Summary | ZeroBOX

new.exe

Tags: Generic Malware, Malicious Library, UPX, PE64, PE File, OS Processor Check

Category: FILE
Machine: s1_win7_x6401
Started: April 3, 2025, 9:37 a.m.
Completed: April 3, 2025, 9:50 a.m.

Size: 1016.5KB
Type: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 325000275f677b4b4d1911e89cdebe46
SHA256: 84c388a291361ba03995777e606edeb94f50933cfe1a4eb4507b1bb75e494794
CRC32: C3C5F397
ssdeep: 24576:SrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaG6:S2EYTb8atv1orq+pEiSDTj1VyvBaG
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • IsPE64 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

IP Address | Status | Action
104.16.230.132 | Active | Moloch
164.124.101.2 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 | 2034552 | ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com) | Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 104.16.230.132:443 | 2058175 | ET HUNTING TryCloudFlare Domain in TLS SNI | Misc activity
TCP 192.168.56.101:49162 -> 104.16.230.132:443 | 2060250 | ET INFO Observed trycloudflare .com Domain in TLS SNI | Misc activity
TCP 192.168.56.101:49162 -> 104.16.230.132:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.101:49162 -> 104.16.230.132:443 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94

Time & API | Arguments | Status | Return | Repeated

IsDebuggerPresent
  Arguments: (none)
  Status / Return / Repeated: 0 0

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Request: GET https://dat-voip-sit-cio.trycloudflare.com/a.zip

NtProtectVirtualMemory
  Arguments:
    process_identifier: 2560
    stack_dep_bypass: 0
    stack_pivoted: 0
    heap_dep_bypass: 0
    length: 4096
    protection: 64 (PAGE_EXECUTE_READWRITE)
    base_address: 0x000000007304c000
    process_handle: 0xffffffffffffffff
  Status / Return / Repeated: 1 0 0
Antivirus | Result
Lionic | Trojan.Win32.Agent.Y!c
MicroWorld-eScan | Trojan.GenericKD.76150081
CAT-QuickHeal | Trojan.Agent
ALYac | Trojan.GenericKD.76150081
Cylance | Unsafe
VIPRE | Trojan.GenericKD.76150081
Sangfor | Trojan.Win32.Agent.Voop
CrowdStrike | win/malicious_confidence_90% (W)
BitDefender | Trojan.GenericKD.76150081
K7GW | Trojan ( 005c4b3b1 )
K7AntiVirus | Trojan ( 005c4b3b1 )
Arcabit | Trojan.Generic.D489F541
Symantec | Trojan Horse
ESET-NOD32 | a variant of Generik.ICQUVOS
Avast | Win64:Malware-gen
Kaspersky | Trojan.Win32.Agent.xbxkrz
Emsisoft | Trojan.GenericKD.76150081 (B)
CTX | exe.trojan.generic
Sophos | Mal/Generic-S
FireEye | Generic.mg.325000275f677b4b
Google | Detected
Antiy-AVL | Trojan/Win32.Agent
ViRobot | Trojan.Win.Z.Agent.1040896.N
GData | Trojan.GenericKD.76150081
Varist | W64/ABTrojan.YIBZ-2591
McAfee | Artemis!325000275F67
DeepInstinct | MALICIOUS
VBA32 | Trojan.Agent
Malwarebytes | Generic.Malware/Suspicious
Ikarus | Trojan.SuspectCRC
Panda | Trj/Chgt.AD
MaxSecure | Trojan.Malware.8426628.susgen
Fortinet | W32/PossibleThreat
AVG | Win64:Malware-gen
Paloalto | generic.ml
alibabacloud | Trojan:Win/Wacatac.B9nj