Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.20 01:09
setup.exe
09.20 11:09
3uTools.exe
09.20 11:09
66ecb4573225b_vsbhfdg1...
09.20 10:09
66ecb452ba19c_sfbdsgfd...
09.20 10:09
66ecb44c35444_vfdhsgdf...
09.20 10:09
66ec0e61998bf_setup30.exe
09.20 10:09
66ebf725efe38_lyla.exe
09.20 10:09
Desktop_Explorer.exe
09.20 10:09
66ec3528901bb_winupdat...
09.20 10:09
Inquiry-Dubai.js

Latest News
09.20 03:09
스타일러스·따뜻한동행, 장애인 위한 '동...
09.20 03:09
[PASCON 2024-영상] 굿모닝아이...
09.20 03:09
Critical Ivanti Cloud ...
09.20 03:09
SOOSAN INT Product Sec...
09.20 02:09
Inside a Portable Sate...
09.20 02:09
리튬포어스, 카카오프렌즈 ‘휴대용 미니 ...
09.20 02:09
제이피에스코스메틱 선형훈 대표이사, 산업...
09.20 02:09
Fence Agents Remediati...
09.20 01:09
재능넷, AI 기반 시각화 전문 지식 서...
09.20 01:09
[PASCON 2024-영상] 카스퍼스키...

Summary | ZeroBOX

PubSafe.rar

KeyLogger Escalate priviledges AntiDebug AntiVM

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 17, 2021, 1:43 p.m.	June 17, 2021, 1:48 p.m.

Size	334.3KB
Type	RAR archive data, v5
MD5	`2e7e9709f9538f01e3761efba44c7c1e`
SHA256	`dd6233b52f5605232b3228ef44b01b5267e8038a7b1b5afd3dca37387c5bd1fe`
CRC32	`E2F94582`
ssdeep	`6144:Tf+TYSd+lvSbABYw+G42i7d3UAVqPPvUY8t19MIiXGiyR5TigwM5G6gb0CvUudGF:r+S6G42k3TNi2iyb2qW0gwSOL`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "VvKKGm" C:\Users\test22\AppData\Local\Temp\PubSafe.rar
3324
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\PubSafe.rar"
  5292

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 17, 2021, 1:43 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 17, 2021, 1:43 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 17, 2021, 1:43 p.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 17, 2021, 1:43 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Escalate priviledges				rule	Escalate_priviledges
description	Run a KeyLogger				rule	KeyLogger
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

MicroWorld-eScan	Trojan.GenericKD.33547074
FireEye	Trojan.GenericKD.33547074
CAT-QuickHeal	Trojan.IGENERIC
McAfee	Artemis!2E7E9709F953
Sangfor	Malware
Arcabit	Trojan.Generic.D1FFE342
Avast	Win32:Malware-gen
BitDefender	Trojan.GenericKD.33547074
Emsisoft	Trojan.GenericKD.33547074 (B)
Comodo	Malware@#1gat2ztkrdye3
Invincea	heuristic
Ikarus	Trojan.MSIL.Confuser
Cyren	W32/Zbot.AQ.gen!Eldorado
Antiy-AVL	Trojan/MSIL.Revenge
Microsoft	Trojan:Win32/Occamy.C
AegisLab	Trojan.ZIP.Generic.4!c
GData	Trojan.GenericKD.33547074
BitDefenderTheta	Gen:NN.ZemsilF.34132.hu0@amwcJPb
ALYac	Trojan.GenericKD.33547074
VBA32	CIL.HeapOverride.Heur
SentinelOne	DFI - Malicious Archive
Fortinet	PossibleThreat
AVG	Win32:Malware-gen