Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
05.01 02:05
LoginMain(1)
05.01 02:05
LoginMain
05.01 02:05
veneziaLogin.js.pobrane
05.01 02:05
troubleshot-modal-info...
05.01 02:05
LoginMain(4)
05.01 02:05
LoginMain(3)
05.01 02:05
LoginMain(2)
05.01 02:05
LoginMain(6)
05.01 02:05
LoginMain(5)
05.01 02:05
background

Latest News
05.01 06:05
Apple’s Chaotic Month ...
05.01 06:05
Palantir’s Intelligenc...
05.01 06:05
Gunnebo gründet Global...
05.01 06:05
Elektronische Patiente...
05.01 06:05
통신사·콜센터 대규모 해킹사고 원인 "스...
05.01 06:05
Ocado’s Total Bond Bil...
05.01 06:05
Commvault Confirms Hac...
05.01 06:05
Tesla Sales Sink to Tw...
05.01 06:05
Exploring PLeak: An Al...
05.01 05:05
Gaze Upon Robby The Ro...

Summary | ZeroBOX

ConsoleApplication6.exe

Generic Malware Malicious Library Downloader UPX PE64 PE File OS Processor Check

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 19, 2024, 2:01 p.m.	Aug. 19, 2024, 2:07 p.m.

Size	353.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`e3454ebec6c620ea8547121080a4634e`
SHA256	`d4ff3691a8f6e2e3d5dc2dbc23d222f1547e4addf2b8b7f598b213cd7559d5fd`
CRC32	`91D3E999`
ssdeep	`6144:r6U8gPcMcHsSB6+1zrXsEvKXchoQfaSEX:O8cHsSB6IzzsHshoTX`
PDB Path	D:\ProjectStub\ConsoleApplication6\x64\Release\ConsoleApplication6.pdb
Yara	Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader PE_Header_Zero - PE File Signature IsPE64 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

ConsoleApplication6.exe "C:\Users\test22\AppData\Local\Temp\ConsoleApplication6.exe"
2560

Name	Response	Post-Analysis Lookup
exploit-elite.pro	A 172.67.204.99 A 104.21.22.108	104.21.22.108

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.204.99	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 172.67.204.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49165 172.67.204.99:443	C=US, O=Google Trust Services, CN=WE1	CN=exploit-elite.pro	c1:6c:4c:e0:d2:55:b6:ef:43:4f:74:59:ab:ac:b2:46:c7:7f:7d:fc

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 19, 2024, 1:54 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\ProjectStub\ConsoleApplication6\x64\Release\ConsoleApplication6.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 19, 2024, 1:54 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

Performs some HTTP requests (1 event)

request

GET https://exploit-elite.pro/build.exe

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 19, 2024, 1:54 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\file1.exe

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Bkav	W64.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win64.NetLoader.fh
APEX	Malicious
McAfeeD	ti!D4FF3691A8F6
FireEye	Generic.mg.e3454ebec6c620ea
SentinelOne	Static AI - Suspicious PE
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (D)