Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.05.04 13:50	Machine	s1_win7_x6401
Filename	46.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	10	Behavior Score	12.4
ZERO API	file : malware
VT API (file)	38 detected (malicious, high confidence, Mint, Zard, Unsafe, Attribute, HighConfidence, Phorpiex, CoinminerX, EQE@80vxxy, Static AI, Malicious PE, XPACK, ai score=89, Caynamer, score, Dlder, BScope, dGZlOgUN9lLDNPuMzg, Outbreak, ZexaF, auW@a0A3T4li, confidence, 100%)
md5	0a6569e45a3a38f7168f4c4aa0594627
sha256	ad74f606e358fb7f6db9a5652d0a60310d069ac108934a72d0352e5fa9248b38
ssdeep	96:L1YtYF8d/XFvRxR2xs9it95PtboynunSzCt4:L12jWbr5P1oynWSq
imphash	3cdafced2b335e7dc14e96cb2f655c00
impfuzzy	12:I4sQGX5u4Gy+GXRzGy5hwBc7bwYLIS73ORB9OdCmEsy2ugW:cX50y+GdgBc6S73Ov9OS/2jW

Network IP location

Signature (21cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger	Disables Windows Security features
danger	File has been identified by 38 AntiVirus engines on VirusTotal as malicious
warning	Generates some ICMP traffic
watch	Attempts to remove evidence of file being downloaded from the Internet
watch	Communicates with host for which no DNS query was performed
watch	Connects to an IRC server
watch	Installs itself for autorun at Windows startup
watch	Modifies security center warnings
watch	Network activity contains more than one unique useragent
watch	Network communications indicative of possible code injection originated from the process lsass.exe
watch	Operates on local firewall's policies and settings
notice	A process attempted to delay the analysis task.
notice	An executable file was downloaded by the process 46.exe
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Creates executable files on the filesystem
notice	Drops an executable to the user AppData folder
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
info	The executable uses a known packer
info	This executable has a PDB path

Rules (6cnts)

Level	Name	Description	Collection
danger	Win_Worm_Phorpiex	a worm which spreads via removable drives and network drives.	binaries (download)
danger	Win_Worm_Phorpiex	a worm which spreads via removable drives and network drives.	binaries (upload)
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (18cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://api.wipmania.com/ whois	Online S.a.s.	212.83.168.196		clean
http://149.56.45.200:9030/tor/server/fp/005079a42356183cea5a3add239303f44f12e7ea+00c22d3bc1822eb8ea380af04245337399e796e2+00dcaeae3e54c32809e7f7cc4bf2a6fc68fc552f+00eb3a12c77e70f19f66a7bbd094d62969af350d+01384a5d9c6d34352701bf86d04e5f406cb256ae+01e19a812a whois	OVH SAS	149.56.45.200		mailcious
http://185.215.113.93/pepwn.exe whois		185.215.113.93	1282	malware
http://185.215.113.93/cc11 whois		185.215.113.93	1276	mailcious
http://86.59.21.38/tor/status-vote/current/consensus.z whois	Hutchison Drei Austria GmbH	86.59.21.38	1278	mailcious
http://131.188.40.189:443/tor/server/fp/00dcaeae3e54c32809e7f7cc4bf2a6fc68fc552f+022a5535f42b1a9f9aa755c4eab5f36fef9781d8+023ebbc57beb7f45473b3dc2aa811fb3aaba4466+037bcd0ebdf7db9f3d562da27d463f0f78f1494b+03910f285a33f365838ec66ef2c2ef754d046760+03c3069e81 whois	Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.	131.188.40.189	1280	mailcious
api.wipmania.com whois	Online S.a.s.	212.83.168.196		clean
212.83.168.196 whois	Online S.a.s.	212.83.168.196		clean
95.217.42.50 whois	Hetzner Online GmbH	95.217.42.50		clean
45.66.156.176 whois	ENZUINC	45.66.156.176		clean
51.195.253.209 whois	OVH SAS	51.195.253.209		clean
141.255.162.34 whois	Private Layer INC	141.255.162.34		clean
83.212.103.129 whois	National Infrastructures for Research and Technology S.A.	83.212.103.129		clean
185.215.113.93 whois		185.215.113.93		malware
131.188.40.189 whois	Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.	131.188.40.189		mailcious
86.59.21.38 whois	Hutchison Drei Austria GmbH	86.59.21.38		mailcious
5.196.71.24 whois	OVH SAS	5.196.71.24		clean
149.56.45.200 whois	OVH SAS	149.56.45.200		mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

SHLWAPI.dll
0x402084 PathFileExistsW
MSVCRT.dll
0x402038 __p__fmode
0x40203c __set_app_type
0x402040 __p__commode
0x402044 _controlfp
0x402048 _adjust_fdiv
0x40204c __setusermatherr
0x402050 _initterm
0x402054 __getmainargs
0x402058 _acmdln
0x40205c exit
0x402060 _XcptFilter
0x402064 _exit
0x402068 srand
0x40206c rand
0x402070 memset
0x402074 _except_handler3
WININET.dll
0x402094 InternetOpenW
0x402098 InternetOpenUrlW
0x40209c InternetCloseHandle
0x4020a0 InternetReadFile
urlmon.dll
0x4020a8 URLDownloadToFileW
KERNEL32.dll
0x402000 CopyFileA
0x402004 GetTickCount
0x402008 CloseHandle
0x40200c DeleteFileW
0x402010 CreateProcessW
0x402014 Sleep
0x402018 CopyFileW
0x40201c DeleteFileA
0x402020 GetModuleHandleA
0x402024 GetStartupInfoA
0x402028 CreateFileW
0x40202c ExpandEnvironmentStringsW
0x402030 WriteFile
USER32.dll
0x40208c wsprintfW
SHELL32.dll
0x40207c ShellExecuteW

EAT(Export Address Table) is none

Report - 46.exe

Signature (21cnts)

Rules (6cnts)

Network (18cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure