Summary | ZeroBOX

selena2.exe

Malicious Packer UPX PE64 PE File
Category: FILE
Machine: s1_win7_x6401
Started: Sept. 30, 2024, 9:25 a.m.
Completed: Sept. 30, 2024, 9:29 a.m.
Size 1.1MB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 229111fbcdda2ea5c476e2a405cf6f37
SHA256 b24e7c066b84d327678fea4ddefafb2db2fe2002e17a81845ad5f2fb38d4f444
CRC32 05954B62
ssdeep 12288:rg32CTDjNG89PdJvG74VeCzuKVICp5qN2W3eqSQA/JfkQAOVmzW5/:rS2CT3NLVJO74VrqSQAVFArk/
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file

Name / Response / Post-Analysis Lookup: No hosts contacted.

IP Address: 138.201.163.183
Status: Active
Action: Moloch

Suricata Alerts

Flow: TCP 138.201.163.183:443 -> 192.168.56.101:49162
SID: 2037563
Signature: ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed
Category: A Network Trojan was detected

Suricata TLS

Flow: TLSv1 192.168.56.101:49162 -> 138.201.163.183:443
Issuer: C=US, ST=Connecticut, L=Bridgeport, unknown=, unknown=3540, O=Tech Co, CN=138.201.163.183
Subject: C=US, ST=Connecticut, L=Bridgeport, unknown=, unknown=3540, O=Tech Co, CN=138.201.163.183
Fingerprint: f2:fe:5c:d4:5e:a3:2d:1e:1c:ad:6d:f6:88:08:66:4e:40:70:60:de

suspicious_features: POST method with no referer header, Connection to IP address
suspicious_request: POST https://138.201.163.183/
request: POST https://138.201.163.183/
request: POST https://138.201.163.183/
Time & API: NtProtectVirtualMemory
Arguments:
  process_identifier: 2548
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 106496
  protection: 32 (PAGE_EXECUTE_READ)
  base_address: 0x00000000005b0000
  process_handle: 0xffffffffffffffff
Status: 1
Return: 0
Repeated: 0
Time & API: GetAdaptersAddresses
Arguments:
  flags: 15
  family: 0
Status / Return / Repeated: 111 0
section: .data (size_of_data 0x0001ca00, virtual_size 0x0001c880, virtual_address 0x000b6000, entropy 7.5962194103993435)
entropy: 7.5962194104
description: A section with a high entropy has been found
host: 138.201.163.183
Bkav: W64.AIDetectMalware
Lionic: Trojan.Win32.Havoc.4!c
MicroWorld-eScan: Trojan.Generic.36827320
CTX: exe.trojan.generic
McAfee: Artemis!229111FBCDDA
Cylance: Unsafe
VIPRE: Trojan.Generic.36827320
Sangfor: Trojan.Win64.Injector.Vo2t
CrowdStrike: win/malicious_confidence_70% (D)
Alibaba: Trojan:Win64/Injector.1f155dd8
K7GW: Trojan ( 005afddd1 )
K7AntiVirus: Trojan ( 005afddd1 )
Arcabit: Trojan.Generic.D231F0B8
Symantec: ML.Attribute.HighConfidence
Elastic: malicious (high confidence)
ESET-NOD32: a variant of Win64/Injector.OY
APEX: Malicious
Paloalto: generic.ml
Cynet: Malicious (score: 99)
BitDefender: Trojan.Generic.36827320
Emsisoft: Trojan.Generic.36827320 (B)
Zillya: Trojan.Havoc.Win64.220
McAfeeD: ti!B24E7C066B84
Sophos: Generic Reputation PUA (PUA)
FireEye: Generic.mg.229111fbcdda2ea5
Webroot: W32.Trojan.TR.Injector.yzifm
Avira: TR/Injector.yzifm
Antiy-AVL: Trojan[Injector]/Win64.Agent
Kingsoft: Win32.Troj.Unknown.a
Gridinsoft: Trojan.Win64.Downloader.sa
Microsoft: Trojan:Win32/Wacatac.B!ml
ViRobot: Trojan.Win.Z.Injector.1113120
GData: Win32.Packed.Injector.TBBDIJ
Google: Detected
AhnLab-V3: Trojan/Win.Generic.R633197
DeepInstinct: MALICIOUS
Malwarebytes: Malware.AI.2870320396
Ikarus: Trojan.Win64.Agent
Tencent: Malware.Win32.Gencirc.10c03549
huorong: HVM:Trojan/Injector.cp
Fortinet: W64/Injector.OY!tr
alibabacloud: Trojan:Win/Injector.ON