Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 27, 2025, 9:36 a.m.	March 27, 2025, 9:38 a.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e6bd18c05b4c856a0465f5c539b5873f`
SHA256	`c8355eb495a616f39fabfd22ae778ac3b111ccc271914a423087920c6f25c034`
CRC32	`C4698B83`
ssdeep	`24576:oTvqQGUu/OBrPScMD54umx43TKg4OCS3mTpvB2HyFZbLX46RJn/dCW:ok+h2e83TKg46oUaZbLjX`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library mzp_file_format - MZP(Delphi) file format IsPE32 - (no description) UPX_Zero - UPX packed file

cmd.exe cmd /c ""C:\\Users\\All Users\\3724.cmd""
2404
- esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
  2536
cmd.exe cmd /c ""C:\\Users\\All Users\\37850.cmd""
2440
- PING.EXE ping 127.0.0.1 -n 10
  2528
colorcpl.exe C:\Windows\System32\colorcpl.exe
2728

Name	Response	Post-Analysis Lookup
bb990a9a6fafe.duckdns.org	A 146.70.83.186	146.70.83.186

IP Address	Status	Action
103.186.117.225	Active	Moloch
146.70.83.186	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2033959	ET HUNTING DNS Lookup for 8+ hexadecimal only duckdns domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2033959	ET HUNTING DNS Lookup for 8+ hexadecimal only duckdns domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2033959	ET HUNTING DNS Lookup for 8+ hexadecimal only duckdns domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2033959	ET HUNTING DNS Lookup for 8+ hexadecimal only duckdns domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2033959	ET HUNTING DNS Lookup for 8+ hexadecimal only duckdns domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 27, 2025, 9:36 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW March 27, 2025, 9:36 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleA March 27, 2025, 9:36 a.m.	buffer: FAILURE: GetOverlappedResult (read) returned wrong number of bytes: The operation completed successfully. console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 27, 2025, 9:36 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

Connects to a Dynamic DNS Domain (1 event)

domain

bb990a9a6fafe.duckdns.org

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 27, 2025, 9:37 a.m.	process_identifier: 2728 region_size: 528384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496	0
NtAllocateVirtualMemory March 27, 2025, 9:37 a.m.	process_identifier: 2728 region_size: 528384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

colorcpl.exe tried to sleep 255 seconds, actually delayed analysis time by 255 seconds

Creates a suspicious process (1 event)

cmdline

C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o

Drops a binary and executes it (1 event)

file	C:\Users\Public\alpha.pif

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0011d200', u'virtual_address': u'0x00087000', u'entropy': 7.7584559501458195, u'name': u'.rsrc', u'virtual_size': u'0x0011d200'}

entropy

7.75845595015

description

A section with a high entropy has been found

entropy

0.691212121212

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping 127.0.0.1 -n 10

Communicates with host for which no DNS query was performed (1 event)

host

103.186.117.225

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA March 27, 2025, 9:37 a.m.	thread_identifier: 0 callback_function: 0x00b99d0a hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00b90000		0	0

Generates some ICMP traffic

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Skyhigh	BehavesLike.Win32.Generic.tc
Cylance	Unsafe
VIPRE	Gen:Variant.Tedy.748381
CrowdStrike	win/malicious_confidence_70% (D)
BitDefender	Gen:Variant.Tedy.748381
Arcabit	Trojan.Tedy.DB6B5D
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	Win32/TrojanDownloader.ModiLoader.AHM
APEX	Malicious
ClamAV	Win.Trojan.Modiloader-10042434-0
Kaspersky	UDS:DangerousObject.Multi.Generic
MicroWorld-eScan	Gen:Variant.Tedy.748381
Rising	Downloader.Agent!1.EFE4 (CLASSIC)
Emsisoft	Gen:Variant.Tedy.748381 (B)
CTX	exe.unknown.tedy
SentinelOne	Static AI - Suspicious PE
FireEye	Gen:Variant.Tedy.748381
Google	Detected
Kingsoft	malware.kb.a.953
Microsoft	Program:Win32/Wacapew.C!ml
GData	Gen:Variant.Tedy.748381
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9V
Tencent	OB:Trojan-DL.Win32.Modiloader.16001687
huorong	TrojanDownloader/ModiLoader.a
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/ModiLoader.ABE!tr

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (5 events)

dead_host	146.70.83.186:6666
dead_host	192.168.56.103:49176
dead_host	103.186.117.225:6666
dead_host	192.168.56.103:49173
dead_host	103.186.117.225:9916

loader.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All