Summary | ZeroBOX

NewRat.exe

Tags Antivirus, OS Processor Check, PE32, PE File
Category FILE
Machine s1_win7_x6402
Started June 14, 2021, 1:41 p.m.
Completed June 14, 2021, 1:55 p.m.
Size 332.4KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 23ff29e277ce2e65001613c8f79f96dd
SHA256 a93c6922e26b1a9a9df022a5d5b85b11b84f2b83413f42851ac6ba0141228839
CRC32 7C4BBDA5
ssdeep 6144:4I0UZgbiyX3FZIRECe5iRA+MOZaWsqirkvOmGBN6IL1Q6xPue77l:lZgIRY5IA+PZasiLbMqQg2et
Yara
  • PE_Header_Zero - PE File Signature
  • Antivirus - Contains references to security software
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)

DNS lookups (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP Address Status Action
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
89.40.73.43 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section tjcfklp
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
New_kernel32_CreateProcessInternalW@48+0x185 New_kernel32_CreateRemoteThread@28-0x16b @ 0x729b7747
CreateProcessW+0x2c CreateProcessA-0x9 kernel32+0x11069 @ 0x75731069
PathResolve+0x122a SHSetInstanceExplorer-0x11f7 shell32+0x155c1 @ 0x758455c1
ShellExecuteExW+0xd94 SHGetNameFromIDList-0x7e76 shell32+0x22bda @ 0x75852bda
PathResolve+0x102e SHSetInstanceExplorer-0x13f3 shell32+0x153c5 @ 0x758453c5
SHCreateShellItemArrayFromShellItem+0x76e OpenRegStream-0x995 shell32+0x2f6b1 @ 0x7585f6b1
PathResolve+0x685 SHSetInstanceExplorer-0x1d9c shell32+0x14a1c @ 0x75844a1c
SHCreateShellItemArrayFromShellItem+0x7f0 OpenRegStream-0x913 shell32+0x2f733 @ 0x7585f733
PathResolve+0x7cc SHSetInstanceExplorer-0x1c55 shell32+0x14b63 @ 0x75844b63
ShellExecuteExW+0x41a SHGetNameFromIDList-0x87f0 shell32+0x22260 @ 0x75852260
ShellExecuteExW+0x541 SHGetNameFromIDList-0x86c9 shell32+0x22387 @ 0x75852387
IUnknown_QueryService+0x15a SHCreateThread-0x1b4 shlwapi+0x143c0 @ 0x74ce43c0
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: cd 2e 83 f8 00 7c 19 60 e8 00 00 00 00 8b 54 24
exception.instruction: int 0x2e
exception.instruction_decoded: int 0x2e; cmp eax, 0; jl +0x19; pushad; call $+5; mov edx, [esp+...] (int 0x2e is the legacy x86 system-call gate, a direct system call that does not pass through the ntdll stubs the sandbox hooks; call $+5 is the get-EIP idiom of position-independent code)
exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION)
exception.symbol: (unresolved)
exception.address: 0x7efa664b
registers.esp: 37811536 (0x0240f550)
registers.edi: 8958768
registers.eax: 170 (0xaa, the system-service index passed to int 0x2e)
registers.ebp: 37813196
registers.edx: 37811548 (esp+12, the argument pointer passed to int 0x2e)
registers.ebx: 0
registers.esi: 8961848
registers.ecx: 68
1 0 0

__exception__

stacktrace:
New_kernel32_CreateProcessInternalW@48+0x185 New_kernel32_CreateRemoteThread@28-0x16b @ 0x729b7747
CreateProcessInternalA+0x123 SetConsoleMode-0x1a3 kernel32+0x2a5da @ 0x7574a5da
CreateProcessA+0x2c Sleep-0x61 kernel32+0x1109e @ 0x7573109e
newratmgr+0x126a @ 0x40126a
newratmgr+0x2c7d @ 0x402c7d
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: cd 2e 83 f8 00 7c 19 60 e8 00 00 00 00 8b 54 24
exception.instruction: int 0x2e (same instruction bytes and fault address as the first exception; eax = 0xaa and edx = esp+12 again, this time reached from newratmgr+0x126a via CreateProcessA)
exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION)
exception.symbol: (unresolved)
exception.address: 0x7efa664b
registers.esp: 1636004
registers.edi: 5178010
registers.eax: 170
registers.ebp: 1637664
registers.edx: 1636016
registers.ebx: 0
registers.esi: 5188096
registers.ecx: 68
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3236
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3236
region_size: 118784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 372736 (0x5b000)
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000 (the default PE32 image base, so this covers the process's own mapped image)
process_handle: 0xffffffff (current process)
1 0 0

NtProtectVirtualMemory

process_identifier: 3236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 45056 (0xb000)
protection: 3758096448 (0xe0000040: the sandbox decodes only the low byte, PAGE_EXECUTE_READWRITE; the bits 0xe0000000 are not defined page-protection flags, so the call is rejected)
base_address: 0x00416000
process_handle: 0xffffffff
status failed, return 3221225541 (0xc0000045, STATUS_INVALID_PAGE_PROTECTION), repeated 0

NtProtectVirtualMemory

process_identifier: 3236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 3221225536 (0xc0000040: again PAGE_EXECUTE_READWRITE in the low byte with undefined bits 0xc0000000 set)
base_address: 0x00421000
process_handle: 0xffffffff
status failed, return 3221225541 (0xc0000045, STATUS_INVALID_PAGE_PROTECTION), repeated 0

NtProtectVirtualMemory

process_identifier: 3236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773bf000 (ntdll+0x1f000: the stack traces place ntdll+0x39ed2 at 0x773d9ed2, so ntdll is loaded at 0x773a0000; making one of its pages writable and executable is consistent with in-place patching of ntdll)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773bf000 (the same ntdll+0x1f000 page as the earlier call)
process_handle: 0xffffffff
1 0 0
resource name RT_VERSION language LANG_CHINESE sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00017130 size 0x000002f0 filetype SysEx File - IDP (a libmagic guess; an RT_VERSION resource is a VS_VERSIONINFO block, not MIDI SysEx data)
file C:\Users\test22\AppData\Local\Temp\NewRatmgr.exe
Time & API Arguments Status Return Repeated

CreateServiceA

service_start_name: (none, so the service runs as LocalSystem)
start_type: 2 (SERVICE_AUTO_START)
password:
display_name: Abcdef Hijklmno Qrstuvwx Abcd
filepath: C:\Windows\System32\fgdnec.exe
service_name: Abcdef Hijklmno Qrs
filepath_r: C:\Windows\system32\fgdnec.exe
desired_access: 983551 (0xf01ff, SERVICE_ALL_ACCESS)
service_handle: 0x00860ce8
error_control: 0 (SERVICE_ERROR_IGNORE)
service_type: 16 (SERVICE_WIN32_OWN_PROCESS)
service_manager_handle: 0x00860d88
1 8785128 0 (return 8785128 = 0x00860ce8, the service handle above)
file C:\Users\test22\AppData\Local\Temp\NewRatmgr.exe
section .text virtual_address 0x00018000 virtual_size 0x00022000 size_of_data 0x00022000 entropy 7.9056 description A section with a high entropy has been found
section .text virtual_address 0x0003b000 virtual_size 0x0001b000 size_of_data 0x0001b000 entropy 7.8879 description A section with a high entropy has been found
(two sections carry the name .text; both are near the 8.0 maximum, i.e. packed or encrypted data)
entropy 0.7439 description Overall entropy of this PE file is high
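The entropy and section-name hits above come from static checks on the section table. The following is an added example, not ZeroBOX's own code: it parses a PE section table with only the standard library, computes per-section Shannon entropy, and flags high entropy, duplicated section names and names outside the usual set. Since the sample itself is not available, it runs on a minimal PE image constructed inline that mirrors the report's layout (two sections named .text holding packed-looking data plus one called tjcfklp). The 7.4 threshold and the list of expected names are this example's assumptions.

```python
"""Section checks of the kind behind the report's entropy and section-name hits.

Added example, not part of ZeroBOX or of the sample. SAMPLE is a constructed
PE image; HIGH_ENTROPY and COMMON_NAMES are assumptions of this example.
"""
import math
import struct

HIGH_ENTROPY = 7.4          # assumed threshold; 8.0 is the maximum for bytes
COMMON_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                ".edata", ".pdata", ".bss", ".tls", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_address": va, "virtual_size": vsize,
                         "data": pe[rptr:rptr + rsize]})
    return sections


def check_sections(pe: bytes) -> list[str]:
    """Return one finding per high-entropy, unusual or duplicated section."""
    findings, seen = [], {}
    for s in parse_sections(pe):
        ent = shannon_entropy(s["data"])
        if ent > HIGH_ENTROPY:
            findings.append(f"high entropy {ent:.2f} in {s['name']!r} at RVA {s['virtual_address']:#x}")
        if s["name"] not in COMMON_NAMES:
            findings.append(f"unusual section name {s['name']!r}")
        if s["name"] in seen:
            findings.append(f"duplicate section name {s['name']!r} "
                            f"(RVA {seen[s['name']]:#x} and {s['virtual_address']:#x})")
        seen.setdefault(s["name"], s["virtual_address"])
    return findings


def build_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Build a minimal PE32 with the given (name, raw data) sections.
    Only the fields parse_sections reads are meaningful; the rest are zero."""
    opt_size, file_align = 224, 0x200
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    hdr_end = (headers_len + file_align - 1) // file_align * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    table, body, va = bytearray(), bytearray(), 0x1000
    for name, data in sections:
        raw_len = (len(data) + file_align - 1) // file_align * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             raw_len, hdr_end + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_len, b"\0")
        va += (len(data) + 0xFFF) // 0x1000 * 0x1000
    image = dos + b"PE\0\0" + coff + opt + table
    return bytes(image.ljust(hdr_end, b"\0") + body)


# Constructed image mirroring the report: two ".text" sections of packed-looking
# (maximum-entropy) data and one section with a random-looking name.
SAMPLE = build_pe([
    (b".text", bytes(range(256)) * 32),
    (b".text", bytes(range(255, -1, -1)) * 16),
    (b"tjcfklp", b"\0" * 4096),
])

if __name__ == "__main__":
    for line in check_sections(SAMPLE):
        print(line)
```

The duplicate-name check matters here because the report lists two .text sections at different RVAs; a linker emits one, so a second is a sign something was appended to the file.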
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 172.217.25.14
host 89.40.73.43
service_name Abcdef Hijklmno Qrs service_path C:\Windows\System32\fgdnec.exe
regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Abcdef Hijklmno Qrs\Description
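The memory, service and privilege calls listed above are the kind of records a triage rule set runs over. The following is an added example, not ZeroBOX's code and not part of the report: it re-encodes the pid 3236 calls shown above as constructed records, decodes protection values properly (which is what shows why two NtProtectVirtualMemory calls returned 0xc0000045 although the sandbox labelled them PAGE_EXECUTE_READWRITE), and flags executable allocations, executable protection changes over the image and over pages the process never allocated (the ntdll page in this report), the auto-start service in System32, and the privilege probes. The 0x400000 image base and the rules themselves are this example's assumptions.

```python
"""Triage rules over ZeroBOX/Cuckoo-style API-call records.

Added example, not part of the ZeroBOX report or the sandbox. REPORT_CALLS is
constructed by hand from the values shown on the page for pid 3236, in report
order; IMAGE_BASE and the rules are this example's assumptions.
"""
from dataclasses import dataclass

PAGE_FLAGS = {  # winnt.h page-protection constants
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
EXEC_BITS = 0x10 | 0x20 | 0x40 | 0x80
STATUS_INVALID_PAGE_PROTECTION = 0xC0000045
CURRENT_PROCESS = 0xFFFFFFFF  # pseudo-handle; injection would show a real handle
IMAGE_BASE = 0x400000         # assumed: the default PE32 image base


def decode_protection(value: int) -> tuple[str, bool]:
    """Name every bit of a protection value and report whether it is valid.

    A valid value has exactly one base protection in the low byte plus optional
    GUARD/NOCACHE/WRITECOMBINE bits. The sandbox prints only the low byte, so
    0xE0000040 appears on the page as plain PAGE_EXECUTE_READWRITE although
    the kernel rejected it with STATUS_INVALID_PAGE_PROTECTION.
    """
    names = [n for bit, n in PAGE_FLAGS.items() if value & bit]
    undefined = value & 0xFFFFF800          # anything above the defined bits
    if undefined:
        names.append(f"undefined:{undefined:#010x}")
    valid = bin(value & 0xFF).count("1") == 1 and undefined == 0
    return "|".join(names) or "none", valid


@dataclass
class Call:
    api: str
    args: dict
    ret: int = 0   # NTSTATUS / return value as shown in the report


def triage(calls: list[Call], image_base: int = IMAGE_BASE) -> list[str]:
    """Return one finding per rule hit, in call order (privilege summary last)."""
    findings: list[str] = []
    owned: list[tuple[int, int]] = []   # regions this process allocated itself
    privs: set[str] = set()
    for c in calls:
        a = c.args
        if c.api == "NtAllocateVirtualMemory":
            label, _ = decode_protection(a["protection"])
            if a["protection"] & EXEC_BITS:
                where = ("self" if a["process_handle"] == CURRENT_PROCESS
                         else f"pid {a['process_identifier']}")
                findings.append(f"executable allocation {label}, {a['region_size']:#x} bytes "
                                f"at {a['base_address']:#x} in {where}")
            owned.append((a["base_address"], a["region_size"]))
        elif c.api == "NtProtectVirtualMemory":
            label, valid = decode_protection(a["protection"])
            base = a["base_address"]
            if not valid or c.ret == STATUS_INVALID_PAGE_PROTECTION:
                findings.append(f"invalid protection {a['protection']:#x} ({label}) "
                                f"at {base:#x}, NTSTATUS {c.ret:#x}")
            elif a["protection"] & EXEC_BITS:
                if base == image_base:
                    target = "own image base"
                elif any(b <= base < b + s for b, s in owned):
                    target = "own allocation"
                else:
                    target = "region the process did not allocate (loaded-module page?)"
                findings.append(f"{label} over {a['length']:#x} bytes at {base:#x}: {target}")
        elif c.api == "CreateServiceA":
            if a["start_type"] == 2 and "\\system32\\" in a["filepath"].lower():
                findings.append(f"auto-start service {a['service_name']!r} -> {a['filepath']}")
        elif c.api == "LookupPrivilegeValueW":
            privs.add(a["privilege_name"])
    sensitive = privs & {"SeDebugPrivilege", "SeBackupPrivilege",
                         "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}
    if sensitive:
        findings.append("looks up sensitive privileges: " + ", ".join(sorted(sensitive)))
    return findings


def alloc(base, size, prot=0x40):
    return Call("NtAllocateVirtualMemory", dict(process_identifier=3236, base_address=base,
                region_size=size, protection=prot, process_handle=CURRENT_PROCESS))


def protect(base, length, prot=0x40, ret=0):
    return Call("NtProtectVirtualMemory", dict(base_address=base, length=length, protection=prot), ret)


# Constructed from the page's pid 3236 entries, in report order.
REPORT_CALLS = [
    alloc(0x3b0000, 0x1000), alloc(0x3c0000, 0xC000), alloc(0x3d0000, 0x1D000),
    protect(0x400000, 0x5B000),
    protect(0x416000, 0xB000, 0xE0000040, STATUS_INVALID_PAGE_PROTECTION),
    protect(0x421000, 0x1000, 0xC0000040, STATUS_INVALID_PAGE_PROTECTION),
    protect(0x400000, 0x1000), protect(0x773bf000, 0x1000),
    alloc(0x4b0000, 0x1000), protect(0x4b0000, 0x1000), protect(0x773bf000, 0x1000),
    Call("CreateServiceA", dict(service_name="Abcdef Hijklmno Qrs", start_type=2,
                                service_type=16, filepath=r"C:\Windows\System32\fgdnec.exe")),
] + [Call("LookupPrivilegeValueW", dict(privilege_name=p)) for p in
     ("SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege", "SeDebugPrivilege")]

if __name__ == "__main__":
    for line in triage(REPORT_CALLS):
        print(line)
```

Running it on the constructed records yields thirteen findings; the two "invalid protection" lines are the calls the page shows returning 3221225541, and the two "region the process did not allocate" lines are the 0x773bf000 page, which the stack traces place inside ntdll.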
Vendor Detection
Bkav W32.Tmgrtext.PE
Elastic malicious (high confidence)
DrWeb Trojan.AVKill.63055
MicroWorld-eScan Generic.ServStart.A.05DA2309
FireEye Generic.mg.23ff29e277ce2e65
CAT-QuickHeal W32.Ramnit.BA
ALYac Generic.ServStart.A.05DA2309
Cylance Unsafe
Zillya Virus.Nimnul.Win32.1
Sangfor Win.Trojan.Ramnit-1847
K7AntiVirus Trojan ( 0051b1671 )
K7GW Trojan ( 0051b1671 )
Cybereason malicious.277ce2
BitDefenderTheta AI:FileInfector.9425D5100E
Cyren W32/Ramnit.B!Generic
Symantec W32.Ramnit.B!inf
ESET-NOD32 Win32/Ramnit.H
APEX Malicious
Avast Win32:RmnDrp [Inf]
ClamAV Win.Trojan.Ramnit-1847
Kaspersky Virus.Win32.Nimnul.a
BitDefender Generic.ServStart.A.05DA2309
NANO-Antivirus Virus.Win32.Nimnul.bqjjnb
ViRobot Win32.Nimnul.A
Tencent Virus.Win32.Nimnul.f
Ad-Aware Generic.ServStart.A.05DA2309
TACHYON Virus/W32.Ramnit
Emsisoft Generic.ServStart.A.05DA2309 (B)
Comodo Virus.Win32.Ramnit.K@37eb7u
Baidu Win32.Virus.Nimnul.a
VIPRE Virus.Win32.Ramnit.b (v)
TrendMicro PE_RAMNIT.DEN
McAfee-GW-Edition BehavesLike.Win32.Ramnit.fc
CMC Virus.Win32.Ramit.1!O
Sophos ML/PE-A + W32/Ramnit-A
Ikarus Backdoor.Win32.Inject
GData Win32.Virus.Nimnul.A
Jiangmin Win32/IRCNite.wi
eGambit Unsafe.AI_Score_100%
Avira W32/Ramnit.C
Antiy-AVL Trojan/Generic.ASVirus.1EB
Gridinsoft Trojan.Win32.Malex.dd!n
Arcabit Generic.ServStart.A.05DA2309
Microsoft Virus:Win32/Ramnit.J
Cynet Malicious (score: 100)
AhnLab-V3 Win32/Ramnit.G
Acronis suspicious
McAfee W32/Ramnit.a
MAX malware (ai score=84)
VBA32 Virus.Win32.Nimnul.b