Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 11, 2024, 2:30 p.m.	Aug. 11, 2024, 3:07 p.m.

Size	307.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ef8320eace6f753231666c61104bdd49`
SHA256	`8e2fa428fa5e7092d117dadf10529a35f415a0b8fa27cd17607e23dd913ffcdc`
CRC32	`C3823D8E`
ssdeep	`6144:hh9fH2l34HigA2/BDBaBL7cpnBZVCBQrfYQSlyItcJ2+QmmaeIBqk3biuFo480AL:s9jtaeIBqmu`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

Name	Response	Post-Analysis Lookup
ip-api.io	A 212.132.117.42	212.132.117.42

IP Address	Status	Action
164.124.101.2	Active	Moloch
212.132.117.42	Active	Moloch

Flow	SID	Signature	Category
TCP 212.132.117.42:443 -> 192.168.56.103:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 212.132.117.42:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2039045	ET INFO External IP Lookup Domain (ip-api .io) in DNS Lookup	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49165 -> 212.132.117.42:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

No Suricata TLS

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 11, 2024, 2:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 11, 2024, 2:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2024, 2:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2024, 2:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2024, 2:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2024, 2:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 11, 2024, 2:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 11, 2024, 2:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2024, 2:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2024, 2:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2024, 2:30 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 11, 2024, 2:30 p.m.	computer_name: TEST22-PC	1	1

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 11, 2024, 2:30 p.m.			0	0

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 11, 2024, 2:30 p.m.	buffer: SUCCESS: The scheduled task "msvcservice" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW Aug. 11, 2024, 2:30 p.m.	buffer: SUCCESS: The scheduled task "msvcservice" has successfully been created. console_handle: 0x00000007	1	1	0

description

request.exe tried to sleep 540 seconds, actually delayed analysis time by 0 seconds

cmdline

C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN msvcservice /TR "C:\Users\test22\msvcservice.exe" /F

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 11, 2024, 2:30 p.m.	show_type: 0 filepath_r: C:\Users\test22\msvcservice.exe parameters: filepath: C:\Users\test22\msvcservice.exe	1	1	0

cmdline

C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN msvcservice /TR "C:\Users\test22\msvcservice.exe" /F

wmi	SELECT * FROM Win32_Processor

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\msvcservice	reg_value	C:\Users\test22\msvcservice.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\msvcservice	reg_value	C:\Users\test22\msvcservice.exe
cmdline	C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN msvcservice /TR "C:\Users\test22\msvcservice.exe" /F

file	C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Heur.Mint.SP.Sneaky.1
Skyhigh	BehavesLike.Win32.Generic.fh
Cylance	Unsafe
VIPRE	Gen:Heur.Mint.SP.Sneaky.1
Sangfor	Trojan.Win32.Save.a
BitDefender	Gen:Heur.Mint.SP.Sneaky.1
Cybereason	malicious.ace6f7
Arcabit	Trojan.Mint.SP.Sneaky.1
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	VHO:Trojan-Dropper.Win32.Dorifel.gen
Emsisoft	Gen:Heur.Mint.SP.Sneaky.1 (B)
F-Secure	Trojan.TR/Hijacker.Gen
McAfeeD	Real Protect-LS!EF8320EACE6F
FireEye	Generic.mg.ef8320eace6f7532
Sophos	ML/PE-A
Avira	TR/Hijacker.Gen
MAX	malware (ai score=80)
Kingsoft	malware.kb.a.989
Microsoft	Trojan:Win32/Amadey.KAA!MTB
ZoneAlarm	VHO:Trojan-Dropper.Win32.Dorifel.gen
GData	Gen:Heur.Mint.SP.Sneaky.1
AhnLab-V3	Trojan/Win.Generic.C5644986
BitDefenderTheta	AI:Packer.8C9622AE1E
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Wacatac
huorong	HVM:Trojan/MalBehav.gen!A
CrowdStrike	win/malicious_confidence_100% (D)

request.exe