Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 8, 2025, noon	March 8, 2025, 12:04 p.m.

Size	348.5KB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`ce869420036665a228c86599361f0423`
SHA256	`eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd`
CRC32	`3D9AFEB6`
ssdeep	`6144:IPz8VYvGAYCJSDKsI2lbTZ4P+DGGilC+QooPCp1InDCCZx5Wt/ixduuZ8BEby209:YcYvu5WiBOPAil1Qok+G5W8xcuZYUQw`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) Network_Downloader - File Downloader

3158e964-6e73-4443-84f8-ddb304d57b87.exe "C:\Users\test22\AppData\Local\Temp\3158e964-6e73-4443-84f8-ddb304d57b87.exe"
872

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.168.28.10	Active	Moloch
91.240.118.49	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 91.240.118.49:443 -> 192.168.56.103:49166	2400011	ET DROP Spamhaus DROP Listed Traffic Inbound group 12	Misc Attack
TCP 192.168.56.103:49162 -> 104.168.28.10:80	2022550	ET MALWARE Possible Malicious Macro DL EXE Feb 2016	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 104.168.28.10:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 91.240.118.49:443 -> 192.168.56.103:49165	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 104.168.28.10:80 -> 192.168.56.103:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 104.168.28.10:80 -> 192.168.56.103:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 8, 2025, noon			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	"\x16 YR\x16
section	b.b bb
section	b\x08b\x00S

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://104.168.28.10/001.exe

Performs some HTTP requests (1 event)

request

GET http://104.168.28.10/001.exe

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\GuardFox\d80e7f8c-43af-449d-82b5-03e6fe6216a2.exe
file	C:\Users\test22\AppData\Local\Temp\GuardFox\071576b5-62b3-15bd-8b9d-019573fc18cc.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: sdclt.exe process_identifier: 1540	1	1
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: taskhost.exe process_identifier: 1884	1	1
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: SearchFilterHost.exe process_identifier: 1156	1	1
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792	1	1

An executable file was downloaded by the process 3158e964-6e73-4443-84f8-ddb304d57b87.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv March 8, 2025, noon	buffer: HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Sat, 08 Mar 2025 03:02:50 GMT Content-Type: application/octet-stream Content-Length: 3161088 Last-Modified: Thu, 12 Dec 2024 15:33:20 GMT Connection: keep-alive ETag: "675b0240-303c00" Accept-Ranges: bytes MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdÀZgð"´/ @ 0@à/ H.text³/ ´/ `.rsrcà/¶/@@HH F =0aE/G0P+@~$+<+A,~%~ ((~%~ ½(( +½(+½ +¼(O bÐ++(- +ö(+ñ0Ã888~& received: 1024 socket: 708	1	1024	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00041e00', u'virtual_address': u'0x0022b000', u'entropy': 7.926204540482002, u'name': u'b.b\nbb', u'virtual_size': u'0x00042000'}

entropy

7.92620454048

description

A section with a high entropy has been found

entropy

0.757183908046

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (16 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0
Process32NextW March 8, 2025, noon	snapshot_handle: 0x00000000000000b4 process_name: pw.exe process_identifier: 792		0	0

Communicates with host for which no DNS query was performed (2 events)

host	104.168.28.10
host	91.240.118.49

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.Common.B9C2C41F
Lionic	Trojan.Win32.Ekstak.4!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Ghanarava.17413528921f0423
Skyhigh	ACL/Trojan Generic.VYRH
ALYac	Trojan.GenericKD.75883304
Cylance	Unsafe
VIPRE	Trojan.GenericKD.75883304
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (D)
BitDefender	Trojan.GenericKD.75883304
K7GW	Trojan-Downloader ( 005c20c41 )
K7AntiVirus	Trojan-Downloader ( 005c20c41 )
Arcabit	Trojan.Generic.D485E328
VirIT	Trojan.Win32.GenusT.EPEJ
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/TrojanDownloader.Agent.BKH
Avast	Win64:MalwareX-gen [Trj]
ClamAV	Win.Malware.Zard-10034042-0
Kaspersky	Trojan.Win32.Ekstak.azpli
Alibaba	TrojanDownloader:Win32/Ekstak.5fc6a230
MicroWorld-eScan	Trojan.GenericKD.75883304
Rising	Trojan.Kryptik@AI.91 (RDML:/Bitoj3s8WSCxZBGsP51/Q)
Emsisoft	Trojan.GenericKD.75883304 (B)
F-Secure	Trojan.TR/Dldr.Agent.uwcxt
Zillya	Downloader.Agent.Win64.17830
McAfeeD	ti!EB04F77EB4F9
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.generic
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.ce869420036665a2
Google	Detected
Avira	TR/Dldr.Agent.uwcxt
Antiy-AVL	Trojan/MSIL.Inject
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Heur!.032122C3
Microsoft	Trojan:Win32/Wacatac.B!ml
ViRobot	Trojan.Win.Z.Agent.356894
GData	Trojan.GenericKD.75883304
Varist	W64/ABTrojan.LPSD-0056
AhnLab-V3	Trojan/Win.TrojanGeneric.C5731851
McAfee	ACL/Trojan Generic.VYRH
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4284886570
Ikarus	Trojan-Dropper.Win64.Agent
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0CBM25
Tencent	Malware.Win32.Gencirc.11d3a7df

3158e964-6e73-4443-84f8-ddb304d57b87

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All