Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 11, 2021, 12:06 p.m.	June 11, 2021, 12:27 p.m.

Size	3.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`53eb52950fafc1d73f38e6cc298dca5f`
SHA256	`c33aa2c29d7abead0904af661bdc21bffba30b6a472e70c33ca130f1c7d1e331`
CRC32	`B24F3E95`
ssdeep	`49152:gXUIEeZzdeh/c7p1rNdd+JNEj0ykdj21x1YhFlX4bA/Hg/11VzeLG/7wqNKB2VIx:gXrEeZzdhjuV/gd1VzsGUqNKTHvQePR`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description)

MATiXBR.exe "C:\Users\test22\AppData\Local\Temp\MATiXBR.exe"
2696

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
157.90.140.22	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 2696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a62000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 11, 2021, 12:06 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 11, 2021, 12:06 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

157.90.140.22

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 11, 2021, 12:06 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

MATiXBR.exe tried to sleep 19097656 seconds, actually delayed analysis time by 19097653 seconds

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW June 11, 2021, 12:06 p.m.	thread_identifier: 0 callback_function: 0x0050fc98 hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x00000000	1	2621933	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW June 11, 2021, 12:06 p.m.	thread_identifier: 0 callback_function: 0x004cb66b hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	262785	0

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Elastic	malicious (high confidence)
ClamAV	Win.Malware.Mikey-9819889-0
CAT-QuickHeal	Trojan.Cmy3U
McAfee	GenericRXNE-PP!53EB52950FAF
Cylance	Unsafe
Zillya	Trojan.Agent.Win32.1973193
Sangfor	Trojan.Win32.CMY3U.gen
K7AntiVirus	Trojan ( 005690671 )
Alibaba	Backdoor:Win32/ParalaxRat.7cafc070
K7GW	Trojan ( 005690671 )
Cybereason	malicious.50fafc
Arcabit	Trojan.Midie.D13295
Cyren	W32/Trojan.GFY.gen!Eldorado
ESET-NOD32	a variant of Win32/Agent.ACBZ
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.Win32.CMY3U.gen
BitDefender	Gen:Variant.Midie.78485
NANO-Antivirus	Trojan.Win32.Solmyr.iuadjg
Paloalto	generic.ml
ViRobot	Trojan.Win32.Z.Midie.3941888.K
MicroWorld-eScan	Gen:Variant.Midie.78485
Ad-Aware	Gen:Variant.Midie.78485
Emsisoft	Gen:Variant.Midie.78485 (B)
DrWeb	Trojan.Siggen13.7431
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0DEQ21
McAfee-GW-Edition	BehavesLike.Win32.BrowseFox.wh
FireEye	Generic.mg.53eb52950fafc1d7
Ikarus	Trojan.MalPack
Jiangmin	Trojan.Agentb.isv
Avira	HEUR/AGEN.1140205
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Generic.ASMalwS.328CD0E
Kingsoft	Win32.Heur.KVMH017.a.(kcloud)
Gridinsoft	Trojan.Win32.Agent.oa!s1
Microsoft	Backdoor:Win32/ParalaxRat.STD
AegisLab	Trojan.Win32.CMY3U.4!c
GData	Gen:Variant.Midie.78485
AhnLab-V3	Malware/Gen.RL_Reputation.R360869
VBA32	Trojan.CMY3U
ALYac	Gen:Variant.Midie.78485
Malwarebytes	Generic.Trojan.Malicious.DDS
TrendMicro-HouseCall	TROJ_GEN.R002C0DEQ21
Rising	Backdoor.BitRAT!1.CD8B (CLASSIC)
Yandex	Trojan.Agent!YLPV2U5CcAE
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.105460290.susgen
Fortinet	W32/Agent.ACBZ!tr

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (9 events)

dead_host	192.168.56.101:49203
dead_host	192.168.56.101:49202
dead_host	192.168.56.101:49200
dead_host	192.168.56.101:49207
dead_host	192.168.56.101:49206
dead_host	192.168.56.101:49208
dead_host	192.168.56.101:49205
dead_host	192.168.56.101:49204
dead_host	157.90.140.22:55060

MATiXBR.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All