Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 11, 2024, 9:38 a.m.	Nov. 11, 2024, 9:42 a.m.

Size	3.6MB
Type	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`c808d2ed8bb6b2e3c06c907a01b73d06`
SHA256	`47d121087c05568fe90a25ef921f9e35d40bc6bec969e33e75337fc9b580f0e8`
CRC32	`A7391B52`
ssdeep	`98304:WZAsErGdEvDnybZ9m4LnHxY0pl+WKl/J4M/on7vm:BPQonug4LHLG2won7+`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

Responder.exe "C:\Users\test22\AppData\Local\Temp\Responder.exe"
2556
- Responder.exe "C:\Users\test22\AppData\Local\Temp\Responder.exe"
  2628

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleA Nov. 11, 2024, 9:38 a.m.	buffer: NBT-NS, LLMNR & MDNS Windows Responder 2.3.3.0 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 11, 2024, 9:38 a.m.	buffer: Author: Laurent Gaffie (laurent.gaffie@gmail.com) console_handle: 0x00000007	1	1
WriteConsoleA Nov. 11, 2024, 9:38 a.m.	buffer: To kill this script hit CRTL-C console_handle: 0x00000007	1	1
WriteConsoleA Nov. 11, 2024, 9:38 a.m.	buffer: -i mandatory option is missing console_handle: 0x00000007	1	1
WriteConsoleA Nov. 11, 2024, 9:38 a.m.	buffer: U console_handle: 0x00000007	1	1
WriteConsoleA Nov. 11, 2024, 9:38 a.m.	buffer: sage: python C:\Users\test22\AppData\Local\Temp\Responder.exe -I eth0 -w -r -f or: python C:\Users\test22\AppData\Local\Temp\Responder.exe -I eth0 -wrf Options: --version show program's version number and exit -h, --help show this help message and exit -A, --analyze Analyze mode. This option allows you to see NBT-NS, BROWSER, LLMNR requests without responding. -i 10.0.0.21, --ip=10.0.0.21 Local IP to use [1m[31m(only for OSX)[0m -e 10.0.0.22, --externalip=10.0.0.22 Poison all requests with another IP address than Responder's one. -b, --basic Return a Basic HTTP authentication. Default: NTLM -r, --wredir Enable answers for netbios wredir suffix queries. Answering to wredir will likely break stuff on the network. Default: False -d, --NBTNSdomain Enable answers for netbios domain suffix queries. Answering to domain suffixes will likely break stuff on the network. Default: False -f, --fingerprint This option allows you to fingerprint a host that issued an NBT-NS or LLMNR query. -w, --wpad Start the WPAD rogue proxy server. Default value is False -u UPSTREAM_PROXY, --upstream-proxy=UPSTREAM_PROXY Upstream HTTP proxy used by the rogue WPAD Proxy for outgoing requests (format: host:port) -F, --ForceWpadAuth Force NTLM/Basic authentication on wpad.dat file retrieval. This may cause a login prompt. Default: False -P, --ProxyAuth Force NTLM (transparently)/Basic (prompt) authentication for the proxy. WPAD doesn't need to be ON. This option is highly effective when combined with -r. Default: False --lm Force LM hashing downgrade for Windows XP/2003 and earlier. Default: False -v, --verbose Increase verbosity. console_handle: 0x00000007	1	1
WriteConsoleA Nov. 11, 2024, 9:38 a.m.	buffer: Traceback (most recent call last): console_handle: 0x0000000b	1	1
WriteConsoleA Nov. 11, 2024, 9:38 a.m.	buffer: File "Responder.py", line 50, in <module> console_handle: 0x0000000b	1	1
WriteConsoleA Nov. 11, 2024, 9:38 a.m.	buffer: NameError console_handle: 0x0000000b	1	1
WriteConsoleA Nov. 11, 2024, 9:38 a.m.	buffer: n console_handle: 0x0000000b	1	1
WriteConsoleA Nov. 11, 2024, 9:38 a.m.	buffer: ame 'exit' is not defined console_handle: 0x0000000b	1	1
WriteConsoleA Nov. 11, 2024, 9:38 a.m.	buffer: Failed to execute script Responder console_handle: 0x0000000b	1	1

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI25562\msvcm90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\msvcr90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\msvcp90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\python27.dll

Drops an executable to the user AppData folder (12 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI25562\python27.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\msvcr90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\_socket.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\unicodedata.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\msvcm90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\bz2.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\msvcp90.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\select.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\_ssl.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\_hashlib.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI25562\_sqlite3.pyd

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00005000', u'virtual_address': u'0x0000c000', u'entropy': 6.9941263066541755, u'name': u'.rdata', u'virtual_size': u'0x00004f08'}

entropy

6.99412630665

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0000ec00', u'virtual_address': u'0x00021000', u'entropy': 7.297059405170558, u'name': u'.rsrc', u'virtual_size': u'0x0000ea34'}

entropy

7.29705940517

description

A section with a high entropy has been found

entropy

0.644897959184

description

Overall entropy of this PE file is high

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Lionic	Hacktool.Win32.Responder.3!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.GenericPMF.S3018656
Skyhigh	HTool-Responder
ALYac	Generic.Responder.Marte.A.695BA250
Cylance	Unsafe
VIPRE	Generic.Responder.Marte.A.695BA250
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Generic.Responder.Marte.A.695BA250
Arcabit	Generic.Responder.Marte.A.695BA250
Symantec	Trojan Horse
ESET-NOD32	Python/HackTool.Responder.B
APEX	Malicious
ClamAV	Win.Trojan.Responder-6904753-0
Kaspersky	HackTool.Win32.Responder.a
Alibaba	HackTool:Win32/Responder.69c4f45c
MicroWorld-eScan	Generic.Responder.Marte.A.695BA250
Emsisoft	Generic.Responder.Marte.A.695BA250 (B)
F-Secure	PrivacyRisk.SPR/Responder.A
DrWeb	Tool.Responder.1
Zillya	Tool.Responder.Win32.7
McAfeeD	ti!47D121087C05
CTX	exe.trojan.responder
Sophos	ATK/Responder-D
FireEye	Generic.Responder.Marte.A.695BA250
Jiangmin	Trojan.Agent.atph
Google	Detected
Avira	SPR/Responder.A
Antiy-AVL	Trojan[APT]/Win32.APT40
Kingsoft	Win32.HackTool.Responder.a
Microsoft	PUA:Win32/Presenoker
ViRobot	Trojan.Win32.Z.Agent.3755115
ZoneAlarm	HackTool.Win32.Responder.a
GData	Generic.Responder.Marte.A.695BA250
Varist	W32/S-1c56a407!Eldorado
AhnLab-V3	HackTool/Win.Responder.C5403062
McAfee	HTool-Responder
DeepInstinct	MALICIOUS
VBA32	Trojan.Downloader
Malwarebytes	Neshta.Virus.FileInfector.DDS
Panda	Trj/CI.A
Tencent	Win32.Hacktool.Responder.Bnhl
Fortinet	Riskware/Responder
Paloalto	generic.ml

Responder.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All