Report - ZeroBOX

ScreenShot

Info
Location map


Created	2024.07.01 09:23	Machine	s1_win7_x6401
Filename	wmi.jpg.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score	8	Behavior Score	11.2
ZERO API	file : malware
VT API (file)	60 detected (AIDetectMalware, Farfli, malicious, moderate confidence, Mint, Zard, Aksula, Artemis, Unsafe, Save, Attribute, HighConfidence, score, Zegost, CLOUD, Siggen28, R002C0DFL24, Real Protect, moderate, Behav, hoagb, Detected, c@4m3x9i, KillAV, Eldorado, R582744, BScope, TrojanDDoS, Macri, Gencirc, GenAsa, RYgRsdEvgeU, ai score=88, confidence, 100%, Parite)
md5	3d3aedfaeaf39544ff74fe6fe4541fc2
sha256	d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71
ssdeep	768:XQ7R4nqTvoV22QbyMhOk9w+wRGtVEhq8C5eIdp5b4Fk0v5za:w4nVV22Q+mO0wrwVEUdpaFjv5G
imphash	9aebf3da4677af9275c461261e5abde3
impfuzzy	3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRGUq:dBJAEoZ/OEGDzyRs

Network IP location

Signature (21cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger	File has been identified by 60 AntiVirus engines on VirusTotal as malicious
warning	Generates some ICMP traffic
watch	Communicates with host for which no DNS query was performed
watch	Connects to an IRC server
watch	Installs itself for autorun at Windows startup
watch	Operates on local firewall's policies and settings
notice	A process created a hidden window
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Connects to a Dynamic DNS Domain
notice	Creates a service
notice	Creates executable files on the filesystem
notice	Foreign language identified in PE resource
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	The binary likely contains encrypted or compressed data indicative of a packer
notice	The executable is compressed using UPX
notice	Uses Windows utilities for basic Windows functionality
info	Checks amount of memory in system
info	Command line console output was observed

Rules (4cnts)

Level	Name	Description	Collection
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (38cnts) ?

Request	ASN Co	IP4	ZERO ?
http://down.ftp21.cc/Update.txt whois	Korea Telecom	119.203.212.165	clean
http://ssl.ftp21.cc/445.jpg whois	Petersburg Internet Network ltd.	31.184.207.62	clean
http://43.198.152.240:8080/api/node/ip_validate whois		43.198.152.240	clean
http://118.184.169.48/dyndns/getip whois	AS Number for CHINANET jiangsu province backbone	118.184.169.48	clean
http://download.microsoft.com/download/E/4/1/E4173890-A24A-4936-9FC9-AF930FE3FA40/NDP461-KB3102436-x86-x64-AllOS-ENU.exe whois	AKAMAI-AS	23.63.210.18	clean
http://hook.ftp21.cc/MpMgSvc.dll whois	SK Broadband Co Ltd	211.108.60.155	clean
http://45.113.194.127/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8 whois	Beijing Baidu Netcom Science and Technology Co., Ltd.	45.113.194.127	clean
http://hook.ftp21.cc/MpMgSvc.jpg whois	SK Broadband Co Ltd	211.108.60.155	clean
http://hook.ftp21.cc/Hooks.jpg whois	SK Broadband Co Ltd	211.108.60.155	clean
http://hook.ftp21.cc/64.jpg whois	SK Broadband Co Ltd	211.108.60.155	clean
gtxvdqvuweqs.com whois		16.162.201.176	clean
members.3322.org whois	AS Number for CHINANET jiangsu province backbone	118.184.169.48	clean
ipv6-api.iproyal.com whois			clean
down.ftp21.cc whois	Korea Telecom	119.203.212.165	malware
download.microsoft.com whois	AKAMAI-AS	23.199.6.55	clean
hook.ftp21.cc whois	SK Broadband Co Ltd	211.108.60.155	clean
api6.my-ip.io whois			clean
unixtime.org whois	CLOUDFLARENET	172.67.175.23	clean
www.362-com.com whois	SK Broadband Co Ltd	1.226.84.135	clean
web.362-com.com whois	SK Broadband Co Ltd	110.11.158.238	clean
opendata.baidu.com whois	Beijing Baidu Netcom Science and Technology Co., Ltd.	45.113.194.127	clean
www.4i7i.com whois	SK Broadband Co Ltd	1.226.84.135	clean
api.iproyal.com whois	Melbikomas UAB	93.189.62.83	clean
ssl.ftp21.cc whois	Petersburg Internet Network ltd.	31.184.207.62	malware
172.67.175.23 whois	CLOUDFLARENET	172.67.175.23	clean
93.189.62.83 whois	Melbikomas UAB	93.189.62.83	clean
31.184.207.62 whois	Petersburg Internet Network ltd.	31.184.207.62	malware
193.228.196.69 whois	Clouvider Limited	193.228.196.69	clean
211.108.60.155 whois	SK Broadband Co Ltd	211.108.60.155	clean
43.198.152.240 whois		43.198.152.240	clean
45.113.194.127 whois	Beijing Baidu Netcom Science and Technology Co., Ltd.	45.113.194.127	clean
16.162.201.176 whois		16.162.201.176	clean
1.226.84.135 whois	SK Broadband Co Ltd	1.226.84.135	clean
51.161.196.188 whois		51.161.196.188	clean
104.78.73.222 whois	AKAMAI-AS	104.78.73.222	clean
118.184.169.48 whois	AS Number for CHINANET jiangsu province backbone	118.184.169.48	clean
110.11.158.238 whois	SK Broadband Co Ltd	110.11.158.238	clean
119.203.212.165 whois	Korea Telecom	119.203.212.165	malware

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
0x41f494 LoadLibraryA
0x41f498 ExitProcess
0x41f49c GetProcAddress
0x41f4a0 VirtualProtect
MSVCRT.dll
0x41f4a8 exit

EAT(Export Address Table) is none

Report - wmi.jpg.exe

Signature (21cnts)

Rules (4cnts)

Network (38cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure