Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.06.24 19:01	Machine	s1_win7_x6402
Filename	downfile.asp
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	6	Behavior Score	5.0
ZERO API	file : clean
VT API (file)	33 detected (AIDetect, malware1, malicious, high confidence, Johnnie, Wacapew, Redcap, Attribute, HighConfidence, score, DownLoader28, Unsafe, mobvb, ai score=83, R002H09FJ21, susgen, PossibleThreat)
md5	95c9114f4850e45b212d0e053103961e
sha256	f75fac925ae13030aae524f97961cd2ca3122c1d4ae2a8d9f3272663359b3b4a
ssdeep	192:/TOYWCVzXOxBpTLTRXHlASw0y/BCmhkqwZAHVA1cYHmz8htoMyysE3WCVzXOxB:/TO6+BTKL0WCmSd1cioMb7+B
imphash	ad117fe5e7c2db0809a4efb73b63e0ab
impfuzzy	24:n9wwzbYwgOfVy8xRN8M3il5rErxgYblShT/ESFNm5s4zTwG5XgDSd+HTSw8:nqwzbYwgCRxRN8M3I5rErxgYbghTlFNk

Network IP location

Signature (11cnts)

Level	Description
danger	File has been identified by 33 AntiVirus engines on VirusTotal as malicious
watch	Communicates with host for which no DNS query was performed
watch	Disables proxy possibly for traffic interception
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Creates executable files on the filesystem
notice	Foreign language identified in PE resource
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
info	Checks amount of memory in system
info	One or more processes crashed

Rules (4cnts)

Level	Name	Description	Collection
info	IsPE32	(no description)	binaries (upload)
info	JPEG_Format_Zero	JPEG Format	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)
info	PNG_Format_Zero	PNG Format	binaries (download)

Network (96cnts) ?

Request	ASN Co	IP4	ZERO ?
http://ip.ws.126.net/ipquery whois	Guangzhou NetEase Computer System Co., Ltd.	59.111.181.52	clean
http://www.ysbaojia.com:88/web/images/xiaomishu/00.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/main0.jpg whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/Toolbar/wx.jpg whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/fangweibiao.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/api/common.asp?act=in_client&w=1024&h=768&c=32 whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/JavaScript/leftitems.js?+Math.random() whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/Toolbar/menu_bg_over_bg.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/baozhuanghe.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/JavaScript/zDialog.js whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/logo/suliaodai.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/logo/caihe.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/mingpian.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/shuomingshu.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/JavaScript/myJSFrame.js whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/JavaScript/ad_right1.js whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/handle.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/api/main.asp?pid=7616&Unid=&comefrom=10&vvv=5.9&SysCode=Web whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/Toolbar/menu_bg_over_left.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/pbdanzhang.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/api/news.asp?pid=7616&comefrom=10&provs=?? whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/zhibei.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/Toolbar/menu_bg_over_right.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/logo/danzhang.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/diaopai.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/caihe.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/JavaScript/Toolbar.js whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/Toolbar/foot_bg.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/logo/huache.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/tabs-list.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/zbdanzhang.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/api/getBoom.asp?t=2&pid=7616 whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/logo/buganjiao.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/css/mainx1.css whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/JavaScript/checklogin.js whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/zbhuace.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/wufangbudai.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/tab-strip-bg.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/Toolbar/utilities.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/left-2.html whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/fengtao.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/JavaScript/index.js whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/tabs-sprite.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/logo/bzbg.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/guali.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/penhui.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/logo/shouwandai.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/main1.jpg whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/favDrop.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/pbhuace.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/zbbuganjiao.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/xiaomishu.html?pid=7616 whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/e-handle.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/logo/design.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/yinshuasheji.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/ysf.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/JavaScript/lang.js whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/panel-title-light-bg.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/css/Pitem.css whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/JavaScript/ad_right.js whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/tiaofu.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/api/login.asp?al=1&SysCode=Web whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/JavaScript/mainIndex.js?+Math.random() whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/pvc.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/pbbuganjiao.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/left_close.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/shumakuaiyin.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/zhijia.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/logo/zhijia.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/zbbaozhuanghe.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/wutanliandan.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/Toolbar/app.jpg whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/main2.jpg whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/moqieyingka.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/zbxinfeng.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/tab-close.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/JavaScript/main.js?+Math.random() whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/logo/diaopai.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/zbbianqian.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/Toolbar/menu_bg.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/JavaScript/public.js?+Math.random() whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/logo/xinfeng.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/favMan.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/taili.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/JavaScript/initcity.v2.js whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/JavaScript/langSub.js whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/items/main.html whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/css/help.css whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/css/chromestyle.css whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/shouwandai.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/jingzhuanghe.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
http://www.ysbaojia.com:88/web/images/ilist/pbbianqian.gif whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
ip.ws.126.net whois	Guangzhou NetEase Computer System Co., Ltd.	59.111.181.52	clean
www.ysbaojia.com whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean
59.111.181.52 whois	Guangzhou NetEase Computer System Co., Ltd.	59.111.181.52	clean
120.77.146.229 whois	Hangzhou Alibaba Advertising Co.,Ltd.	120.77.146.229	clean

Suricata ids

PE API

IAT(Import Address Table) Library

MSVBVM60.DLL
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 __vbaFreeVar
0x40100c __vbaLateIdCall
0x401010 __vbaFreeVarList
0x401014 _adj_fdiv_m64
0x401018 _adj_fprem1
0x40101c __vbaHresultCheckObj
0x401020 _adj_fdiv_m32
0x401024 __vbaAryDestruct
0x401028 __vbaLateMemSt
0x40102c __vbaForEachCollObj
0x401030 __vbaOnError
0x401034 __vbaObjSet
0x401038 _adj_fdiv_m16i
0x40103c _adj_fdivr_m16i
0x401040 _CIsin
0x401044 __vbaNextEachCollObj
0x401048 None
0x40104c __vbaChkstk
0x401050 __vbaCyVar
0x401054 EVENT_SINK_AddRef
0x401058 __vbaGenerateBoundsError
0x40105c __vbaAryConstruct2
0x401060 __vbaVarLateMemSt
0x401064 _adj_fpatan
0x401068 __vbaLateIdCallLd
0x40106c __vbaR8Cy
0x401070 EVENT_SINK_Release
0x401074 _CIsqrt
0x401078 EVENT_SINK_QueryInterface
0x40107c __vbaExceptHandler
0x401080 _adj_fprem
0x401084 _adj_fdivr_m64
0x401088 __vbaFPException
0x40108c __vbaInStrVar
0x401090 __vbaVarCat
0x401094 _CIlog
0x401098 __vbaErrorOverflow
0x40109c __vbaNew2
0x4010a0 _adj_fdiv_m32i
0x4010a4 _adj_fdivr_m32i
0x4010a8 _adj_fdivr_m32
0x4010ac __vbaR8Var
0x4010b0 _adj_fdiv_r
0x4010b4 None
0x4010b8 __vbaI4Var
0x4010bc __vbaLateMemCall
0x4010c0 __vbaFpI4
0x4010c4 __vbaLateMemCallLd
0x4010c8 _CIatan
0x4010cc __vbaCastObj
0x4010d0 _allmul
0x4010d4 _CItan
0x4010d8 _CIexp
0x4010dc __vbaFreeObj

EAT(Export Address Table) is none

Report - downfile.asp

Signature (11cnts)

Rules (4cnts)

Network (96cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure