Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe
11.13 02:11
nb.exe
11.13 02:11
svcyr.exe
11.13 02:11
Ghost_1.5.11.5.exe
11.13 02:11
PowderGpl.exe
11.13 02:11
goodlabel%E6%89%93%E5%...

Latest News
11.14 02:11
Mozilla security advis...
11.14 02:11
Sandvine Seeks a Lifel...
11.14 02:11
Google Chrome security...
11.14 02:11
Ivanti security adviso...
11.14 02:11
Telecom Italia Debt Go...
11.14 02:11
Wrap Up the Year with ...
11.14 02:11
November Patch Tuesday...
11.14 02:11
Upwind closes $100M in...
11.14 02:11
Trinseo's Tammy Klotz:...
11.14 02:11
Syxsense's Mary Yang: ...

Summary | ZeroBOX

czech.sct

Malicious Packer

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 2, 2021, 4:13 p.m.	April 2, 2021, 4:15 p.m.

Size	296.8KB
Type	XML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`2bac0d6502283b9906426e9f0df35283`
SHA256	`099826ec7f90522461f106cc0ebd39519e9e4a70bd48c320aa2e955322ffa923`
CRC32	`9773F080`
ssdeep	`6144:RMgPlxu6nTZBTl8OgMRzbqoZcOo322piqtBzAtThpmzzzKdiiH:RMgPu6nlB5vRzbHlC2qikapmznKdBH`
Yara	Malicious_Packer_Zero - Malicious Packer anti_vm_detect - Possibly employs anti-virtualization techniques

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "xwrnZovaBGfrxEn" C:\Users\test22\AppData\Local\Temp\czech.sct
2388
- notepad.exe "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\test22\AppData\Local\Temp\czech.sct"
  2244

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 2, 2021, 4:13 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 2, 2021, 4:13 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a62000 process_handle: 0xffffffff	1	0	0

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Baidu	VBS.Trojan-Dropper.Agent.ap
ESET-NOD32	JS/TrojanDropper.Agent.OFU
ClamAV	Xml.Malware.Squiblydoo-6728833-0
Kaspersky	HEUR:Trojan.Script.Generic
NANO-Antivirus	Trojan.Script.Heuristic-js.iacgm
Avira	HTML/Crypted.Gen
Microsoft	Exploit:Win32/ShellCode!ml
Cynet	Malicious (score: 85)
Rising	Dropper.Agent/JS!1.D49D (CLASSIC)

Yara rule detected in process memory (12 events)

description	Take screenshot				rule	screenshot
description	Affect system registries				rule	win_registry
description	Affect system token				rule	win_token
description	Affect private profile				rule	win_files_operation
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2388 resumed a thread in remote process 2244
NtResumeThread April 2, 2021, 4:13 p.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2244	1	0	0