Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.06.02 18:43	Machine	s1_win7_x6402
Filename	File_pass1234.7z
Type	7-zip archive data, version 0.4
AI Score	Not founds	Behavior Score	7.6
ZERO API	file : clean
VT API (file)
md5	63e2ad5f5f1466a924b0c77048dcc60a
sha256	23fb85714c79c4acf328e379128025ee17eca8f57d8a58d47da6d821d5f70737
ssdeep	98304:fg7CCMx7RpUpyVLUNqeTZTgl4PAzIrjfs8LRfmxKf0cmHs8nL7PmX4G7N:feex7RpDUNNTZtIMrjfBxq2TmHs8nfPM
imphash
impfuzzy

Network IP location

Signature (15cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning	Generates some ICMP traffic
watch	Communicates with host for which no DNS query was performed
watch	Connects to an IRC server
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates executable files on the filesystem
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	Sends data using the HTTP POST Method
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger

Rules (11cnts)

Level	Name	Description	Collection
notice	Escalate_priviledges	Escalate priviledges	memory
notice	Generic_PWS_Memory_Zero	PWS Memory	memory
notice	KeyLogger	Run a KeyLogger	memory
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (54cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://77.91.68.62/DSC01491/fotocr06.exe whois	Foton Telecom CJSC	77.91.68.62	33774	malware
http://hugersi.com/dl/6523.exe whois	Petersburg Internet Network ltd.	91.215.85.147	32660	malware
http://45.15.156.229/api/tracemap.php whois	CJSC Kolomna-Sviaz TV	45.15.156.229	33783	mailcious
http://85.208.136.10/api/firegate.php whois	CMCS	85.208.136.10	32663	mailcious
http://77.91.68.62/wings/game/index.php whois	Foton Telecom CJSC	77.91.68.62	33726	mailcious
http://77.91.68.62/DSC01491/foto148.exe whois	Foton Telecom CJSC	77.91.68.62	33773	malware
http://95.214.25.234:3002/ whois	CMCS	95.214.25.234		malware
http://www.maxmind.com/geoip/v2.1/city/me whois	CLOUDFLARENET	104.17.215.67		clean
http://ji.jahhaega2qq.com/m/p0aw25.exe whois	CLOUDFLARENET	172.67.182.87	33779	malware
http://83.97.73.128/gallery/photo430.exe whois	Limitless Mobile GmbH	83.97.73.128		malware
http://85.208.136.10/api/tracemap.php whois	CMCS	85.208.136.10	32662	mailcious
https://vk.com/doc800513317_661831941?hash=kC1U4OLCAYMUhVtMfoutYSzDrY3EsJWFVrzp6QPGPus&dl=7914u1IpemjZrAZ1e75d2G0XzBQ90WsmERXsgDjYTgL&api=1&no_preview=1 whois	VKontakte Ltd	87.240.129.133		clean
https://vk.com/doc791620691_664833875?hash=u7gA1WPz7GZN7R6AsWfNRszp1EhXac8b6J8qQmORXow&dl=ZMktHzYCzZ9XDvxi97D73YkXsVJJPzzGWy3sWU7JhpD&api=1&no_preview=1 whois	VKontakte Ltd	87.240.129.133		clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test whois	VKontakte Ltd	87.240.129.133		mailcious
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self whois	CLOUDFLARENET	104.26.5.15		clean
https://db-ip.com/ whois	CLOUDFLARENET	104.26.5.15		clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 whois	VKontakte Ltd	87.240.129.133		mailcious
https://sun6-21.userapi.com/c240331/u800513317/docs/d20/68fdb46e6c52/PMp123a.bmp?extra=NpfI2Dmo18FSvnw9T36Up24KS6_b4xAj555TPlBXx7f1gghfzgQxuitnRimxvAErJEpvGtGIoG-YQq9vQBMSizlupZ5BBN9Y1OQO1yi9XJumXNbdQfkbjdQgwb0ahuj6CKQIfHe1nBetrUbQww whois	VKontakte Ltd	95.142.206.1		clean
https://vk.com/doc791620691_664710492?hash=j27Vxz0stfSxJXNlzmz602vSgZ0IXBoi9ZZq9syJVkT&dl=Sw3eQffdQH4eEi2robhrPmVXjMf9ExmZT9V02woFQ2k&api=1&no_preview=1#WW1 whois	VKontakte Ltd	87.240.129.133		clean
https://sun6-23.userapi.com/c235031/u791620691/docs/d33/5cee3fee83b0/WWW1.bmp?extra=9MQFCK9sy0BlFTB0sDmDo892U3wcsqjQnbA_GeW4BLqu0c4KbVa9EBsGMmrM-FhmMiMKZ9rfwHYcXuZqLdVeGZ569kTZQFDf0i9x8EWY85Oc_HUbGDkUIAnfe6_Mfqlaw7ngI48-yWqJWkEN2Q whois	VKontakte Ltd	95.142.206.3		clean
https://sun6-21.userapi.com/c237331/u791620691/docs/d45/31ee3e720154/cloudcosmic.bmp?extra=7z5X_rDygaQP6H7Cl38-7ZanPu_gKgnhQsLZRY0P7SEoIOS9yMw8BKCKqA4tAV0SehxJBNY1gbAR9slw-KYeFhQRbmfIN0uHZPcqXd4VaKR2ssoYGNtLN1_pk3ei4N5cLYakfcK3tEPYrXTNqA whois	VKontakte Ltd	95.142.206.1		clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats whois	VKontakte Ltd	87.240.129.133		mailcious
db-ip.com whois	CLOUDFLARENET	104.26.4.15		clean
iplis.ru whois	Hetzner Online GmbH	148.251.234.93		mailcious
hugersi.com whois	Petersburg Internet Network ltd.	91.215.85.147		malware
ji.jahhaega2qq.com whois	CLOUDFLARENET	172.67.182.87		malware
sun6-21.userapi.com whois	VKontakte Ltd	95.142.206.1		mailcious
sun6-23.userapi.com whois	VKontakte Ltd	95.142.206.3		clean
ipinfo.io whois	GOOGLE	34.117.59.81		clean
www.maxmind.com whois	CLOUDFLARENET	104.17.214.67		clean
api.db-ip.com whois	CLOUDFLARENET	104.26.4.15		clean
iplogger.org whois	Hetzner Online GmbH	148.251.234.83		mailcious
vk.com whois	VKontakte Ltd	87.240.132.72		mailcious
148.251.234.93 whois	Hetzner Online GmbH	148.251.234.93		mailcious
77.91.68.62 whois	Foton Telecom CJSC	77.91.68.62		malware
83.97.73.128 whois	Limitless Mobile GmbH	83.97.73.128		malware
91.215.85.147 whois	Petersburg Internet Network ltd.	91.215.85.147		malware
87.240.129.133 whois	VKontakte Ltd	87.240.129.133		mailcious
104.26.5.15 whois	CLOUDFLARENET	104.26.5.15		clean
83.97.73.127 whois	Limitless Mobile GmbH	83.97.73.127		mailcious
172.67.75.166 whois	CLOUDFLARENET	172.67.75.166		clean
157.254.164.98 whois		157.254.164.98		mailcious
34.117.59.81 whois	GOOGLE	34.117.59.81		clean
172.67.182.87 whois	CLOUDFLARENET	172.67.182.87		malware
148.251.234.83 whois	Hetzner Online GmbH	148.251.234.83		clean
45.12.253.74 whois	CMCS	45.12.253.74		malware
95.214.25.234 whois	CMCS	95.214.25.234		malware
104.17.214.67 whois	CLOUDFLARENET	104.17.214.67		clean
45.15.156.229 whois	CJSC Kolomna-Sviaz TV	45.15.156.229		mailcious
95.142.206.3 whois	VKontakte Ltd	95.142.206.3		clean
163.123.143.4 whois		163.123.143.4		mailcious
95.142.206.1 whois	VKontakte Ltd	95.142.206.1		mailcious
85.208.136.10 whois	CMCS	85.208.136.10		mailcious
176.113.115.239 whois	OOO Network of data-centers Selectel	176.113.115.239		malware

Report - File_pass1234.7z

Signature (15cnts)

Rules (11cnts)

Network (54cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure