Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 4, 2021, 6:18 p.m.	May 4, 2021, 6:22 p.m.

Size	335.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`62c0acfc18a80a6132a3e8d8baacc90a`
SHA256	`e371264367bd07e03b5ccb18c60859ded59c7ec201adc8d3eecc07f6afa0eb0c`
CRC32	`747156BB`
ssdeep	`6144:1PXUDKRpBfseCNcSi0U0rgQAwhtrRLsdv2MXiXEqZx:mDKRDEeCnpUkgtwXryJLSUqf`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

win32.exe "C:\Users\test22\AppData\Local\Temp\win32.exe"
3324
- win32.exe "C:\Users\test22\AppData\Local\Temp\win32.exe"
  7724

Name	Response	Post-Analysis Lookup
dyjcgvdfgdzgzdzzf.cf	A 104.21.21.140 A 172.67.199.26	104.21.21.140

IP Address	Status	Action
104.21.21.140	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:57660 -> 164.124.101.2:53	2025107	ET INFO DNS Query for Suspicious .cf Domain	Potentially Bad Traffic
TCP 192.168.56.102:49811 -> 104.21.21.140:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49811 -> 104.21.21.140:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49814 -> 104.21.21.140:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49811 -> 104.21.21.140:80	2025103	ET INFO HTTP POST Request to Suspicious *.cf Domain	Potentially Bad Traffic
TCP 192.168.56.102:49814 -> 104.21.21.140:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49809 -> 104.21.21.140:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49814 -> 104.21.21.140:80	2025103	ET INFO HTTP POST Request to Suspicious *.cf Domain	Potentially Bad Traffic
TCP 192.168.56.102:49809 -> 104.21.21.140:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49809 -> 104.21.21.140:80	2025103	ET INFO HTTP POST Request to Suspicious *.cf Domain	Potentially Bad Traffic
TCP 192.168.56.102:49811 -> 104.21.21.140:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.102:49814 -> 104.21.21.140:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.102:49811 -> 104.21.21.140:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 192.168.56.102:49814 -> 104.21.21.140:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 192.168.56.102:49809 -> 104.21.21.140:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.102:49809 -> 104.21.21.140:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 104.21.21.140:80 -> 192.168.56.102:49814	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected
TCP 192.168.56.102:49813 -> 104.21.21.140:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49813 -> 104.21.21.140:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49813 -> 104.21.21.140:80	2025103	ET INFO HTTP POST Request to Suspicious *.cf Domain	Potentially Bad Traffic
TCP 192.168.56.102:49813 -> 104.21.21.140:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.102:49813 -> 104.21.21.140:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 104.21.21.140:80 -> 192.168.56.102:49813	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameA May 4, 2021, 6:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 4, 2021, 6:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2021, 6:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2021, 6:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2021, 6:18 p.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 4, 2021, 6:18 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, HTTP version 1.0 used

suspicious_request

POST http://dyjcgvdfgdzgzdzzf.cf/Bn3/fre.php

Performs some HTTP requests (1 event)

request

POST http://dyjcgvdfgdzgzdzzf.cf/Bn3/fre.php

Sends data using the HTTP POST Method (1 event)

request

POST http://dyjcgvdfgdzgzdzzf.cf/Bn3/fre.php

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 4, 2021, 6:18 p.m.	process_identifier: 3324 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW May 4, 2021, 6:18 p.m.	number_of_free_clusters: 3246486 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW May 4, 2021, 6:18 p.m.	number_of_free_clusters: 3246486 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (19 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsnFF79.tmp\j1e003.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsnFF79.tmp\j1e003.dll

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW May 4, 2021, 6:18 p.m.	newfilepath_r: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe flags: 1 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\win32.exe newfilepath: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe oldfilepath: C:\Users\test22\AppData\Local\Temp\win32.exe	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 4, 2021, 6:18 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Harvests credentials from local FTP client softwares (22 events)

file	C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\test22\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Program Files (x86)\FileZilla\Filezilla.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry	HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry	HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry	HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_CURRENT_USER\Software\Martin Prikryl
registry	HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
FireEye	Generic.mg.62c0acfc18a80a61
McAfee	Artemis!62C0ACFC18A8
Symantec	Packed.Generic.604
APEX	Malicious
Avast	FileRepMetagen [Malware]
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
Paloalto	generic.ml
AegisLab	Trojan.Multi.Generic.4!c
Ikarus	Trojan.NSIS.Agent
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/Injector.AHL!tr
AVG	FileRepMetagen [Malware]
CrowdStrike	win/malicious_confidence_60% (D)

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\78.4.0 (ko)\Main
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3324 called NtSetContextThread to modify thread in remote process 7724
NtSetContextThread May 4, 2021, 6:18 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000208 process_identifier: 7724	1	0	0

Putty Files, Registry Keys and/or Mutexes Detected

win32.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All