Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.10.19 08:00	Machine	s1_win7_x6401
Filename	Ads.exe
Type	PE32+ executable (GUI) x86-64, for MS Windows
AI Score	3	Behavior Score	13.2
ZERO API	file : malware
VT API (file)	36 detected (AIDetectMalware, GenericKD, Artemis, malicious, confidence, Attribute, HighConfidence, GenKryptik, GPCL, score, Stealerc, PWSX, Nekark, wnzrz, DownLoader46, VSNTJI23, Detected, ai score=87, Casdet, Glupteba, unsafe, Chgt, Kryptik, 75OIvYcHgzD, Krypt, GMLD)
md5	6e781cf49af81b961d0ab465210a35f8
sha256	b7980abb0fbb1e27c9dfd24f2d36891986e3325b2596fff09baa3904830eac0c
ssdeep	24576:nlP+gGRPlVlmClblzNj9ZmT5/Za866njeXTJbrn0fatsse:lP+bxlVzlZNjvG/IjlrsQxe
imphash	9d73eabc1296af162ac6ff5d06072544
impfuzzy	6:o41wT3WTD1Fz8ID9Iay4PMtsUdRlYlFBJAEoZ/OEGDzyRdwi/QKRn:o4MuD1Fwlay4PKrlYjABZG/Dzkwi9Rn

Network IP location

Signature (26cnts)

Level	Description
danger	Executed a process and injected code into it
danger	File has been identified by 36 AntiVirus engines on VirusTotal as malicious
warning	Generates some ICMP traffic
watch	Allocates execute permission to another process indicative of possible code injection
watch	Communicates with host for which no DNS query was performed
watch	Detects Avast Antivirus through the presence of a library
watch	Drops a binary and executes it
watch	Installs itself for autorun at Windows startup
watch	Potential code injection by writing to the memory of another process
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
watch	Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice	A process created a hidden window
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Creates executable files on the filesystem
notice	Drops an executable to the user AppData folder
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Potentially malicious URLs were found in the process memory dump
notice	Resolves a suspicious Top Level Domain (TLD)
notice	The binary likely contains encrypted or compressed data indicative of a packer
notice	The executable is compressed using UPX
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger

Rules (19cnts)

Level	Name	Description	Collection
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
watch	Antivirus	Contains references to security software	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (download)
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	IsDLL	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (download)
info	IsPE64	(no description)	binaries (download)
info	IsPE64	(no description)	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (40cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://apps.identrust.com/roots/dstrootcax3.p7c whois	Akamai International B.V.	23.209.95.50		clean
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 whois	OPERASOFTWARE	107.167.110.216		clean
http://gobo02fc.top/build.exe whois	Trader soft LLC	85.143.220.63		clean
http://85.217.144.143/files/My2.exe whois		85.217.144.143	34643	malware
http://galandskiyher5.com/downloads/toolspub1.exe whois		194.169.175.127		clean
https://grabyourpizza.com/7a54bdb20779c4359694feaa1398dd25.exe whois	CLOUDFLARENET	172.67.197.174		malware
https://pastebin.com/raw/xYhKBupz whois	CLOUDFLARENET	104.20.67.143	36780	mailcious
https://diplodoka.net/4d1aaeb879448e5236e36d2209b40d34/7a54bdb20779c4359694feaa1398dd25.exe whois	CLOUDFLARENET	172.67.217.52		clean
https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 whois	OPERASOFTWARE	107.167.110.216		clean
https://potatogoose.com/4d1aaeb879448e5236e36d2209b40d34/baf14778c246e15550645e30ba78ce1c.exe whois	CLOUDFLARENET	172.67.180.173		clean
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe whois	CLOUDFLARENET	172.67.216.81	36783	malware
pastebin.com whois	CLOUDFLARENET	172.67.34.170		mailcious
diplodoka.net whois	CLOUDFLARENET	104.21.78.56		clean
net.geo.opera.com whois	OPERASOFTWARE	107.167.110.211		clean
gobo02fc.top whois	Trader soft LLC	85.143.220.63		clean
laubenstein.space whois	Beget LLC	45.130.41.101		mailcious
flyawayaero.net whois	CLOUDFLARENET	172.67.216.81		malware
yip.su whois	Hetzner Online GmbH	148.251.234.93		mailcious
grabyourpizza.com whois	CLOUDFLARENET	172.67.197.174		malware
galandskiyher5.com whois		194.169.175.127		malware
potatogoose.com whois	CLOUDFLARENET	172.67.180.173		clean
darianentertainment.com whois	ALABANZA-BALT	65.109.26.240		clean
lycheepanel.info whois	CLOUDFLARENET	104.21.32.208		malware
pool.hashvault.pro whois	PhoenixNAP	131.153.76.130		mailcious
148.251.234.93 whois	Hetzner Online GmbH	148.251.234.93		mailcious
85.217.144.143 whois		85.217.144.143		malware
172.67.216.81 whois	CLOUDFLARENET	172.67.216.81		malware
107.167.110.216 whois	OPERASOFTWARE	107.167.110.216		clean
85.143.220.63 whois	Trader soft LLC	85.143.220.63		clean
45.130.41.101 whois	Beget LLC	45.130.41.101		mailcious
194.169.175.127 whois		194.169.175.127		malware
172.67.217.52 whois	CLOUDFLARENET	172.67.217.52		malware
104.21.32.208 whois	CLOUDFLARENET	104.21.32.208		malware
172.67.180.173 whois	CLOUDFLARENET	172.67.180.173		clean
162.159.135.233 whois		162.159.135.233		malware
172.67.197.174 whois	CLOUDFLARENET	172.67.197.174		clean
104.20.67.143 whois	CLOUDFLARENET	104.20.67.143		mailcious
65.109.26.240 whois	ALABANZA-BALT	65.109.26.240		mailcious
23.67.53.27 whois	Akamai International B.V.	23.67.53.27		clean
131.153.76.130 whois	PhoenixNAP	131.153.76.130		mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
0x1404260f0 EventWrite
api-ms-win-crt-heap-l1-1-0.dll
0x140426100 free
api-ms-win-crt-locale-l1-1-0.dll
0x140426110 _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll
0x140426120 tan
api-ms-win-crt-runtime-l1-1-0.dll
0x140426130 exit
api-ms-win-crt-stdio-l1-1-0.dll
0x140426140 _set_fmode
api-ms-win-crt-string-l1-1-0.dll
0x140426150 strcmp
crypt.dll
0x140426160 BCryptDecrypt
KERNEL32.DLL
0x140426170 LoadLibraryA
0x140426178 ExitProcess
0x140426180 GetProcAddress
0x140426188 VirtualProtect
ole32.dll
0x140426198 CoCreateGuid
USER32.dll
0x1404261a8 LoadStringW

EAT(Export Address Table) is none

Report - Ads.exe

Signature (26cnts)

Rules (19cnts)

Network (40cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure