Report - ZeroBOX

ScreenShot


Created	2021.05.02 18:27	Machine	s1_win7_x6402
Filename	ls.txt
Type	ASCII text
AI Score	Not founds	Behavior Score	8.4
ZERO API	file : mailcious
VT API (file)	1 detected (gen221)
md5	af14952111df8accaad09dfaaae03ae6
sha256	2cef710ffbfe236e8fa4e468e4ce8ff83a8958c0b020cc9a06268b03d4474990
ssdeep	96:FF8nYbF8IYbqbYbZbX4bYbZbGbYbZb2bYbZb5ba/LxbYbZb/:FIqFqAqBXKqBsqBcqB5bEL5qB/
imphash
impfuzzy

Network IP location

Level	Description
watch	Attempts to identify installed AV products by installation directory
watch	Communicates with host for which no DNS query was performed
watch	Creates a suspicious Powershell process
watch	Deletes executed files from disk
watch	Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe
watch	One or more non-whitelisted processes were created
watch	The process powershell.exe wrote an executable file to disk
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates a shortcut to an executable file
notice	Creates a suspicious process
notice	File has been identified by one AntiVirus engine on VirusTotal as malicious
notice	Poweshell is sending data to a remote host
notice	URL downloaded by powershell script
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Command line console output was observed
info	Queries for the computername
info	Uses Windows APIs to generate a cryptographic key

Level	Name	Description	Collection
watch	Antivirus	Contains references to security software	binaries (download)
watch	Antivirus	Contains references to security software	binaries (upload)

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
nyc002.hawkhost.com whois		SINGLEHOP-LLC	172.96.186.134		malware
172.96.186.134 whois		SINGLEHOP-LLC	172.96.186.134		malware

Report - ls.txt