Report - 173.exe

Gen1 UPX Malicious Library Malicious Packer PE File PE32 OS Processor Check DLL
Created 2023.09.17 16:24 Machine s1_win7_x6401
Filename 173.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score
8
Behavior Score
8.4
ZERO API file : malicious
VT API (file) 42 detected (AIDetectMalware, Stealerc, Midie, Artemis, Kryptik, Vymw, malicious, ZexaF, lu0@aazwPxdi, Attribute, HighConfidence, high confidence, HSYN, score, PWSX, Babar, SMOKELOADER, YXDIQZ, high, Static AI, Malicious PE, Reline, ai score=83, Sabsik, Vidar, ASAF, Detected, unsafe, Chgt, R002H0CIG23, e4duRlO0FPI, confidence, 100%)
md5 a7be047e27cfe019ade71a4b347efb00
sha256 8914ea1630012f740ca6a0cf49ae12af8eedf258da990b477bcff2b6afe4fd5d
ssdeep 3072:n6DdURkMVhMsK9Ecy4CESHUYoRHSkWJoF9FwiK:nGURDK99PS0RlWJo+i
imphash d0d523c12097b517245d838376423429
impfuzzy 24:1DoryPGfjeMjOovb/J3InktsQFQ8RyvDkRT4QfalWgLm:fMCY9ts3DgcQfaI9
Network IP location

Signature (19cnts)

Level Description
danger File has been identified by 42 AntiVirus engines on VirusTotal as malicious
watch Checks the CPU name from registry
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Harvests credentials from local email clients
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process 173.exe
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info One or more processes crashed
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (13cnts)

Level Name Description Collection
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (9cnts)

Request CC ASN Co IP4 Rule ZERO
http://85.209.11.51/5db65a39eefecd5d/softokn3.dll RU SYN LTD 85.209.11.51 clean
http://85.209.11.51/5db65a39eefecd5d/mozglue.dll RU SYN LTD 85.209.11.51 clean
http://85.209.11.51/5db65a39eefecd5d/freebl3.dll RU SYN LTD 85.209.11.51 clean
http://85.209.11.51/5db65a39eefecd5d/nss3.dll RU SYN LTD 85.209.11.51 clean
http://85.209.11.51/fefb4a458e1dc58b.php RU SYN LTD 85.209.11.51 clean
http://85.209.11.51/5db65a39eefecd5d/sqlite3.dll RU SYN LTD 85.209.11.51 clean
http://85.209.11.51/5db65a39eefecd5d/msvcp140.dll RU SYN LTD 85.209.11.51 clean
http://85.209.11.51/5db65a39eefecd5d/vcruntime140.dll RU SYN LTD 85.209.11.51 clean
85.209.11.51 RU SYN LTD 85.209.11.51 clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x41200c lstrlenW
 0x412010 VirtualProtect
 0x412014 GetProcAddress
 0x412018 LoadLibraryA
 0x41201c VirtualAlloc
 0x412020 LockResource
 0x412024 LoadResource
 0x412028 CreateThread
 0x41202c FindResourceW
 0x412030 GetModuleHandleW
 0x412034 GetLastError
 0x412038 CreateMutexA
 0x41203c GetModuleHandleA
 0x412040 FreeConsole
 0x412044 Sleep
 0x412048 SizeofResource
 0x41204c WaitForSingleObject
 0x412050 RtlUnwind
 0x412054 RaiseException
 0x412058 GetCommandLineA
 0x41205c TlsGetValue
 0x412060 TlsAlloc
 0x412064 TlsSetValue
 0x412068 TlsFree
 0x41206c InterlockedIncrement
 0x412070 SetLastError
 0x412074 GetCurrentThreadId
 0x412078 InterlockedDecrement
 0x41207c HeapFree
 0x412080 HeapAlloc
 0x412084 TerminateProcess
 0x412088 GetCurrentProcess
 0x41208c UnhandledExceptionFilter
 0x412090 SetUnhandledExceptionFilter
 0x412094 IsDebuggerPresent
 0x412098 ExitProcess
 0x41209c WriteFile
 0x4120a0 GetStdHandle
 0x4120a4 GetModuleFileNameA
 0x4120a8 FreeEnvironmentStringsA
 0x4120ac GetEnvironmentStrings
 0x4120b0 FreeEnvironmentStringsW
 0x4120b4 WideCharToMultiByte
 0x4120b8 GetEnvironmentStringsW
 0x4120bc SetHandleCount
 0x4120c0 GetFileType
 0x4120c4 GetStartupInfoA
 0x4120c8 DeleteCriticalSection
 0x4120cc HeapCreate
 0x4120d0 VirtualFree
 0x4120d4 QueryPerformanceCounter
 0x4120d8 GetTickCount
 0x4120dc GetCurrentProcessId
 0x4120e0 GetSystemTimeAsFileTime
 0x4120e4 GetCPInfo
 0x4120e8 GetACP
 0x4120ec GetOEMCP
 0x4120f0 IsValidCodePage
 0x4120f4 LeaveCriticalSection
 0x4120f8 EnterCriticalSection
 0x4120fc HeapReAlloc
 0x412100 HeapSize
 0x412104 InitializeCriticalSectionAndSpinCount
 0x412108 LCMapStringA
 0x41210c MultiByteToWideChar
 0x412110 LCMapStringW
 0x412114 GetStringTypeA
 0x412118 GetStringTypeW
 0x41211c GetLocaleInfoA
COMDLG32.dll
 0x412000 GetSaveFileNameA
 0x412004 GetOpenFileNameA

EAT (Export Address Table): none
