Summary | ZeroBOX

Build104.exe

Tags: Generic Malware, Malicious Library, UPX, PE File, OS Processor Check, PE32

Category: FILE
Machine: s1_win7_x6403_us
Started: March 24, 2025, 9:47 a.m.
Completed: March 24, 2025, 9:51 a.m.
Size: 494.5KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: d93c9f26b0d69dd22cdbc76e3cfea0e5
SHA256: e57f307bee3c0b72d9f62f09567ed298041171828fa2993bff97cd1a5780b488
CRC32: 26F9483D
ssdeep: 12288:Q5p1UZ32H10rH5ZVZEsh8ZskmY5a4JNXuOwhDx/K:Q5pOZGHOrH5RLG64JNXQ1h
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

IP Address Status Action
104.16.249.249 Active Moloch
104.21.52.60 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow: TCP 104.16.249.249:443 -> 192.168.56.103:49162
SID: 2027671
Signature: ET INFO Cloudflare DNS Over HTTPS Certificate Inbound
Category: Misc activity

Suricata TLS

Flow: TLS 1.2, 192.168.56.103:49168 -> 104.21.52.60:443
Issuer: C=US, O=Google Trust Services, CN=WE1
Subject: CN=italiyspain.info
Fingerprint: e1:dd:41:4a:b4:ea:00:d8:40:59:c9:6a:42:67:16:b8:62:43:d1:1c

Flow: TLS 1.2, 192.168.56.103:49166 -> 104.21.52.60:443
Issuer: C=US, O=Google Trust Services, CN=WE1
Subject: CN=italiyspain.info
Fingerprint: e1:dd:41:4a:b4:ea:00:d8:40:59:c9:6a:42:67:16:b8:62:43:d1:1c

Flow: TLS 1.2, 192.168.56.103:49163 -> 104.21.52.60:443
Issuer: C=US, O=Google Trust Services, CN=WE1
Subject: CN=italiyspain.info
Fingerprint: e1:dd:41:4a:b4:ea:00:d8:40:59:c9:6a:42:67:16:b8:62:43:d1:1c

Flow: TLS 1.2, 192.168.56.103:49164 -> 104.21.52.60:443
Issuer: C=US, O=Google Trust Services, CN=WE1
Subject: CN=italiyspain.info
Fingerprint: e1:dd:41:4a:b4:ea:00:d8:40:59:c9:6a:42:67:16:b8:62:43:d1:1c

Flow: TLS 1.2, 192.168.56.103:49162 -> 104.16.249.249:443
Issuer: C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com
Fingerprint: 3b:a7:e9:f8:06:eb:30:d2:f4:e3:f9:05:e5:3f:07:e9:ac:f0:8e:1e

Flow: TLS 1.2, 192.168.56.103:49167 -> 104.21.52.60:443
Issuer: C=US, O=Google Trust Services, CN=WE1
Subject: CN=italiyspain.info
Fingerprint: e1:dd:41:4a:b4:ea:00:d8:40:59:c9:6a:42:67:16:b8:62:43:d1:1c

Flow: TLS 1.2, 192.168.56.103:49171 -> 104.21.52.60:443
Issuer: C=US, O=Google Trust Services, CN=WE1
Subject: CN=italiyspain.info
Fingerprint: e1:dd:41:4a:b4:ea:00:d8:40:59:c9:6a:42:67:16:b8:62:43:d1:1c

Flow: TLS 1.2, 192.168.56.103:49170 -> 104.21.52.60:443
Issuer: C=US, O=Google Trust Services, CN=WE1
Subject: CN=italiyspain.info
Fingerprint: e1:dd:41:4a:b4:ea:00:d8:40:59:c9:6a:42:67:16:b8:62:43:d1:1c

Flow: TLS 1.2, 192.168.56.103:49169 -> 104.21.52.60:443
Issuer: C=US, O=Google Trust Services, CN=WE1
Subject: CN=italiyspain.info
Fingerprint: e1:dd:41:4a:b4:ea:00:d8:40:59:c9:6a:42:67:16:b8:62:43:d1:1c

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f60000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x778e6000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

NtProtectVirtualMemory

process_identifier: 940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4128768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f70000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

Engine Detection

Bkav W32.Common.38915DF0
Lionic Trojan.Win32.Strab.4!c
Cynet Malicious (score: 99)
CAT-QuickHeal Trojan.Strab
Skyhigh BehavesLike.Win32.Dropper.gh
ALYac Gen:Variant.Zusy.584382
Cylance Unsafe
VIPRE Gen:Variant.Zusy.584382
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Gen:Variant.Zusy.584382
K7GW Trojan ( 005c28581 )
K7AntiVirus Trojan ( 005c28581 )
Arcabit Trojan.Zusy.D8EABE
VirIT Trojan.Win32.GenusT.EPRR
Symantec Trojan Horse
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ETWC
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan.Win32.Strab.gen
Alibaba Trojan:Win32/Strab.37b80dc7
NANO-Antivirus Trojan.Win32.Strab.kvzmay
MicroWorld-eScan Gen:Variant.Zusy.584382
Rising Trojan.Strab!8.12D03 (TFE:5:0XapLWekQUP)
Emsisoft Gen:Variant.Zusy.584382 (B)
F-Secure Trojan.TR/Kryptik.muijy
DrWeb Trojan.Siggen30.63757
Zillya Trojan.GenKryptik.Win32.1084625
TrendMicro Trojan.Win32.AMADEY.YXFCSZ
McAfeeD ti!E57F307BEE3C
CTX exe.trojan.strab
Sophos Mal/Generic-S
FireEye Gen:Variant.Zusy.584382
Webroot Win.Malware.Gen
Google Detected
Avira TR/Kryptik.muijy
Antiy-AVL GrayWare/Win32.Wacapew
Gridinsoft Ransom.Win32.Sabsik.sa
Microsoft Trojan:Win32/Multiverze!rfn
GData Gen:Variant.Zusy.584382
Varist W32/ABTrojan.QBXQ-2920
AhnLab-V3 Trojan/Win.Generic.R697000
McAfee Artemis!D93C9F26B0D6
DeepInstinct MALICIOUS
VBA32 BScope.TrojanPSW.Rhadamanthys
Ikarus Trojan.Win32.Krypt
Panda Trj/Chgt.AD
TrendMicro-HouseCall Trojan.Win32.AMADEY.YXFCSZ
Tencent Malware.Win32.Gencirc.10c2e6f9
huorong Trojan/Agent.cdi