Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.22 06:09
audiodg.exe
09.22 06:09
psfod.exe
09.22 06:09
73EtsZxIoDetWTu.exe
09.22 06:09
otqp9.exe
09.22 06:09
xx.exe
09.22 06:09
fck.exe
09.22 06:09
LummaC222222.exe
09.22 06:09
seethebestwayforunders...
09.22 06:09
Name.exe
09.22 06:09
needmoney.exe

Latest News
09.23 02:09
파수, 데이터 보호 넘어 AI 활용한 인...
09.23 02:09
Brass Propeller Gets I...
09.23 01:09
트리니티소프트, 애플리케이션 보안 분야에...
09.23 01:09
텔레그램 사용자 정책 위반 사칭 피싱 사...
09.23 01:09
SKYBOX 통합보안위험관리 솔루션, 다...
09.23 12:09
카스퍼스키, 클라우드·엔드포인트·OT 보...
09.22 11:09
Lula Seeks to Lead Pus...
09.22 11:09
Emoji-Erweiterung: Ach...
09.22 11:09
Slack wird noch smarte...
09.22 11:09
지란지교데이터, 개인정보 비식별화와 AI...

Summary | ZeroBOX

czech.sct

Malicious Packer

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 2, 2021, 4:13 p.m.	April 2, 2021, 4:15 p.m.

Size	296.8KB
Type	XML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`2bac0d6502283b9906426e9f0df35283`
SHA256	`099826ec7f90522461f106cc0ebd39519e9e4a70bd48c320aa2e955322ffa923`
CRC32	`9773F080`
ssdeep	`6144:RMgPlxu6nTZBTl8OgMRzbqoZcOo322piqtBzAtThpmzzzKdiiH:RMgPu6nlB5vRzbHlC2qikapmznKdBH`
Yara	Malicious_Packer_Zero - Malicious Packer anti_vm_detect - Possibly employs anti-virtualization techniques

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "xwrnZovaBGfrxEn" C:\Users\test22\AppData\Local\Temp\czech.sct
2388
- notepad.exe "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\test22\AppData\Local\Temp\czech.sct"
  2244

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 2, 2021, 4:13 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 2, 2021, 4:13 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a62000 process_handle: 0xffffffff	1	0	0

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Baidu	VBS.Trojan-Dropper.Agent.ap
ESET-NOD32	JS/TrojanDropper.Agent.OFU
ClamAV	Xml.Malware.Squiblydoo-6728833-0
Kaspersky	HEUR:Trojan.Script.Generic
NANO-Antivirus	Trojan.Script.Heuristic-js.iacgm
Avira	HTML/Crypted.Gen
Microsoft	Exploit:Win32/ShellCode!ml
Cynet	Malicious (score: 85)
Rising	Dropper.Agent/JS!1.D49D (CLASSIC)

Yara rule detected in process memory (12 events)

description	Take screenshot				rule	screenshot
description	Affect system registries				rule	win_registry
description	Affect system token				rule	win_token
description	Affect private profile				rule	win_files_operation
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2388 resumed a thread in remote process 2244
NtResumeThread April 2, 2021, 4:13 p.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2244	1	0	0