Report - ZeroBOX

ScreenShot

Info
Location map


Created	2024.07.01 09:23	Machine	s1_win7_x6402
Filename	TQ.jpg.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score	8	Behavior Score	9.4
ZERO API	file : malware
VT API (file)	55 detected (AIDetectMalware, Scar, lpjJ, malicious, moderate confidence, score, Genasom, Babar, Unsafe, Save, CryptoMiner, CVE-2021-1675, Attribute, HighConfidence, CoinMiner, HackTool, JAYPOTATO, Tiggre, JuicyPotato, kpccps, CLOUD, AGEN, Siggen28, Real Protect, high, WinGo, Ranumbot, Detected, Blamon, MUPX, Gen@24tbus, 11N2JTZ, ABRisk, POED, ZexaF, qmKfa89emHkb, BScope, BlackMoon, BitCoinMiner, YXEFVZ, Gencirc, ai score=73, AZID, confidence, 100%)
md5	f9f5342074462fa1048fea806eef535f
sha256	5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd
ssdeep	6144:r+k9IKKJPa1DyKHC055swEUkezQ12rqyFWaiwV:ik9IKKJip9C0kmzQ12rqyQaX
imphash	3b3dc2709d13b6bbe20eb1df71d207fa
impfuzzy	6:omRgslyP1BJAEoZ/OEGDzyRMb2oNfxAdYgbXmJJcn:omRgtVABZG/DzZNJ45bX+O

Network IP location

Signature (16cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger	File has been identified by 55 AntiVirus engines on VirusTotal as malicious
warning	Disables Windows Security features
warning	Generates some ICMP traffic
watch	Communicates with host for which no DNS query was performed
watch	Connects to an IRC server
notice	Connects to a Dynamic DNS Domain
notice	Creates executable files on the filesystem
notice	Drops an executable to the user AppData folder
notice	Foreign language identified in PE resource
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
notice	Searches running processes potentially to identify processes for sandbox evasion
notice	The binary likely contains encrypted or compressed data indicative of a packer
notice	The executable is compressed using UPX
info	The executable uses a known packer

Rules (15cnts)

Level	Name	Description	Collection
danger	Win32_Trojan_Emotet_1_Zero	Win32 Trojan Emotet	binaries (download)
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
warning	Generic_Malware_Zero	Generic Malware	binaries (upload)
watch	Antivirus	Contains references to security software	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (download)
watch	Network_Downloader	File Downloader	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (download)
info	IsDLL	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	IsPE64	(no description)	binaries (download)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (30cnts) ?

Request	ASN Co	IP4	ZERO ?
http://118.184.169.48/dyndns/getip whois	AS Number for CHINANET jiangsu province backbone	118.184.169.48	clean
http://45.113.194.189/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8 whois	Beijing Baidu Netcom Science and Technology Co., Ltd.	45.113.194.189	clean
http://ssl.ftp21.cc/MpMgDLL.jpg whois	G-Core Labs S.A.	92.223.61.30	clean
http://ssl.ftp21.cc/MpMgSvc.jpg whois	G-Core Labs S.A.	92.223.61.30	clean
http://down.ftp21.cc/64.jpg whois	Korea Telecom	119.203.212.165	clean
http://ssl.ftp21.cc/Hooks.jpg whois	G-Core Labs S.A.	92.223.61.30	clean
http://download.microsoft.com/download/E/4/1/E4173890-A24A-4936-9FC9-AF930FE3FA40/NDP461-KB3102436-x86-x64-AllOS-ENU.exe whois	AKAMAI-AS	23.199.6.55	clean
http://down.ftp21.cc/Update.txt whois	Korea Telecom	119.203.212.165	clean
gtxvdqvuweqs.com whois		16.162.201.176	clean
members.3322.org whois	AS Number for CHINANET jiangsu province backbone	118.184.169.48	clean
ipv6-api.iproyal.com whois			clean
down.ftp21.cc whois	Korea Telecom	119.203.212.165	malware
download.microsoft.com whois	AKAMAI-AS	23.199.6.55	clean
www.362-com.com whois	SK Broadband Co Ltd	1.226.84.135	clean
www.4i7i.com whois	SK Broadband Co Ltd	1.226.84.135	clean
opendata.baidu.com whois	Beijing Baidu Netcom Science and Technology Co., Ltd.	45.113.194.189	clean
web.362-com.com whois	SK Broadband Co Ltd	110.11.158.238	clean
api.iproyal.com whois	Clouvider Limited	193.228.196.69	clean
ssl.ftp21.cc whois	Petersburg Internet Network ltd.	31.184.207.62	malware
23.219.69.110 whois	CLARO S.A.	23.219.69.110	clean
31.184.207.62 whois	Petersburg Internet Network ltd.	31.184.207.62	malware
193.228.196.69 whois	Clouvider Limited	193.228.196.69	clean
45.113.194.189 whois	Beijing Baidu Netcom Science and Technology Co., Ltd.	45.113.194.189	clean
16.162.201.176 whois		16.162.201.176	clean
1.226.84.135 whois	SK Broadband Co Ltd	1.226.84.135	clean
31.222.226.20 whois		31.222.226.20	clean
18.163.3.159 whois	AMAZON-02	18.163.3.159	clean
118.184.169.48 whois	AS Number for CHINANET jiangsu province backbone	118.184.169.48	clean
110.11.158.238 whois	SK Broadband Co Ltd	110.11.158.238	clean
119.203.212.165 whois	Korea Telecom	119.203.212.165	malware

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
0x4ce3f4 RegCloseKey
COMCTL32.dll
0x4ce3fc None
GDI32.dll
0x4ce404 Escape
KERNEL32.DLL
0x4ce40c LoadLibraryA
0x4ce410 ExitProcess
0x4ce414 GetProcAddress
0x4ce418 VirtualProtect
SHELL32.dll
0x4ce420 None
SHLWAPI.dll
0x4ce428 PathFileExistsA
USER32.dll
0x4ce430 GetDC
WINSPOOL.DRV
0x4ce438 ClosePrinter

EAT(Export Address Table) is none

Report - TQ.jpg.exe

Signature (16cnts)

Rules (15cnts)

Network (30cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure