Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.06.07 07:40	Machine	s1_win7_x6403
Filename	Installer.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	5	Behavior Score	2.4
ZERO API	file : clean
VT API (file)	32 detected (Malicious, score, Artemis, ABTrojan, NOOJ, Attribute, HighConfidence, moderate confidence, a variant of Generik, GBPWGOK, Sharik, GenericKD, XPACK, 2JINIY, Sabsik, Casdet, Detected, unsafe, Chgt, CLOUD, PossibleThreat, ZexaF, rx2@aSHzUKhi, confidence)
md5	38b258c567b378058ac5cad63ab59584
sha256	686495bd2f04f2402b3543efd574a707caac0003dd682909db87da286173e771
ssdeep	98304:jgYLkFZCB1bZZ68WY2V0FR0NupgokfAGzeV77+tl:jgYLkFZCB1bZZ68WY2Vz8ppkfhzet+r
imphash	6014bca529f51ea59e3dfde00eb5ba7d
impfuzzy	3:sse0JSxKW/MKL8ssO7Sx3+l0+xJaOJafcAVQrvoSWLcvbsh0zJzslFJOYAJcRTSw:/lGMKlFYTQ0cvbpmzlT6QhAS

Network IP location

Signature (5cnts)

Level	Description
danger	File has been identified by 32 AntiVirus engines on VirusTotal as malicious
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Performs some HTTP requests
notice	The binary likely contains encrypted or compressed data indicative of a packer
info	Checks if process is being debugged by a debugger

Rules (4cnts)

Level	Name	Description	Collection
watch	UPX_Zero	UPX packed file	binaries (upload)
info	IsPE32	(no description)	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (22cnts) ?

Request	ASN Co	IP4	ZERO ?
http://apps.identrust.com/roots/dstrootcax3.p7c whois	Akamai International B.V.	23.67.53.27	clean
http://www.gstatic.com/generate_204 whois	GOOGLE	172.217.161.195	clean
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/n3xmszuzmcp4pxq3qhmant63nm_9.45.0/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.45.0_all_ecp3yewcq3fuvht5wyi7t7s37y.crx3 whois	GOOGLE	34.104.35.123	clean
http://clients2.google.com/time/1/current?cup2key=4:3591542034&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 whois	GOOGLE	142.250.206.238	clean
edgedl.me.gvt1.com whois	GOOGLE	34.104.35.123	clean
www.google.com whois	GOOGLE	142.250.207.100	clean
www.gstatic.com whois	GOOGLE	142.250.207.99	clean
cdn.stubdownloader.services.mozilla.com whois	GOOGLE	34.120.48.173	clean
fonts.googleapis.com whois	GOOGLE	142.250.206.202	clean
accounts.google.com whois	GOOGLE	172.217.25.173	clean
_googlecast._tcp.local whois			clean
fonts.gstatic.com whois	GOOGLE	142.250.206.227	clean
apis.google.com whois	GOOGLE	142.250.76.142	clean
142.251.220.67 whois	GOOGLE	142.251.220.67	clean
142.250.204.142 whois	GOOGLE	142.250.204.142	clean
142.250.204.36 whois	GOOGLE	142.250.204.36	clean
216.58.200.237 whois	GOOGLE	216.58.200.237	clean
121.254.136.27 whois	LG DACOM Corporation	121.254.136.27	clean
34.104.35.123 whois	GOOGLE	34.104.35.123	clean
34.120.48.173 whois	GOOGLE	34.120.48.173	clean
142.251.222.195 whois	GOOGLE	142.251.222.195	clean
172.217.25.10 whois	GOOGLE	172.217.25.10	clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
0x54b000 CreateFileW
0x54b004 GetFileInformationByHandle
0x54b008 GetFileSize
0x54b00c SetEndOfFile
0x54b010 SetFilePointer
0x54b014 IsProcessorFeaturePresent
0x54b018 GetVersion
0x54b01c DeleteAtom
0x54b020 AddAtomW
0x54b024 FindAtomW
0x54b028 GetAtomNameW

EAT(Export Address Table) is none

Report - Installer.exe

Signature (5cnts)

Rules (4cnts)

Network (22cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure