Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.08.28 09:43	Machine	s1_win7_x6402
Filename	File_pass1234.7z
Type	7-zip archive data, version 0.4
AI Score	Not founds	Behavior Score	7.0
ZERO API	file : clean
VT API (file)	1 detected ()
md5	134ceb06f8f77fcdb5dedf95f32a3f27
sha256	c6583b41756cd7f0b0b18516d42a75f14190e7724bd0f32346619382062b920e
ssdeep	393216:qIvUueWhkh+ZzDOypOu5q9q2tIP5tW92ASeOkWJCzamKlCw6bCV:qIKW+h+ZPOOJqo2OP5tH2WJCiTBV
imphash
impfuzzy

Network IP location

Signature (15cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch	Communicates with host for which no DNS query was performed
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice	Connects to a Dynamic DNS Domain
notice	File has been identified by one AntiVirus engine on VirusTotal as malicious
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	Sends data using the HTTP POST Method
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger

Rules (11cnts)

Level	Name	Description	Collection
notice	Escalate_priviledges	Escalate priviledges	memory
notice	Generic_PWS_Memory_Zero	PWS Memory	memory
notice	KeyLogger	Run a KeyLogger	memory
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (90cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://208.67.104.60/api/firegate.php whois		208.67.104.60	34253	mailcious
http://208.67.104.60/api/tracemap.php whois		208.67.104.60	28876	mailcious
http://193.233.254.61/loghub/master whois	OOO FREEnet Group	193.233.254.61	35736	mailcious
http://45.9.74.80/super.exe whois		45.9.74.80		malware
http://230809204625331.nes.dtf99.top/f/fikim0809331.exe whois	Belcloud LTD	94.156.35.76		clean
http://45.15.156.229/api/tracemap.php whois	CJSC Kolomna-Sviaz TV	45.15.156.229	33783	mailcious
http://77.91.124.231/info/img0581.exe whois	Foton Telecom CJSC	77.91.124.231	35986	malware
http://autorun.ddns.net/autorun.exe whois		194.169.175.232		malware
http://176.113.115.84:8080/4.php whois	OOO Network of data-centers Selectel	176.113.115.84	34795	mailcious
http://jjz.alie3ksgbb.com/m/iela2f5.exe whois	CLOUDFLARENET	104.21.90.117	36007	malware
http://87.121.221.58/g.exe whois		87.121.221.58	35764	malware
http://45.15.156.229/api/firegate.php whois	CJSC Kolomna-Sviaz TV	45.15.156.229		mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c whois	Akamai International B.V.	23.67.53.27		clean
http://www.maxmind.com/geoip/v2.1/city/me whois	CLOUDFLARENET	104.18.146.235		clean
http://45.9.74.80/0bjdn2Z/index.php whois		45.9.74.80	26790	mailcious
http://45.9.74.80/loa.exe whois		45.9.74.80		malware
http://45.9.74.80/toolspub2.exe whois		45.9.74.80		malware
https://busell.store/setup294.exe whois	CLOUDFLARENET	104.21.9.89	35772	malware
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test whois	VKontakte Ltd	93.186.225.194		mailcious
https://sun6-20.userapi.com/c240331/u44017378/docs/d44/4a7d1471c416/RazerSynapse.bmp?extra=cN1Ah5ycB0omDx2FAikyNuYCqqszKvg5NBZJDmMD6HRQxbVzQbkLFTHETnx3i1hANoppE7iqkUrkKQtOQRPtkScZhENAh3LCvnuUSp-j8zDG-Cvg9M6IK8a17l-939_WI4KPzI7sBWuITe1s whois	VKontakte Ltd	95.142.206.0		clean
https://sun6-23.userapi.com/c237131/u44017378/docs/d8/804100308acb/crypted.bmp?extra=YdWzxtefQjhAn2En8yMf52BVIWQ1zDpTGnqIQV8H-oovyZAD987-RJUW7gg_f88GbltLuEEDnvBy7hYICJjBzLy3mUu_gNG3r-H83JNo8km9DJT6vRIbrJJSEyZFo5UVa2zp0-t91ahX0NLI whois	VKontakte Ltd	95.142.206.3		clean
https://vk.com/doc44017378_668355890?hash=OEXurxHv742cAEINPwUZWBvCkIvq2mo3gMKCk9mNEZz&dl=FcEr7W2vNSUK3rRVQ2uwXb1BnszbBNaV1N06orQc1Os&api=1&no_preview=1 whois	VKontakte Ltd	93.186.225.194		clean
https://vk.com/doc44017378_668304193?hash=9nKZ2LbJrWZTaSMoxOyzGdzdzVswMLVAELDqvF4WUzc&dl=8uKyjO7RLaL9aj2kQjAN7XRk3OAYJZ3SL1dkc9tNpxc&api=1&no_preview=1#WW1 whois	VKontakte Ltd	93.186.225.194		clean
https://vk.com/doc44017378_668305087?hash=TuocKpTKJDaGHrC0HTDbLSAP7ILM8xAQgYNUm78Bmgc&dl=pQmbc6zVZsxint9VqlO9DcFBndvLOtSqeXbOXCsW4yo&api=1&no_preview=1#start whois	VKontakte Ltd	93.186.225.194		clean
https://sun6-23.userapi.com/c909228/u44017378/docs/d31/031a419a08d3/x.bmp?extra=dePDDxM4DGeRjT25CPSd9Ct_rh4XuSy3bDoQT210esXvzYUkXxOVYuGMvFWgtBzuVzB3Pu96kIXJMM6wkMMmcUYG__1Vlk_pw8FQ7gzlKceZLiq9Eqem8GfM2a6kPvhxYu11_xbkARdYZv5A whois	VKontakte Ltd	95.142.206.3		clean
https://db-ip.com/demo/home.php?s=175.208.134.152 whois	CLOUDFLARENET	104.26.4.15		clean
https://sun6-23.userapi.com/c909628/u44017378/docs/d59/31728cb37cde/RisePro_0_5_eM6kP0V0t0TJM31LPkFZ.bmp?extra=8qyEsehyUDi_2xlj_ansoERclQ9Xci7OMgY_Z_dhC3sYp7lSaoe-hwps_VpYFHUZgKttlij0IkBys8yBQrRUN5ckgRxTLEt4x2H7QR9_t0L9p2MEQT46O4gRs1cifsBGFjn9PEomMPopTUT7 whois	VKontakte Ltd	95.142.206.3		clean
https://db-ip.com/ whois	CLOUDFLARENET	104.26.4.15		clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 whois	VKontakte Ltd	87.240.132.72		mailcious
https://vk.com/doc44017378_668379524?hash=SHDy8F6MTaslV7hf9Z9WkzT8bkNJZOA2fSyjKD1YdDo&dl=mK8EYpCb4aWgpHrL7FEXpgLAT0BAaZgxM86wS4u0thT&api=1&no_preview=1 whois	VKontakte Ltd	93.186.225.194		clean
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self whois	CLOUDFLARENET	104.26.5.15		clean
https://sun6-22.userapi.com/c240331/u44017378/docs/d46/42e54d223ac0/WWW1.bmp?extra=z3ACIIJGvpBq0HIjNutA06MbTxxpx-3FTjAItWDCFPURzTU-Elofrz0yjYDQ-Y0cKAOty0-j-qZ4D9-iRxHB4fbGo-ZGq2MO7TmgEksuA_yPzC1cH8cIReEGVuYFWKNHeD38LYYVpq6zZwr1 whois	VKontakte Ltd	95.142.206.2		clean
https://sun6-21.userapi.com/c909218/u44017378/docs/d2/a123e4d9467e/tmvwr.bmp?extra=dw3ig29aP3yneS_TLS58bIOpD3nvHS4hyj20IHzV4auTqlcYk7B3PTmG39G-DIsuZibYbb5DJwmuYhj-eeAZU_akb9ZZdKKH3i2dbrzniwCU6siKujeSKY42r-Yjhvn2HFKIbVb7ik8qBPQk whois	VKontakte Ltd	95.142.206.1		clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats whois	VKontakte Ltd	93.186.225.194		mailcious
https://sun6-20.userapi.com/c909618/u44017378/docs/d44/659cbd3e52a9/PL43464.bmp?extra=wK-OoZtI3J9ssAzreYk1kKj_zykQJOvu-BbinFwgrI900hXBuZG5_zEBcLVat0Mc2xdZYmHMPnynVNnjTwIJFL5e_3907MFu9oh5yOz8DYWjl4htBLKmXxGD66TLBh3cc_hNK4vbUGcr99qq whois	VKontakte Ltd	95.142.206.0		clean
https://vk.com/doc44017378_668405935?hash=fvMGzddKGZ3CmaEa4ShIsqcaZmrdOzO4ZYwVyqVeuP4&dl=A1sZp5keQgwnZnnluDo5illwFz3gbsy8ItDrxpQJEYX&api=1&no_preview=1#rise whois	VKontakte Ltd	93.186.225.194		clean
https://vk.com/doc44017378_668486332?hash=BhRIDxpzULlbXK2tKkcXiuoUkEN2dwCkZOYOzQcmo7H&dl=FDJjPlpT0sFHWyDa952v0WGrE3O4diq55i6OiBzVvCP&api=1&no_preview=1#tmwvr whois	VKontakte Ltd	87.240.132.72		clean
https://vk.com/doc44017378_668469133?hash=BzAyBtoTQmQ0uUkT34inVefZZZfjSHGwzjfnXF9K9IP&dl=Y4YNowZZspOPNeFf2KoJiZEZDeoxookrqRltEutjAJL&api=1&no_preview=1#1 whois	VKontakte Ltd	93.186.225.194		clean
230809204625331.nes.dtf99.top whois	Belcloud LTD	94.156.35.76		clean
db-ip.com whois	CLOUDFLARENET	104.26.4.15		clean
api.db-ip.com whois	CLOUDFLARENET	104.26.5.15		clean
iplis.ru whois	Hetzner Online GmbH	148.251.234.93		mailcious
www.maxmind.com whois	CLOUDFLARENET	104.18.145.235		clean
busell.store whois	CLOUDFLARENET	172.67.159.178		malware
sun6-21.userapi.com whois	VKontakte Ltd	95.142.206.1		mailcious
ipinfo.io whois	GOOGLE	34.117.59.81		clean
vanaheim.cn whois	IQHost Ltd	193.106.174.130		mailcious
z.nnnaajjjgc.com whois	HK Kwaifong Group Limited	156.236.72.121		malware
sun6-22.userapi.com whois	VKontakte Ltd	95.142.206.2		clean
autorun.ddns.net whois		194.169.175.232		malware
api.myip.com whois	CLOUDFLARENET	172.67.75.163		clean
sun6-23.userapi.com whois	VKontakte Ltd	95.142.206.3		clean
sun6-20.userapi.com whois	VKontakte Ltd	95.142.206.0		mailcious
jjz.alie3ksgbb.com whois	CLOUDFLARENET	172.67.200.102		malware
iplogger.org whois	Hetzner Online GmbH	148.251.234.83		mailcious
vk.com whois	VKontakte Ltd	93.186.225.194		mailcious
148.251.234.93 whois	Hetzner Online GmbH	148.251.234.93		mailcious
194.169.175.128 whois		194.169.175.128		mailcious
104.18.145.235 whois	CLOUDFLARENET	104.18.145.235		clean
93.186.225.194 whois	VKontakte Ltd	93.186.225.194		mailcious
104.21.9.89 whois	CLOUDFLARENET	104.21.9.89		malware
104.26.5.15 whois	CLOUDFLARENET	104.26.5.15		clean
179.43.158.2 whois	Private Layer INC	179.43.158.2		clean
208.67.104.60 whois		208.67.104.60		mailcious
172.67.200.102 whois	CLOUDFLARENET	172.67.200.102		clean
87.121.221.58 whois		87.121.221.58		malware
121.254.136.9 whois	LG DACOM Corporation	121.254.136.9		clean
172.67.75.163 whois	CLOUDFLARENET	172.67.75.163		clean
193.233.254.61 whois	OOO FREEnet Group	193.233.254.61		mailcious
194.26.135.162 whois		194.26.135.162		mailcious
34.117.59.81 whois	GOOGLE	34.117.59.81		clean
176.113.115.84 whois	OOO Network of data-centers Selectel	176.113.115.84		mailcious
148.251.234.83 whois	Hetzner Online GmbH	148.251.234.83		clean
193.106.174.130 whois	IQHost Ltd	193.106.174.130		clean
45.9.74.80 whois		45.9.74.80		malware
194.169.175.232 whois		194.169.175.232		malware
176.123.9.142 whois	Alexhost Srl	176.123.9.142		mailcious
77.91.124.231 whois	Foton Telecom CJSC	77.91.124.231		malware
185.225.73.32 whois	Mayak Smart Services Ltd.	185.225.73.32		mailcious
149.202.0.242 whois	OVH SAS	149.202.0.242		mailcious
156.236.72.121 whois	HK Kwaifong Group Limited	156.236.72.121		mailcious
45.15.156.229 whois	CJSC Kolomna-Sviaz TV	45.15.156.229		mailcious
104.26.4.15 whois	CLOUDFLARENET	104.26.4.15		clean
95.142.206.3 whois	VKontakte Ltd	95.142.206.3		clean
163.123.143.4 whois		163.123.143.4		mailcious
95.142.206.1 whois	VKontakte Ltd	95.142.206.1		mailcious
95.142.206.0 whois	VKontakte Ltd	95.142.206.0		mailcious
95.142.206.2 whois	VKontakte Ltd	95.142.206.2		clean
62.122.184.58 whois		62.122.184.58		clean
87.240.132.72 whois	VKontakte Ltd	87.240.132.72		mailcious

Suricata ids

ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 39
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY DNS Query to DynDNS Domain *.ddns .net
ET DROP Spamhaus DROP Listed Traffic Inbound group 21
ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
ET INFO EXE - Served Attached HTTP
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET DNS Query to a *.top domain - Likely Hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET DROP Dshield Block Listed Source group 1
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2

Report - File_pass1234.7z

Signature (15cnts)

Rules (11cnts)

Network (90cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure