Report - ZeroBOX

ScreenShot

Info
Location map


Created	2024.05.12 02:42	Machine	s1_win7_x6403
Filename	Video.scr
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	6	Behavior Score	10.4
ZERO API	file : mailcious
VT API (file)	48 detected (AIDetectMalware, Crypren, tpW3, Python, unsafe, Miner, Attribute, HighConfidence, malicious, high confidence, Mozi, score, Crytes, hjtpjc, PhotoMiner, CLASSIC, Infected, WebPage, Gen2, Tool, BtcMine, ZexaF, 0nKfaybz@roi, CoinMiner, Bitcoinworm, ai score=100, HeurC, KVM007, Bflient, ~AD2@3d18gh, 113J9WD, Detected, R342010, Phonzy, Bkjl, Static AI, Suspicious PE, BitMiner)
md5	5616a3471565d34d779b5b3d0520bb70
sha256	9194b57673209c8534888f61b0cdefa34f463ae50cd78f72ab2b3348220baaf9
ssdeep	98304:RLbSThOfTCiFBXmfFs+JhEpCVoR8oMEOJ6Ty3RvX+UGD823FUuzmH:tBfTCiUs0VSLOJgyBGUA8Ch8
imphash	91ae93ed3ff0d6f8a4f22d2edd30a58e
impfuzzy	24:Skgwt3aDaODu9Wu9T/2bjar9UltMS1hbJnc+pl3rOovbKlvUIoUTlONoEqMo6iMJ:VgSokR9+tMS1hlc+ppaRNUIpONfiQx

Network IP location

Signature (19cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger	File has been identified by 48 AntiVirus engines on VirusTotal as malicious
warning	Generates some ICMP traffic
watch	Communicates with host for which no DNS query was performed
watch	Connects to an IRC server
watch	Enumerates services
watch	Installs itself for autorun at Windows startup
watch	Looks for the Windows Idle Time to determine the uptime
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice	Creates a service
notice	Creates a suspicious process
notice	Creates executable files on the filesystem
notice	Drops an executable to the user AppData folder
notice	The binary likely contains encrypted or compressed data indicative of a packer
info	Checks amount of memory in system
info	Queries for the computername
info	The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (13cnts)

Level	Name	Description	Collection
danger	Win32_Trojan_Gen_1_0904B0_Zero	Win32 Trojan Emotet	binaries (download)
warning	Generic_Malware_Zero	Generic Malware	binaries (upload)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
watch	UPX_Zero	UPX packed file	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (upload)
info	Is_DotNET_DLL	(no description)	binaries (download)
info	IsDLL	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (113cnts) ?

Request	ASN Co	IP4	ZERO ?
http://:21/ whois		0.0.0.0	clean
router.utorrent.com whois	Advania Island ehf	82.221.103.244	clean
xmr.crypto-pool.fr whois			mailcious
router.bittorrent.com whois	ASN-QUADRANET-GLOBAL	67.215.246.10	clean
dht.transmissionbt.com whois	Online S.a.s.	212.129.33.59	clean
bttracker.debian.org whois	Umea University	130.239.18.158	clean
218.91.199.159 whois	Chinanet	218.91.199.159	clean
43.148.209.248 whois		43.148.209.248	clean
207.238.159.149 whois	XO-AS15	207.238.159.149	clean
216.143.85.79 whois	LEVEL3	216.143.85.79	clean
207.231.69.233 whois	SUREWEST	207.231.69.233	clean
99.91.23.244 whois	ATT-INTERNET4	99.91.23.244	clean
133.12.140.4 whois	Research Organization of Information and Systems, National Institute of Informatics	133.12.140.4	clean
27.113.12.88 whois	GREEN CABLE TELEVISION STATION	27.113.12.88	clean
4.222.27.244 whois	LEVEL3	4.222.27.244	clean
38.189.76.249 whois	COGENT-174	38.189.76.249	clean
201.150.207.129 whois	Uninet S.A. de C.V.	201.150.207.129	clean
1.102.136.178 whois	Korea Telecom	1.102.136.178	clean
115.244.115.106 whois		115.244.115.106	clean
2.163.223.45 whois	Deutsche Telekom AG	2.163.223.45	clean
25.84.217.99 whois		25.84.217.99	clean
24.172.253.152 whois	TWC-11426-CAROLINAS	24.172.253.152	clean
42.112.20.235 whois	The Corporation for Financing & Promoting Technology	42.112.20.235	clean
115.84.224.134 whois	Eastern Telecoms Phils., Inc.	115.84.224.134	clean
140.31.88.22 whois	DNIC-AS-00668	140.31.88.22	clean
8.169.215.91 whois		8.169.215.91	clean
13.74.229.29 whois	MICROSOFT-CORP-MSN-AS-BLOCK	13.74.229.29	clean
128.233.155.218 whois	USASK	128.233.155.218	clean
146.126.109.119 whois	SOUTHERNET	146.126.109.119	clean
175.12.116.69 whois	Chinanet	175.12.116.69	clean
106.223.123.110 whois	Bharti Airtel Ltd. AS for GPRS Service	106.223.123.110	clean
112.67.207.134 whois	Chinanet	112.67.207.134	clean
210.227.49.7 whois	NTT Communications Corporation	210.227.49.7	clean
97.83.231.200 whois	CHARTER-20115	97.83.231.200	clean
36.212.222.1 whois	China TieTong Telecommunications Corporation	36.212.222.1	clean
85.186.143.96 whois	Liberty Global B.V.	85.186.143.96	clean
158.98.68.190 whois		158.98.68.190	clean
151.54.15.78 whois	Wind Tre S.p.A.	151.54.15.78	clean
58.92.93.63 whois	NTT Communications Corporation	58.92.93.63	clean
2.234.62.253 whois	Fastweb	2.234.62.253	clean
143.174.212.143 whois		143.174.212.143	clean
217.127.210.223 whois	Telefonica De Espana	217.127.210.223	clean
152.193.215.77 whois	UUNET	152.193.215.77	clean
1.134.59.210 whois	Telstra Corporation Ltd	1.134.59.210	clean
9.222.201.130 whois		9.222.201.130	clean
175.159.207.52 whois	City University of Hong Kong	175.159.207.52	clean
214.87.183.115 whois	DNIC-ASBLK-00721-00726	214.87.183.115	clean
49.120.193.76 whois	China Education and Research Network Center	49.120.193.76	clean
107.168.169.39 whois		107.168.169.39	clean
202.39.99.72 whois	SYSTEX CORPORATION	202.39.99.72	clean
137.34.21.147 whois		137.34.21.147	clean
72.40.166.12 whois		72.40.166.12	clean
210.196.151.158 whois	KDDI CORPORATION	210.196.151.158	clean
113.7.79.147 whois	CHINA UNICOM China169 Backbone	113.7.79.147	clean
58.109.137.171 whois	Microplex PTY LTD	58.109.137.171	clean
81.156.161.135 whois	British Telecommunications PLC	81.156.161.135	clean
180.86.236.186 whois	China Networks Inter-Exchange	180.86.236.186	clean
16.147.234.174 whois		16.147.234.174	clean
33.160.49.115 whois		33.160.49.115	clean
161.169.77.217 whois	WAL-MART	161.169.77.217	clean
87.34.160.163 whois	HEAnet	87.34.160.163	clean
139.82.22.164 whois	Fundacao Carlos Chagas Filho de Amparo a Pesquisa	139.82.22.164	clean
97.215.96.42 whois	CELLCO-PART	97.215.96.42	clean
187.250.234.39 whois	Uninet S.A. de C.V.	187.250.234.39	clean
60.91.244.88 whois	Softbank BB Corp.	60.91.244.88	clean
118.237.162.242 whois	So-net Entertainment Corporation	118.237.162.242	clean
186.230.1.64 whois	TIM S/A	186.230.1.64	clean
9.113.227.157 whois		9.113.227.157	clean
177.237.160.208 whois	Cablemas Telecomunicaciones SA de CV	177.237.160.208	clean
83.230.31.82 whois	Obsluga pc P.Dudzinski P.Jablonski P.Ral. B.Miller s.c.	83.230.31.82	clean
8.40.42.238 whois	LEVEL3	8.40.42.238	clean
57.49.213.154 whois		57.49.213.154	clean
139.140.208.251 whois	BOWDOIN	139.140.208.251	clean
16.121.228.245 whois		16.121.228.245	clean
160.247.155.231 whois	Research Organization of Information and Systems, National Institute of Informatics	160.247.155.231	clean
44.176.131.220 whois	UCSD	44.176.131.220	clean
151.61.224.48 whois	Wind Tre S.p.A.	151.61.224.48	clean
129.80.108.100 whois		129.80.108.100	clean
50.245.163.96 whois	COMCAST-7922	50.245.163.96	clean
217.182.82.84 whois	OVH SAS	217.182.82.84	clean
145.123.81.38 whois	SURFnet bv	145.123.81.38	clean
74.116.212.20 whois	MIDFLORIDA-AS	74.116.212.20	clean
49.108.172.222 whois	NTT DOCOMO, INC.	49.108.172.222	clean
206.52.50.126 whois	NTT-COMMUNICATIONS-2914	206.52.50.126	clean
9.200.59.79 whois		9.200.59.79	clean
217.107.190.73 whois	Rostelecom	217.107.190.73	clean
114.88.227.84 whois	China Telecom (Group)	114.88.227.84	clean
39.118.127.58 whois	SK Broadband Co Ltd	39.118.127.58	clean
55.188.217.27 whois	DNIC-ASBLK-00306-00371	55.188.217.27	clean
36.86.173.1 whois	PT Telekomunikasi Indonesia	36.86.173.1	clean
165.206.64.84 whois	ICN-AS	165.206.64.84	clean
44.163.61.12 whois	UCSD	44.163.61.12	clean
194.179.152.182 whois	Planet Service Srl	194.179.152.182	clean
106.137.220.27 whois	KDDI CORPORATION	106.137.220.27	clean
34.146.29.121 whois		34.146.29.121	clean
49.36.212.11 whois	Reliance Jio Infocomm Limited	49.36.212.11	clean
6.64.206.97 whois		6.64.206.97	clean
135.152.65.5 whois		135.152.65.5	clean
76.233.240.43 whois	ATT-INTERNET4	76.233.240.43	clean
210.137.18.3 whois	Research Organization of Information and Systems, National Institute of Informatics	210.137.18.3	clean
43.104.48.198 whois		43.104.48.198	clean
124.143.107.116 whois	Jupiter Telecommunication Co. Ltd	124.143.107.116	clean
172.93.221.30 whois	xTom	172.93.221.30	clean
54.26.7.216 whois		54.26.7.216	clean
223.101.12.77 whois	China Mobile communications corporation	223.101.12.77	clean
90.185.247.142 whois	Tele Danmark	90.185.247.142	clean
29.11.232.5 whois		29.11.232.5	clean
138.169.142.42 whois	DNIC-ASBLK-00721-00726	138.169.142.42	clean
157.20.140.153 whois		157.20.140.153	clean
82.193.248.177 whois	e.discom Telekommunikation GmbH	82.193.248.177	clean
46.135.202.156 whois	Vodafone Czech Republic a.s.	46.135.202.156	clean
11.222.177.15 whois		11.222.177.15	clean
104.168.212.46 whois	HOSTWINDS	104.168.212.46	clean

Suricata ids

PE API

IAT(Import Address Table) Library

USER32.dll
0x420178 MessageBoxW
0x42017c MessageBoxA
KERNEL32.dll
0x420000 SystemTimeToTzSpecificLocalTime
0x420004 DecodePointer
0x420008 GetLastError
0x42000c SetDllDirectoryW
0x420010 GetModuleFileNameW
0x420014 GetProcAddress
0x420018 GetCommandLineW
0x42001c GetEnvironmentVariableW
0x420020 SetEnvironmentVariableW
0x420024 ExpandEnvironmentStringsW
0x420028 GetTempPathW
0x42002c WaitForSingleObject
0x420030 Sleep
0x420034 GetExitCodeProcess
0x420038 CreateProcessW
0x42003c GetStartupInfoW
0x420040 LoadLibraryExW
0x420044 GetShortPathNameW
0x420048 FormatMessageW
0x42004c LoadLibraryA
0x420050 MultiByteToWideChar
0x420054 WideCharToMultiByte
0x420058 SetEndOfFile
0x42005c HeapReAlloc
0x420060 UnhandledExceptionFilter
0x420064 SetUnhandledExceptionFilter
0x420068 GetCurrentProcess
0x42006c TerminateProcess
0x420070 IsProcessorFeaturePresent
0x420074 QueryPerformanceCounter
0x420078 GetCurrentProcessId
0x42007c GetCurrentThreadId
0x420080 GetSystemTimeAsFileTime
0x420084 InitializeSListHead
0x420088 IsDebuggerPresent
0x42008c GetModuleHandleW
0x420090 RtlUnwind
0x420094 SetLastError
0x420098 EnterCriticalSection
0x42009c LeaveCriticalSection
0x4200a0 DeleteCriticalSection
0x4200a4 InitializeCriticalSectionAndSpinCount
0x4200a8 TlsAlloc
0x4200ac TlsGetValue
0x4200b0 TlsSetValue
0x4200b4 TlsFree
0x4200b8 FreeLibrary
0x4200bc GetCommandLineA
0x4200c0 ReadFile
0x4200c4 CreateFileW
0x4200c8 GetDriveTypeW
0x4200cc GetFileType
0x4200d0 CloseHandle
0x4200d4 PeekNamedPipe
0x4200d8 RaiseException
0x4200dc FileTimeToSystemTime
0x4200e0 GetFullPathNameW
0x4200e4 GetFullPathNameA
0x4200e8 CreateDirectoryW
0x4200ec RemoveDirectoryW
0x4200f0 FindClose
0x4200f4 FindFirstFileExW
0x4200f8 FindNextFileW
0x4200fc SetStdHandle
0x420100 SetConsoleCtrlHandler
0x420104 DeleteFileW
0x420108 GetStdHandle
0x42010c WriteFile
0x420110 ExitProcess
0x420114 GetModuleHandleExW
0x420118 GetACP
0x42011c HeapFree
0x420120 HeapAlloc
0x420124 GetConsoleMode
0x420128 ReadConsoleW
0x42012c SetFilePointerEx
0x420130 GetConsoleCP
0x420134 CompareStringW
0x420138 LCMapStringW
0x42013c GetCurrentDirectoryW
0x420140 FlushFileBuffers
0x420144 SetEnvironmentVariableA
0x420148 GetFileAttributesExW
0x42014c IsValidCodePage
0x420150 GetOEMCP
0x420154 GetCPInfo
0x420158 GetEnvironmentStringsW
0x42015c FreeEnvironmentStringsW
0x420160 GetStringTypeW
0x420164 GetProcessHeap
0x420168 WriteConsoleW
0x42016c GetTimeZoneInformation
0x420170 HeapSize
WS2_32.dll
0x420184 ntohl

EAT(Export Address Table) is none

Report - Video.scr

Signature (19cnts)

Rules (13cnts)

Network (113cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure