Traffic Inbound group 33
Category: Misc Attack

Suricata TLS

No Suricata TLS

HTTP requests
  • GET http://twizt.net/vncinstall.php
  • GET http://twizt.net/lbslut.exe

API calls (Time & API / Arguments / Status / Return / Repeated)

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x000000b0
filepath: C:\Users\test22\AppData\Local\Temp\525352353.jpg
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\525352353.jpg
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
status: 1
return: 0
repeated: 0

Registry persistence
reg_key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service
reg_value: C:\Users\test22\winsvc.exe

User agents
process: v.exe
useragent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
process: winsvc.exe
useragent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36

Files
file: C:\Users\test22\winsvc.exe:Zone.Identifier
file: C:\Users\test22\AppData\Local\Temp\v.exe:Zone.Identifier
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Phorpiex.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
ALYac Dropped:Generic.Malware.S!dld!.4D40BE06
Cylance Unsafe
VIPRE Dropped:Generic.Malware.S!dld!.4D40BE06
Sangfor Worm.Win32.Phorpiex.Vqq8
BitDefender Dropped:Generic.Malware.S!dld!.4D40BE06
Cybereason malicious.d4c9a0
Arcabit Generic.Malware.S!dld!.4D40BE06
Paloalto generic.ml
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Phorpiex.BB
APEX Malicious
Avast Win32:WormX-gen [Wrm]
Kaspersky HEUR:Trojan.Win32.Zonidel.gen
Alibaba Worm:Win32/Zonidel.ff4dbf9e
MicroWorld-eScan Dropped:Generic.Malware.S!dld!.4D40BE06
Emsisoft Dropped:Generic.Malware.S!dld!.4D40BE06 (B)
F-Secure Worm.WORM/Phorpiex.xapjy
TrendMicro Mal_DLDER
McAfeeD ti!3860E4BC7A35
FireEye Generic.mg.5381689d4c9a0ce9
Sophos Mal/Generic-S
Ikarus Worm.Win32.Phorpiex
Google Detected
Avira WORM/Phorpiex.xapjy
MAX malware (ai score=88)
Kingsoft malware.kb.a.999
Microsoft Trojan:Win32/Zusy.HNB!MTB
ZoneAlarm HEUR:Trojan.Win32.Zonidel.gen
GData Win32.Trojan.Phorpiex.D
Varist W32/S-c70f2e64!Eldorado
AhnLab-V3 Trojan/Win.Dlder.R637818
BitDefenderTheta Gen:NN.ZexaF.36810.auW@aikI5Phi
Malwarebytes Trojan.Phorpiex
TrendMicro-HouseCall Mal_DLDER
Tencent Win32.Trojan.Zonidel.Gdhl
SentinelOne Static AI - Malicious PE
Fortinet W32/Phorpiex.BB!worm
AVG Win32:WormX-gen [Wrm]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_100% (W)
alibabacloud Worm:Win/Phorpiex.BK