Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 13, 2024, 9:33 a.m.	Sept. 13, 2024, 9:38 a.m.

Size	11.3MB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`e0b11d0fba0e8c49d4f268e831bccc7a`
SHA256	`f313aa44ce787dc150571aa050ad76ab1773e5d71096e94ff92e78534eb25e23`
CRC32	`D6E9C669`
ssdeep	`98304:V3WBP9loEChXVFmEiZGZBRA5RACWNOxg:Vm9oFxiI/C5CLU`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature ftp_command - ftp command Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) Antivirus - Contains references to security software Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

999.html "C:\Users\test22\AppData\Local\Temp\999.html"
2068
- whoami.exe whoami
  2216

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.87.10.156	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49161 103.87.10.156:50698	None	None	None

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 13, 2024, 9:31 a.m.	buffer: 2024/09/13 09:31:53 Forking console_handle: 0x000000000000000b	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 13, 2024, 9:31 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

whoami

Communicates with host for which no DNS query was performed (1 event)

host

103.87.10.156

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Sept. 13, 2024, 9:31 a.m.	ordinal: 0 function_address: 0x000007fefe467a50 function_name: wine_get_version module: ntdll module_address: 0x00000000776c0000		-1073741511	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W64.AIDetectMalware
Lionic	Hacktool.Win32.Marte.3!c
Elastic	malicious (high confidence)
ALYac	Generic.Application.Revhell.Marte.A.8173D2BA
VIPRE	Generic.Application.Revhell.Marte.A.8173D2BA
Sangfor	Hacktool.Win64.Reversessh.Vuy3
BitDefender	Generic.Application.Revhell.Marte.A.8173D2BA
Cybereason	malicious.fba0e8
Arcabit	Generic.Application.Revhell.Marte.A.8173D2BA
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of WinGo/HackTool.ReverseSsh.E.gen
Avast	Win64:Evo-gen [Trj]
ClamAV	Win.Backdoor.ReverseSSH-10033041-1
Kaspersky	HEUR:HackTool.Win64.ReverseSSH.gen
Alibaba	HackTool:Win64/SuperShell.50b020dd
MicroWorld-eScan	Generic.Application.Revhell.Marte.A.8173D2BA
Rising	HackTool.ReverseSSH!1.EA42 (CLASSIC)
Emsisoft	Generic.Application.Revhell.Marte.A.8173D2BA (B)
DrWeb	BackDoor.Reverse.236
McAfeeD	ti!F313AA44CE78
CTX	exe.hacktool.reversessh
Sophos	Mal/Swrort-Y
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.Application.Revhell.Marte.A.8173D2BA
Google	Detected
Kingsoft	Win64.HackTool.ReverseSSH.gen
Gridinsoft	Hack.Win64.Patcher.sa
Microsoft	VirTool:Win64/SuperShell.A
ZoneAlarm	HEUR:HackTool.Win64.ReverseSSH.gen
GData	Win64.Packed.Shellcode.C
Varist	W64/ABApplication.NGBG-3139
AhnLab-V3	Trojan/Win.Generic.R664664
McAfee	Artemis!E0B11D0FBA0E
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.3536155739
Ikarus	Win32.Outbreak
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002H01IC24
Tencent	Win64.Hacktool.Reversessh.Lcnw
Yandex	Trojan.Agent!uVlyNiGIejQ
MaxSecure	Trojan.Malware.208817443.susgen
AVG	Win64:Evo-gen [Trj]
Paloalto	generic.ml
alibabacloud	Backdoor:Multi/Supershell

999.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All