Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 18, 2021, 9:11 a.m.	May 18, 2021, 9:13 a.m.

Size	704.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b749832e5d6ebfc73a61cde48a1b890b`
SHA256	`b88584dde985bb05eef183a2f339bef9ebdf7adf3b7ce58a71e78e638e6a2123`
CRC32	`FC62E983`
ssdeep	`12288:Qe/S3sCPfhmxjjpmt0OlIheYbJAvSq8ZlUfMcZMSIP/LWvHR+NN8xTm/+jK02:NeSot0jTFAvS7ZufMcZMT/6p+NqG+l`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Device_Check_Zero - Device Check Zero Process_Snapshot_Kill_Zero - Process Kill Zero

setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
3024
- cmd.exe cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\setup.exe"
  2056
  - PING.EXE ping 1.1.1.1 -n 1 -w 3000
    1204

Name	Response	Post-Analysis Lookup
www.wws23dfwe.com	A 45.76.53.14	45.76.53.14

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.76.53.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 18, 2021, 9:11 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.txet

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header				suspicious_request	POST http://www.wws23dfwe.com/index.php/api/a
suspicious_features	POST method with no referer header				suspicious_request	POST http://www.wws23dfwe.com/index.php/api/fb

Performs some HTTP requests (2 events)

request	POST http://www.wws23dfwe.com/index.php/api/a
request	POST http://www.wws23dfwe.com/index.php/api/fb

Sends data using the HTTP POST Method (2 events)

request	POST http://www.wws23dfwe.com/index.php/api/a
request	POST http://www.wws23dfwe.com/index.php/api/fb

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data1-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data1-journal

Creates a suspicious process (1 event)

cmdline

cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\setup.exe"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\setup.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 18, 2021, 9:11 a.m.	thread_identifier: 1304 thread_handle: 0x000001e8 process_identifier: 2056 current_directory: filepath: track: 1 command_line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\setup.exe" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001fc	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\test22\AppData\Local\Temp\setup.exe"
cmdline	ping 1.1.1.1 -n 1 -w 3000

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\setup.exe

Queries information on disks, possibly for anti-virtualization (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile May 18, 2021, 9:11 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x00000130 filepath: \??\PhysicalDrive0 desired_access: 0x00100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 0 (FILE_SUPERSEDED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0	0
DeviceIoControl May 18, 2021, 9:11 a.m.	input_buffer: control_code: 2954240 () device_handle: 0x00000130 output_buffer: (§	1	1	0

Generates some ICMP traffic

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoader36.56045
MicroWorld-eScan	Trojan.GenericKD.46059276
FireEye	Generic.mg.b749832e5d6ebfc7
CAT-QuickHeal	Trojanspy.Fbkatz
ALYac	Trojan.GenericKD.46059276
Malwarebytes	Spyware.PasswordStealer
Zillya	Trojan.Agent.Win32.1847063
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Password-Stealer ( 00574a681 )
Alibaba	TrojanPSW:Win32/Fbkatz.eccee4f1
K7GW	Password-Stealer ( 00574a681 )
CrowdStrike	win/malicious_confidence_100% (W)
BitDefenderTheta	Gen:NN.ZexaF.34688.SyW@a8vNCahi
Cyren	W32/Trojan.JZYZ-8481
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/PSW.Agent.OLD
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Malware.Fbkatz-9833093-0
Kaspersky	HEUR:Trojan-Spy.Win32.Fbkatz.vho
BitDefender	Trojan.GenericKD.46059276
NANO-Antivirus	Trojan.Win32.Fbkatz.iiwijl
Paloalto	generic.ml
ViRobot	Trojan.Win32.Z.Fbkatz.721408.G
Rising	Spyware.Fbkatz!8.11E4A (CLOUD)
Ad-Aware	Trojan.GenericKD.46059276
Sophos	Mal/Generic-S
Comodo	Malware@#2bxdjvt9lhg8v
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R06CC0PCN21
McAfee-GW-Edition	BehavesLike.Win32.Generic.bh
Emsisoft	Trojan-PSW.Agent (A)
SentinelOne	Static AI - Suspicious PE
Jiangmin	TrojanSpy.Fbkatz.g
Webroot	W32.Gen.BT
Avira	HEUR/AGEN.1138963
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Generic.ASMalwS.3127A11
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)
Microsoft	Trojan:Win32/Glupteba!ml
Gridinsoft	Trojan.Win32.Agent.vb
AegisLab	Trojan.Win32.Fbkatz.l!c
GData	Trojan.GenericKD.46059276
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win.Reputation.R414663
McAfee	GenericRXNE-CG!B749832E5D6E
VBA32	BScope.TrojanSpy.Fbkatz
Cylance	Unsafe

setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All