Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 17, 2021, 12:35 p.m.	March 17, 2021, 12:35 p.m.

Size	1.1MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`6fa14b3b1c54a26f0b9bbcd2f6b45899`
SHA256	`601cdbddfe6ac894daff506167c164c65446f893d1d5e4b95e92d960ff5f52b0`
CRC32	`DA2AB092`
ssdeep	`24576:cy2Xx8ZbQ63aRtpjmi9CBBjP0rQw/6zSYUZrpdSdwwDtrmqb:cy2gbQ63Kj1CBSrQwZ1pdSdvDtrmK`
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero network_tcp_listen - Listen for incoming communication network_tcp_socket - Communications over RAW socket network_dns - Communications use DNS screenshot - Take screenshot win_mutex - Create or check mutex win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration IsPE64 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check

putty.exe "C:\Users\test22\AppData\Local\Temp\putty.exe"
1016

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 17, 2021, 12:28 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 17, 2021, 12:28 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.00cfg
section	.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 17, 2021, 12:28 p.m.	process_identifier: 1016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1	0	0

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

APEX

Malicious

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0004b200', u'virtual_address': u'0x000da000', u'entropy': 7.827676788580819, u'name': u'.rsrc', u'virtual_size': u'0x0004b030'}

entropy

7.82767678858

description

A section with a high entropy has been found

entropy

0.264757709251

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://www.chiark.greenend.org.uk/

Yara rule detected in process memory (43 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

putty.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All