Report - ZeroBOX

ScreenShot

Info
Location map


Created	2025.03.24 10:22	Machine	s1_win7_x6401
Filename	Zoom.ClientSetup_v0564.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	3	Behavior Score	8.8
ZERO API
VT API (file)	58 detected (AIDetectMalware, Expiro, ConnectWise, Unsafe, Save, Xpiro, Windows, Malicious, Moiva, Virut, bwpxnc, CLASSIC, Infector, moderate, score, Static AI, Malicious PE, edgo, Detected, Sabsik, Eldorado, X2164, Artemis, Movia, M0yv, Moyv, VirMoiva, susgen, FileInfector)
md5	8115c820fc40abb9a7d451dd607ba7dc
sha256	cc0a63ac38d1d2b353c257fbf25dd9f0e15a95ab7ff58ddb40e1ab53c560769a
ssdeep	98304:jEs6efPNwJ4t1h0cG5FGJRPxow8OOD527BWG:gfefPKWh0cGw0VQBWG
imphash	9771ee6344923fa220489ab01239bdfd
impfuzzy	24:Hur+UvYDFMUntMS17hlJeDc+pl39T7oLU0OovbOPZvvQEvTZEQQ:HuCtMS17Oc+pp97N3tRvT6N

Network IP location

+−

Leaflet

Signature (19cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger	File has been identified by 58 AntiVirus engines on VirusTotal as malicious
watch	Communicates with host for which no DNS query was performed
watch	Creates known Upatre files
watch	Looks for the Windows Idle Time to determine the uptime
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates executable files on the filesystem
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Sends data using the HTTP POST Method
notice	The binary likely contains encrypted or compressed data indicative of a packer
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Queries for the computername
info	The file contains an unknown PE resource name possibly indicative of a packer
info	This executable has a PDB path
info	Uses Windows APIs to generate a cryptographic key

Rules (22cnts)

Level	Name	Description	Collection
danger	Win32_Trojan_Emotet_2_Zero	Win32 Trojan Emotet	binaries (download)
danger	Win32_Trojan_Gen_1_0904B0_Zero	Win32 Trojan Emotet	binaries (download)
danger	Win_Backdoor_njRAT_Zero	Win Backdoor njRAT	binaries (upload)
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
warning	Generic_Malware_Zero	Generic Malware	binaries (upload)
watch	Antivirus	Contains references to security software	binaries (upload)
watch	ASPack_Zero	ASPack packed file	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (upload)
info	CAB_file_format	CAB archive file	binaries (upload)
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	IsPE64	(no description)	binaries (download)
info	Microsoft_Office_File_Zero	Microsoft Office File	binaries (upload)
info	OS_Name_Check_Zero	OS Name Check Signature	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (31cnts) ?

Request	ASN Co	IP4
http://knjghuig.biz/de whois	AMAZON-02	13.213.51.196
http://cvgrf.biz/gvhcrnwmlqps whois	AMAZON-02	52.11.240.239
http://ssbzmoy.biz/exchrhxvvknq whois	AMAZON-02	13.213.51.196
http://pywolwnvd.biz/jllmt whois	AMAZON-02	52.11.240.239
http://edgedl.me.gvt1.com/edgedl/release2/update2/iqmnfy5ub2wrt6itb67uu4wcci_1.3.36.372/GoogleUpdateSetup.exe whois	GOOGLE	34.104.35.123
http://npukfztj.biz/ujqpx whois	AMAZON-AES	3.229.117.57
http://pywolwnvd.biz/ohgpjlgpufy whois	AMAZON-02	52.11.240.239
https://update.googleapis.com/service/update2?cup2key=7:2423934905&cup2hreq=2fa50bd21c1078a6ca14d071a0cff2e2cf75a163344e5d3d185a0eb0944a8465 whois	GOOGLE	142.250.198.99
https://update.googleapis.com/service/update2 whois	GOOGLE	142.250.197.3
https://clients2.google.com/service/check2?appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.33.7&applang=&machine=1&version=1.3.33.7&userid=&osversion=6.1&servicepack=Service%20Pack%201 whois	GOOGLE	142.250.71.174
edgedl.me.gvt1.com whois	GOOGLE	34.104.35.123
pywolwnvd.biz whois	AMAZON-02	52.11.240.239
zlenh.biz whois
przvgke.biz whois	LIQUIDWEB	72.52.178.23
lpuegx.biz whois	Vysokie tehnologii Limited Liability Company	82.112.184.197
vjaxhpbji.biz whois	Vysokie tehnologii Limited Liability Company	82.112.184.197
ssbzmoy.biz whois	AMAZON-02	13.213.51.196
npukfztj.biz whois	AMAZON-AES	3.229.117.57
anpmnmxo.biz whois
cvgrf.biz whois	AMAZON-02	52.11.240.239
uhxqin.biz whois
knjghuig.biz whois	AMAZON-02	13.213.51.196
142.250.198.99 whois	GOOGLE	142.250.198.99
142.250.197.3 whois	GOOGLE	142.250.197.3
3.229.117.57 whois	AMAZON-AES	3.229.117.57
52.11.240.239 whois	AMAZON-02	52.11.240.239
13.213.51.196 whois	AMAZON-02	13.213.51.196
82.112.184.197 whois	Vysokie tehnologii Limited Liability Company	82.112.184.197
34.104.35.123 whois	GOOGLE	34.104.35.123
142.250.71.174 whois	GOOGLE	142.250.71.174
72.52.178.23 whois	LIQUIDWEB	72.52.178.23

Suricata ids

PE API

IAT(Import Address Table) Library

mscoree.dll
0x40d134 CorBindToRuntimeEx
KERNEL32.dll
0x40d000 GetModuleFileNameA
0x40d004 DecodePointer
0x40d008 SizeofResource
0x40d00c LockResource
0x40d010 LoadLibraryW
0x40d014 LoadResource
0x40d018 FindResourceW
0x40d01c GetProcAddress
0x40d020 WriteConsoleW
0x40d024 SetFilePointerEx
0x40d028 GetConsoleMode
0x40d02c GetConsoleCP
0x40d030 FlushFileBuffers
0x40d034 HeapReAlloc
0x40d038 HeapSize
0x40d03c UnhandledExceptionFilter
0x40d040 SetUnhandledExceptionFilter
0x40d044 GetCurrentProcess
0x40d048 TerminateProcess
0x40d04c IsProcessorFeaturePresent
0x40d050 QueryPerformanceCounter
0x40d054 GetCurrentProcessId
0x40d058 GetCurrentThreadId
0x40d05c GetSystemTimeAsFileTime
0x40d060 InitializeSListHead
0x40d064 IsDebuggerPresent
0x40d068 GetStartupInfoW
0x40d06c GetModuleHandleW
0x40d070 RtlUnwind
0x40d074 GetLastError
0x40d078 SetLastError
0x40d07c EncodePointer
0x40d080 EnterCriticalSection
0x40d084 LeaveCriticalSection
0x40d088 DeleteCriticalSection
0x40d08c InitializeCriticalSectionAndSpinCount
0x40d090 TlsAlloc
0x40d094 TlsGetValue
0x40d098 TlsSetValue
0x40d09c TlsFree
0x40d0a0 FreeLibrary
0x40d0a4 LoadLibraryExW
0x40d0a8 RaiseException
0x40d0ac GetStdHandle
0x40d0b0 WriteFile
0x40d0b4 CreateFileW
0x40d0b8 MultiByteToWideChar
0x40d0bc WideCharToMultiByte
0x40d0c0 ExitProcess
0x40d0c4 GetModuleHandleExW
0x40d0c8 GetACP
0x40d0cc CloseHandle
0x40d0d0 HeapAlloc
0x40d0d4 HeapFree
0x40d0d8 FindClose
0x40d0dc FindFirstFileExA
0x40d0e0 FindNextFileA
0x40d0e4 IsValidCodePage
0x40d0e8 GetOEMCP
0x40d0ec GetCPInfo
0x40d0f0 GetCommandLineA
0x40d0f4 GetCommandLineW
0x40d0f8 GetEnvironmentStringsW
0x40d0fc FreeEnvironmentStringsW
0x40d100 LCMapStringW
0x40d104 SetStdHandle
0x40d108 GetFileType
0x40d10c GetStringTypeW
0x40d110 GetProcessHeap
OLEAUT32.dll
0x40d118 VariantInit
0x40d11c SafeArrayUnaccessData
0x40d120 SafeArrayCreateVector
0x40d124 SafeArrayDestroy
0x40d128 VariantClear
0x40d12c SafeArrayAccessData

EAT(Export Address Table) is none

Report - Zoom.ClientSetup_v0564.exe

Signature (19cnts)

Rules (22cnts)

Network (31cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure