Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.19 02:09
66ea645129e6a_jacobs.exe
09.19 11:09
clip64.dll
09.19 11:09
cred64.dll
09.19 10:09
vsfdajg16.exe
09.19 10:09
QuickBooks_Setup.msi
09.19 10:09
QuickBooks_Desktop_Set...
09.19 10:09
game.exe
09.19 10:09
vlsadg.exe
09.19 10:09
lnfsda.exe
09.19 10:09
66eaadab755d2_installs...

Latest News
09.20 03:09
Bridge Detection Gaps ...
09.20 03:09
02 - Performing Basic ...
09.20 03:09
Exploiting Exchange Po...
09.20 03:09
KI in Hollywood: Wie L...
09.20 03:09
Google: PIN-Schutz für...
09.20 03:09
Chrome-Update für Work...
09.20 03:09
Attacker or IT admin? ...
09.20 03:09
EU’s Von der Leyen Ple...
09.20 02:09
Threat Intelligence Sn...
09.20 02:09
Compliance webinar ser...

Summary | ZeroBOX

1204431452_50619973.rar

KeyLogger Escalate priviledges AntiDebug AntiVM

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 24, 2021, 10:03 a.m.	June 24, 2021, 10:07 a.m.

Size	1.0MB
Type	RAR archive data, v4, os: Win32
MD5	`5c6b2a4b4311244fb91f48c4215775df`
SHA256	`6e5165730710a6940576cfef59a1c726d97c01ae7fa8241ef3ed41fcc6964f70`
CRC32	`21D4472F`
ssdeep	`24576:XRVwqlMORzrckZGISfmN6hUk/DtW0LeySEOC8qhjzffhXpHpSiV7:gqlMOikZGIH6hv/Dw0L1SEOyjb1x7`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "sQTTsPuKjNkrbIS" C:\Users\test22\AppData\Local\Temp\1204431452_50619973.rar
3324
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\1204431452_50619973.rar"
  4356

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 24, 2021, 10:03 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 24, 2021, 10:03 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 24, 2021, 10:03 a.m.	process_identifier: 4356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 24, 2021, 10:03 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Escalate priviledges				rule	Escalate_priviledges
description	Run a KeyLogger				rule	KeyLogger
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

FireEye	Trojan.Dialer.VWK
CAT-QuickHeal	Trojan.Generic.19504
McAfee	GenericRXLN-OC!FE447708F398
Zillya	Trojan.Dialer.Win32.2012
Sangfor	Malware
Arcabit	Trojan.Dialer.VWK
Baidu	Multi.Threats.InArchive
Cyren	W32/SYStroj.G.gen!Eldorado
Symantec	Trojan.Gen.NPE
ESET-NOD32	multiple detections
TrendMicro-HouseCall	DIAL_DIALER.DR
Avast	Win32:Dialer-BIA [Trj]
ClamAV	Win.Trojan.Dialer-2598
Kaspersky	Rootkit.Win32.Ressdt.hd
BitDefender	Trojan.Dialer.VWK
NANO-Antivirus	Trojan.Win32.Ressdt.saqen
ViRobot	Trojan.Win32.S.Agent.1087762
Tencent	Malware.Win32.Gencirc.10b64e2c
Emsisoft	Trojan.Dialer.VWK (B)
Comodo	TrojWare.Win32.Dialer.~BE@wg8a
F-Secure	Trojan.TR/Rootkit.Gen
DrWeb	Trojan.NtRootKit.12107
TrendMicro	DIAL_DIALER.DR
McAfee-GW-Edition	BehavesLike.PUPXAB.tc
Sophos	Troj/Agent-GTW
Jiangmin	Trojan/Dialer.ezo
Avira	TR/Rootkit.Gen
MAX	malware (ai score=100)
Antiy-AVL	Trojan[Rootkit]/Win32.Ressdt
Kingsoft	Win32.Heur.KVMF00.hy.(kcloud)
Microsoft	Backdoor:WinNT/Farfli.E!sys
AegisLab	Trojan.Win32.Ressdt.5!c
ZoneAlarm	Rootkit.Win32.Ressdt.hd
GData	Dialer.Generic.41098
Cynet	Malicious (score: 85)
VBA32	TScope.Malware-Cryptor.SB
Rising	Backdoor.Farfli!1.6495 (CLASSIC)
Yandex	Trojan.Dialer!kluzA4RRHYc
Ikarus	Rootkit.Win32.Ressdt
MaxSecure	Trojan.Malware.31385.susgen
Fortinet	W32/Tiny.B!tr.rkit
BitDefenderTheta	AI:Packer.EAA4FEC921
AVG	Win32:Dialer-BIA [Trj]
Panda	Adware/SpywareNo
Qihoo-360	Malware.Radar05.Gen