Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 16, 2021, 10:01 a.m.	June 16, 2021, 10:03 a.m.

Size	268.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`f4d46629ca15313b94992f3798718df7`
SHA256	`0996a8e5ec1a41645309e2ca395d3a6b766a7c52784c974c776f258c1b25a76c`
CRC32	`CA46AC42`
ssdeep	`6144:w33Tn+SJX6hDGRPJNJyPhkK1228jVdXRHZPJwQC8O:w36qRbJyZH1228j/TPu0`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature Lazarus_Zero - Lazarus Generic Malware Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

Winvoke.exe "C:\Users\test22\AppData\Local\Temp\Winvoke.exe"
1896
- rundll32.exe rundll32.exe
  1396
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
mail.namusoft.kr	A 182.162.89.146	182.162.89.146
www.jinjinpig.co.kr	A 222.122.49.28	222.122.49.28

IP Address	Status	Action
164.124.101.2	Active	Moloch
182.162.89.146	Active	Moloch
222.122.49.28	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 16, 2021, 10:01 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 16, 2021, 10:01 a.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 16, 2021, 10:01 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.KDATA

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header				suspicious_request	POST http://www.jinjinpig.co.kr/Anyboard/skin/board.php
suspicious_features	POST method with no referer header				suspicious_request	POST http://mail.namusoft.kr/jsp/user/eam/board.jsp

Performs some HTTP requests (2 events)

request	POST http://www.jinjinpig.co.kr/Anyboard/skin/board.php
request	POST http://mail.namusoft.kr/jsp/user/eam/board.jsp

Sends data using the HTTP POST Method (2 events)

request	POST http://www.jinjinpig.co.kr/Anyboard/skin/board.php
request	POST http://mail.namusoft.kr/jsp/user/eam/board.jsp

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 16, 2021, 10:01 a.m.	process_identifier: 1896 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW June 16, 2021, 10:02 a.m.	total_number_of_free_bytes: 13725528064 free_bytes_available: 13725528064 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Visor 2010 Launcher.lnk

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Visor 2010 Launcher.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Visor 2010 Launcher.lnk

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00024a00', u'virtual_address': u'0x00026000', u'entropy': 7.482003278707654, u'name': u'.KDATA', u'virtual_size': u'0x00024814'}

entropy

7.48200327871

description

A section with a high entropy has been found

entropy

0.547663551402

description

Overall entropy of this PE file is high

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Visor 2010 Launcher.lnk

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

DrWeb	Trojan.Siggen13.12633
CAT-QuickHeal	Trojan.Agent
ALYac	Trojan.Agent.274944L
Malwarebytes	Trojan.NukeSped
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Trojan.Win32.Lazarus.IOC
K7AntiVirus	Trojan ( 0057b8131 )
BitDefender	Gen:Variant.Razy.812381
K7GW	Trojan ( 0057b8131 )
Cybereason	malicious.9ca153
Cyren	W64/Trojan.AVEE-1962
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Win64/NukeSped.HD
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	Trojan.Win32.Agent.xahodw
Alibaba	Trojan:Win32/NukeSped.1ffadbc3
ViRobot	Trojan.Win64.S.Crat.274944
MicroWorld-eScan	Gen:Variant.Razy.812381
Avast	Win64:DropperX-gen [Drp]
Ad-Aware	Gen:Variant.Razy.812381
Emsisoft	Gen:Variant.Razy.812381 (B)
Comodo	Malware@#3ryquvlqv8obx
Zillya	Trojan.Agent.Win32.2020613
TrendMicro	TROJ_FRS.0NA103DT21
McAfee-GW-Edition	BehavesLike.Win64.Generic.dc
FireEye	Generic.mg.f4d46629ca15313b
Sophos	Mal/Generic-S
Avira	TR/NukeSped.fsmds
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Generic.ASMalwS.32DB113
Gridinsoft	Trojan.Win64.Agent.oa
Microsoft	Trojan:Win64/NukeSpeed.MK!MTB
AegisLab	Trojan.Win32.Agent.4!c
ZoneAlarm	Trojan.Win32.Agent.xahodw
GData	Gen:Variant.Razy.812381
AhnLab-V3	Trojan/Win.Akdoor.C4413289
McAfee	RDN/Generic Dropper
VBA32	Trojan.Agent
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_FRS.0NA103DT21
Ikarus	Trojan.Win64.Nukesped
MaxSecure	Trojan.Malware.117268387.susgen
Fortinet	W64/NukeSped.HD!tr
Webroot	W32.Trojan.Gen
AVG	Win64:DropperX-gen [Drp]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)

Winvoke.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All