Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.10.24 10:03	Machine	s1_win7_x6402
Filename	setup.7z
Type	7-zip archive data, version 0.4
AI Score	Not founds	Behavior Score	4.2
ZERO API	file : malware
VT API (file)
md5	4c65dedbb73fbb8d9daae8179d67082b
sha256	9a5025b7f0b5c3895150736fb3382da2b0a38c98d88dcff02542ea4c08cbe2d9
ssdeep	98304:JIMLsM6SwKiLUZgpuLHhPriCT7s+8Q19f6yg0ljxfFX:5r6pANiCMG19Hg0ljJV
imphash
impfuzzy

Network IP location

Signature (11cnts)

Level	Description
watch	Communicates with host for which no DNS query was performed
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates executable files on the filesystem
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	Performs some HTTP requests
notice	Sends data using the HTTP POST Method
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger

Rules (11cnts)

Level	Name	Description	Collection
notice	Escalate_priviledges	Escalate priviledges	memory
notice	Generic_PWS_Memory_Zero	PWS Memory	memory
notice	KeyLogger	Run a KeyLogger	memory
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (22cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://94.142.138.131/api/firegate.php whois	Ihor Hosting LLC	94.142.138.131	32650	mailcious
http://94.142.138.131/api/tracemap.php whois	Ihor Hosting LLC	94.142.138.131	28311	mailcious
http://dannyleagy.fun/api whois	CLOUDFLARENET	172.67.191.137		clean
http://volkels.fun/api whois	CLOUDFLARENET	172.67.163.133		clean
https://volkels.fun/api whois	CLOUDFLARENET	172.67.163.133		clean
https://psv4.userapi.com/c909328/u52355237/docs/d47/c541f110e091/Installation.bmp?extra=UgwBGkMcfjcRXxJpAN_ASDuA0Ulq2C1OYolHMcvZH2Z240wWgFPur2bYY2ipG1c__XCmg7VaCVjAHzDdCrA1S8XNsrR_lsV0QDzjRvhM0brwyhjZhKAOz1A4_7Q9pVPYoNMU8ICt2QCICYFC whois	VKontakte Ltd	87.240.190.89		clean
https://vk.com/doc52355237_667317398?hash=Nzo9Lpy2lnkLk0e9i3sM5Q7Rmhu0skEqTijVFqSmRV4&dl=zTGHW6YEQC0elKjKTCqYaLRzYnULI1fc07ZVd4bICGH&api=1&no_preview=1 whois	VKontakte Ltd	87.240.129.133		clean
https://api.myip.com/ whois	CLOUDFLARENET	172.67.75.163		clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 whois	VKontakte Ltd	87.240.129.133		mailcious
psv4.userapi.com whois	VKontakte Ltd	87.240.190.89		clean
api.myip.com whois	CLOUDFLARENET	172.67.75.163		clean
ipinfo.io whois	GOOGLE	34.117.59.81		clean
dannyleagy.fun whois	CLOUDFLARENET	104.21.92.100		clean
volkels.fun whois	CLOUDFLARENET	104.21.42.158		clean
vk.com whois	VKontakte Ltd	87.240.132.67		mailcious
104.21.92.100 whois	CLOUDFLARENET	104.21.92.100		mailcious
172.67.163.133 whois	CLOUDFLARENET	172.67.163.133		malware
172.67.75.163 whois	CLOUDFLARENET	172.67.75.163		clean
87.240.190.89 whois	VKontakte Ltd	87.240.190.89		clean
87.240.129.133 whois	VKontakte Ltd	87.240.129.133		mailcious
94.142.138.131 whois	Ihor Hosting LLC	94.142.138.131		mailcious
34.117.59.81 whois	GOOGLE	34.117.59.81		clean

Report - setup.7z

Signature (11cnts)

Rules (11cnts)

Network (22cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure