Report - wnspxzq@_27899.exe

Tags: Emotet, PE File, PE32, PNG Format
Created 2021.05.24 09:18 Machine s1_win7_x6401
Filename wnspxzq@_27899.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score 8
Behavior Score 5.8
ZERO API (file) malware
VT API (file) 31 detected (Zusy, Artemis, Unsafe, Wacatac, Duote, Malicious, dGZlOgVvnaLNC0yWXw, Score, Delphi, Gen4, Tiggre, ai score=100, TScope, Delf, R002H0CEI21, confidence, 100%)
md5 9d24f3afa9e996bb1d87fbf12263c53f
sha256 379a4afe5d418429ba1bb2e484a0672137325262f55473d007e72ebe4879a036
ssdeep 24576:54J2QS/Mo6TVg2UldBeAGNI5blPIZgibbtSBTbfj2ZSUWSej/Qde:54wQSkhT5UPEMqtq72Z1erQde
imphash 0fd1ae9dc2ff93ef397166b3a1a3fa90
impfuzzy 12:VA/DzqYOZ9VJ4LGGxaZC3E7ZZSIAITQQLKxn:V0DBa9VJ9EoKEvSIArn

Signature (13cnts)

Level Description
danger File has been identified by 31 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
notice Allocates read-write-execute memory (usually to unpack itself)
notice Foreign language identified in PE resource
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
notice The binary likely contains encrypted or compressed data indicative of a packer
notice The executable is compressed using UPX
info The executable uses a known packer
info The file contains an unknown PE resource name possibly indicative of a packer

Rules (4cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)
info PNG_Format_Zero PNG Format binaries (download)

Network (9cnts)

Request CC ASN IP4 ZERO
http://api.xp666.com/setup_api.php?softid=27899 CN Hangzhou Alibaba Advertising Co.,Ltd. 203.107.36.186 clean
http://download.xp666.com/dtazq/getlist CN AS Number for CHINANET jiangsu province backbone 58.215.155.241 clean
http://download.xp666.com/dtazq/dtico.zip CN AS Number for CHINANET jiangsu province backbone 58.215.155.241 clean
http://download.xp666.com/dtazq/wb CN AS Number for CHINANET jiangsu province backbone 58.215.155.241 clean
http://download.xp666.com/dtazq/cof/cfg.7z CN AS Number for CHINANET jiangsu province backbone 58.215.155.241 clean
download.xp666.com CN AS Number for CHINANET jiangsu province backbone 58.215.155.241 malware
api.xp666.com CN Hangzhou Alibaba Advertising Co.,Ltd. 203.107.36.186 clean
58.215.155.240 CN AS Number for CHINANET jiangsu province backbone 58.215.155.240 clean
203.107.36.186 CN Hangzhou Alibaba Advertising Co.,Ltd. 203.107.36.186 clean

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.DLL
 0x863b54 LoadLibraryA
 0x863b58 GetProcAddress
 0x863b5c VirtualProtect
 0x863b60 VirtualAlloc
 0x863b64 VirtualFree
 0x863b68 ExitProcess
advapi32.dll
 0x863b70 RegFlushKey
comctl32.dll
 0x863b78 ImageList_Add
gdi32.dll
 0x863b80 Pie
gdiplus.dll
 0x863b88 GdipFree
msvcrt.dll
 0x863b90 _gcvt
netapi32.dll
 0x863b98 Netbios
ole32.dll
 0x863ba0 IsEqualGUID
oleaut32.dll
 0x863ba8 VariantCopy
shell32.dll
 0x863bb0 ShellExecuteW
shlwapi.dll
 0x863bb8 PathCombineW
URLMON.DLL
 0x863bc0 URLDownloadToFileW
user32.dll
 0x863bc8 GetDC
version.dll
 0x863bd0 VerQueryValueW
wininet.dll
 0x863bd8 InternetOpenA
wsock32.dll
 0x863be0 send

EAT (Export Address Table): none

Similarity measure (PE file only)