Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.09.20 18:00	Machine	s1_win7_x6401
Filename	TiWorker.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	8	Behavior Score	4.0
ZERO API	file : malware
VT API (file)	53 detected (Common, Noon, Razy, Formbook, Vt2t, malicious, confidence, 100%, GenusT, DRMH, Eldorado, Attribute, HighConfidence, high confidence, score, PWSX, Fajl, ZPACK, Packed2, R002C0DIH23, high, Static AI, Malicious PE, ai score=89, GrayWare, X2184, GenericRXVJ, General, unsafe, Chgt, Digitala, 4bkQNC3KfED)
md5	9809924a1fb0082898813c23dbc84b24
sha256	8183f3d03aabd24f00a14cdf4bd6e88c946bc3d2a17ed2368792426d32783e55
ssdeep	3072:OPUq+jL3rWh716RfGYSeK95YWX2PaAlN4eT0FNaP0hBUxY3rC8XG4t7hXs+cCk3X:4K/3rUJYSx95YBfSrF8OaiusG6hXs/H
imphash
impfuzzy	3::

Network IP location

Signature (8cnts)

Level	Description
danger	File has been identified by 53 AntiVirus engines on VirusTotal as malicious
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	Sends data using the HTTP POST Method
notice	The binary likely contains encrypted or compressed data indicative of a packer

Rules (3cnts)

Level	Name	Description	Collection
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
info	IsPE32	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (45cnts) ?

Request	ASN Co	IP4	ZERO ?
http://www.palatepursuits.cfd/kniu/ whois	CLOUDFLARENET	172.67.196.133	clean
http://www.poultry-symposium.com/kniu/?zM2u=40XX9Ytbs/otsI+0yUtAogrXy8SgXZWV889z9rydVcgoc+JCy8vgR1icdWU6u94Njq5xrtv7NQnpOX1iusCyLYuLxlHkdapdsh1Ymak=&r8LF=ldF1y4FXSVpJ whois	Nazwa.pl Sp.z.o.o.	85.128.134.237	clean
http://www.xxkxcfkujyeft.xyz/kniu/ whois	MULTA-ASN1	216.240.130.67	clean
http://www.tsygy.com/kniu/?zM2u=bJ36cMi4kupHJe0Hctq9gMewB+uvjmGDqwrfSqfgcqRhOtXAC1zMZIlHhDCyIhSJCFAYjWOLktx1yjWN3ai585tt7uX+B1FmFo0jbF0=&r8LF=ldF1y4FXSVpJ whois	LEASEWEB-USA-LAX-11	23.104.137.185	clean
http://www.flyingfoxnb.com/kniu/?zM2u=2khzscf+uoNd4qXDJMvMlsCGRf74adwr4dCZmsSaM5bi7vY8OWwGY+oUQIQbfdmtzbAFku/2CGFb1XO6VHKJWfD6Hx+uzWgInko6T2A=&r8LF=ldF1y4FXSVpJ whois	TUCOWS	216.40.34.41	clean
http://www.poultry-symposium.com/kniu/ whois	Nazwa.pl Sp.z.o.o.	85.128.134.237	clean
http://www.siteapp.fun/kniu/?zM2u=6sBKYXqHQWHKIO2IG+2EqtcAj7thqVpOenJ3Aw9YNEL5O7rEWmoX1sx8Xe3NA3a7pLf2GEiO8AkwTW2yzvekojaHRlDYosZEDLTR5OQ=&r8LF=ldF1y4FXSVpJ whois	LEASEWEB-USA-WDC	23.82.12.35	clean
http://www.flyingfoxnb.com/kniu/ whois	TUCOWS	216.40.34.41	clean
http://www.xxkxcfkujyeft.xyz/kniu/?zM2u=i0HwDxosD6vP35vKxXt8TqB5hgt09UAmGu6yXsGJ7KHeDbKCAxtr8kYkpXafqSJ5CWKS4JQhNIcZa2fBS8/HEz0POFGF5EDYOp/zgDU=&r8LF=ldF1y4FXSVpJ whois	MULTA-ASN1	216.240.130.67	clean
http://www.frefire.top/kniu/ whois	VIMRO-AS15189	67.223.117.37	clean
http://www.siteapp.fun/kniu/ whois	LEASEWEB-USA-WDC	23.82.12.35	clean
http://www.prosourcegraniteinc.com/kniu/ whois	GOOGLE	216.239.36.21	clean
http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip whois	Linode, LLC	45.33.6.223	clean
http://www.theartboxslidell.com/kniu/ whois		199.59.243.224	clean
http://www.palatepursuits.cfd/kniu/?zM2u=hbIoOV/dmdXO2xpIn07o59QoAXcFh8OwL7wE3CCbwPL4DaTNKf4A6Fx93MICWs67Kq9ozN+vd0WYpt+cGdGxDSTpWz7Z0RqHqaDgDUU=&r8LF=ldF1y4FXSVpJ whois	CLOUDFLARENET	172.67.196.133	clean
http://www.prosourcegraniteinc.com/kniu/?zM2u=9xFgCh3s8l/k2B8O7aAt9yPceR5ZLMimGcu4Dy10KR8z2IhjbkPtetaY6rVQOSuqKBOJhR+SeENFOh5XwKmANMDhEFCrb4byHJuvuWU=&r8LF=ldF1y4FXSVpJ whois	GOOGLE	216.239.36.21	clean
http://www.theartboxslidell.com/kniu/?zM2u=pbzwZ3uv6ZLNK9kOZcORaqCkpmWHCySL5KPRtIvuGjYxhe5HL3eyc57X4ozDsIqy99XGgcN1QrQuWuftpLGszPSRgY0zgb673Mjl5VE=&r8LF=ldF1y4FXSVpJ whois		199.59.243.224	clean
http://www.tsygy.com/kniu/ whois	LEASEWEB-USA-LAX-11	23.104.137.185	clean
http://www.onlyleona.com/kniu/ whois	CLOUDFLARENET	104.21.13.143	clean
http://www.onlyleona.com/kniu/?zM2u=eul8o7FRTpzZYv+GqkkzOpE5tEZO7cuUa8jf7YGp4uFOB2eW2y1ALY7ycZgKlFf7jddzg63rMJOPKD43r6dZxMpJnJONv2M7MFgI8Mw=&r8LF=ldF1y4FXSVpJ whois	CLOUDFLARENET	104.21.13.143	clean
http://www.frefire.top/kniu/?zM2u=w8rKBuSUIg6smCThP+RZr8URK2cMAOxRwdqHG6Uo67OOMeio1zBa/jWrwyXT3+M/9aqTr1N41d9bzE5WN9beyeWExgAtk5mD8L1zbeQ=&r8LF=ldF1y4FXSVpJ whois	VIMRO-AS15189	67.223.117.37	clean
www.palatepursuits.cfd whois	CLOUDFLARENET	104.21.21.57	clean
www.onlyleona.com whois	CLOUDFLARENET	172.67.132.228	clean
www.prosourcegraniteinc.com whois	GOOGLE	216.239.38.21	clean
www.pengeloladata.click whois			clean
www.xxkxcfkujyeft.xyz whois	MULTA-ASN1	216.240.130.67	clean
www.theartboxslidell.com whois		199.59.243.224	clean
www.8956kjw1.com whois	LEMON TELECOMMUNICATIONS LIMITED	103.71.154.244	clean
www.frefire.top whois	VIMRO-AS15189	67.223.117.37	clean
www.tsygy.com whois	LEASEWEB-USA-LAX-11	23.104.137.185	mailcious
www.poultry-symposium.com whois	Nazwa.pl Sp.z.o.o.	85.128.134.237	clean
www.flyingfoxnb.com whois	TUCOWS	216.40.34.41	clean
www.siteapp.fun whois	LEASEWEB-USA-WDC	23.82.12.35	clean
85.128.134.237 whois	Nazwa.pl Sp.z.o.o.	85.128.134.237	clean
81.171.28.43 whois	LeaseWeb Netherlands B.V.	81.171.28.43	clean
104.21.13.143 whois	CLOUDFLARENET	104.21.13.143	clean
199.59.243.224 whois		199.59.243.224	mailcious
23.104.137.185 whois	LEASEWEB-USA-LAX-11	23.104.137.185	mailcious
67.223.117.37 whois	VIMRO-AS15189	67.223.117.37	clean
216.40.34.41 whois	TUCOWS	216.40.34.41	mailcious
216.240.130.67 whois	MULTA-ASN1	216.240.130.67	mailcious
103.71.154.244 whois	LEMON TELECOMMUNICATIONS LIMITED	103.71.154.244	clean
104.21.21.57 whois	CLOUDFLARENET	104.21.21.57	clean
216.239.36.21 whois	GOOGLE	216.239.36.21	phishing
45.33.6.223 whois	Linode, LLC	45.33.6.223	clean

Suricata ids

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none

Report - TiWorker.exe

Signature (8cnts)

Rules (3cnts)

Network (45cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure