Summary | ZeroBOX

kill.exe

APT Armageddon WinRAR AntiDebug PE File OS Processor Check PE32 AntiVM
Category FILE
Machine s1_win7_x6401
Started June 24, 2021, 10 a.m.
Completed June 24, 2021, 10:08 a.m.
Size 310.3KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6084f2e484d7ae81d35dff0aa576c546
SHA256 398fbc32bcff625f8396c4b666972ea78fe5bd892a26a2cfd665de44ca768c09
CRC32 6969D47D
ssdeep 6144:OoNm+qJezPbYhYInTUaWSFrJdMaiGwWK2X+t4p7JBp:ONpszYhvXWSVJdMaeb2X+t4RJBp
PDB Path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • Win32_WinRAR_SFX_Zero - Win32 WinRAR SFX

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
195.133.40.220 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW
computer_name: TEST22-PC
status: 1  return: 1  repeated: 0
Time & API Arguments Status Return Repeated

WriteConsoleW
buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0>
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: del
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: "C:\Users\test22\AppData\Local\Temp\dwm.exe"
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\dwm.exe
console_handle: 0x0000000b
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0>
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: del
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: "C:\Users\test22\AppData\Local\Temp\WD.exe"
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: Could Not Find C:\Users\test22\AppData\Local\Temp\WD.exe
console_handle: 0x0000000b
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0>
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: del
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: "C:\Users\test22\AppData\Local\dwm.exe"
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: Could Not Find C:\Users\test22\AppData\Local\dwm.exe
console_handle: 0x0000000b
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0>
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: del
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: "C:\Users\test22\AppData\Local\WD.exe"
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: Could Not Find C:\Users\test22\AppData\Local\WD.exe
console_handle: 0x0000000b
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0>
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: del
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: "C:\Users\test22\AppData\Roaming\WD.exe"
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: Could Not Find C:\Users\test22\AppData\Roaming\WD.exe
console_handle: 0x0000000b
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0>
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: del
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: "C:\Users\test22\AppData\Roaming\dwm.exe"
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

WriteConsoleW
buffer: Could Not Find C:\Users\test22\AppData\Roaming\dwm.exe
console_handle: 0x0000000b
status: 1  return: 1  repeated: 0
pdb_path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
section .didat
resource name PNG
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
process_identifier: 1896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728c2000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory
process_identifier: 1556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728c2000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory
process_identifier: 2044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728c2000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW
total_number_of_free_bytes: 13727068160
free_bytes_available: 13727068160
root_path: C:\
total_number_of_bytes: 34252779520
status: 1  return: 1  repeated: 0
file C:\Users\test22\AppData\Local\Temp\RarSFX0\run.vbs
file C:\Users\test22\AppData\Local\Temp\RarSFX0\del.bat
file C:\Users\test22\AppData\Local\Temp\RarSFX0\kill.vbs
file C:\Users\test22\AppData\Local\Temp\RarSFX0\run.vbs
wmi Select * from Win32_Process Where Name = 'dwm.exe' OR Name = 'WD.exe'
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
host 195.133.40.220
file C:\Users\test22\AppData\Local\Temp\RarSFX0\run.vbs
parent_process wscript.exe martian_process kill.vbs
parent_process wscript.exe martian_process "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\RarSFX0\kill.vbs"
parent_process wscript.exe martian_process del.bat
parent_process wscript.exe martian_process "C:\Users\test22\AppData\Local\Temp\RarSFX0\del.bat"
Process injection Process 1896 resumed a thread in remote process 1556
Time & API Arguments Status Return Repeated

NtResumeThread
thread_handle: 0x000002fc
suspend_count: 1
process_identifier: 1556
status: 1  return: 0  repeated: 0
file C:\Windows\SysWOW64\wscript.exe
Bkav W32.AIDetect.malware2
MicroWorld-eScan Trojan.GenericKD.37048829
FireEye Trojan.GenericKD.37048829
CAT-QuickHeal Trojan.Agent
McAfee Artemis!6084F2E484D7
Cylance Unsafe
Sangfor Riskware.Win32.Wacapew.C
Arcabit Trojan.Generic.D23551FD
APEX Malicious
Avast Win32:Malware-gen
BitDefender Trojan.GenericKD.37048829
AegisLab Trojan.Win32.Generic.4!c
Ad-Aware Trojan.GenericKD.37048829
Emsisoft Trojan.GenericKD.37048829 (B)
McAfee-GW-Edition BehavesLike.Win32.Generic.fh
MAX malware (ai score=83)
Microsoft Trojan:Win32/Caynamer.A!ml
GData Win32.Trojan.BSE.96XFQO
Cynet Malicious (score: 100)
ALYac Trojan.GenericKD.37048829
TrendMicro-HouseCall TROJ_GEN.R011H09F921
MaxSecure Trojan.Malware.300983.susgen
AVG Win32:Malware-gen