Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 25, 2021, 9:57 a.m.	June 25, 2021, 10:54 a.m.

Size	524.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`5a4161dea2860628bfb4498095861d2a`
SHA256	`9ffd17a68654d3474794940762417fe1bc39a5ea87ce5877daa135ac783273e8`
CRC32	`8D68B06E`
ssdeep	`3072:jLk395hYXJ3eTPVrgtmiok+HmdrdoMHMVbrHfNW8aBtnH9iOS+V1zPtfaBlkPhHR:jQqULVrgNJ1sRHfNzaBy41z1fbjP1tt`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

fcrtrtosk.exe "C:\Users\test22\AppData\Local\Temp\fcrtrtosk.exe"
7180
- fcrtrtosk.exe "C:\Users\test22\AppData\Local\Temp\fcrtrtosk.exe"
  2864

Name	Response	Post-Analysis Lookup
houseluxury-re.ch	A 80.88.87.243	80.88.87.243

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
80.88.87.243	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 25, 2021, 9:57 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 25, 2021, 9:57 a.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 25, 2021, 9:57 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://houseluxury-re.ch/toskulo/PL341/index.php

Performs some HTTP requests (2 events)

request	POST http://houseluxury-re.ch/toskulo/PL341/index.php
request	GET http://houseluxury-re.ch/cgi-sys/suspendedpage.cgi

Sends data using the HTTP POST Method (1 event)

request

POST http://houseluxury-re.ch/toskulo/PL341/index.php

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory June 25, 2021, 9:57 a.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745e4000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 25, 2021, 9:57 a.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745d4000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 25, 2021, 9:57 a.m.	process_identifier: 7180 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 56385 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00676fd8 process_handle: 0xffffffff		3221225477

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nstFE20.tmp\System.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nstFE20.tmp\System.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW June 25, 2021, 9:57 a.m.	snapshot_handle: 0x000001cc process_name: mobsync.exe process_identifier: 3268	1	1
Process32NextW June 25, 2021, 9:57 a.m.	snapshot_handle: 0x000001cc process_name: pw.exe process_identifier: 5952	1	1
Process32NextW June 25, 2021, 9:57 a.m.	snapshot_handle: 0x000001cc process_name: taskhost.exe process_identifier: 5568	1	1
Process32NextW June 25, 2021, 9:57 a.m.	snapshot_handle: 0x000001cc process_name: conhost.exe process_identifier: 4944	1	1

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 7180 called NtSetContextThread to modify thread in remote process 2864
NtSetContextThread June 25, 2021, 9:57 a.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4302468 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001e4 process_identifier: 2864	1	0	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

DrWeb	Trojan.Loader.843
MicroWorld-eScan	Gen:Variant.Bulz.522931
FireEye	Gen:Variant.Bulz.522931
CAT-QuickHeal	Trojan.Injects
ALYac	Gen:Variant.Bulz.522931
Cylance	Unsafe
Sangfor	Riskware.Win32.Agent.ky
K7AntiVirus	Trojan ( 0057e2dc1 )
Alibaba	Trojan:Win32/FormBook.5a31e2a5
K7GW	Trojan ( 0057e2dc1 )
Cyren	W32/Ninjector.J.gen!Camelot
Symantec	Packed.Generic.610
ESET-NOD32	NSIS/Injector.AMJ
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Trojan.Tnega-9874034-0
Kaspersky	HEUR:Trojan.Win32.Injects.gen
BitDefender	Gen:Variant.Bulz.522931
Ad-Aware	Gen:Variant.Bulz.522931
Emsisoft	Gen:Variant.Bulz.522931 (B)
Comodo	Malware@#dd96r0bpc22x
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R049C0DFK21
McAfee-GW-Edition	RDN/Generic Dropper
Sophos	Mal/Generic-S
Avira	TR/AD.MoksSteal.fkvqr
MAX	malware (ai score=88)
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/FormBook.AM!MTB
Gridinsoft	Trojan.Win32.Downloader.sa
Arcabit	Trojan.Bulz.D7FAB3
AegisLab	Trojan.Win32.Injects.4!c
GData	Gen:Variant.Bulz.522931
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Tnega.R426262
McAfee	RDN/Generic Dropper
VBA32	BScope.Trojan-Dropper.Injector
Malwarebytes	Spyware.LokiBot
TrendMicro-HouseCall	TROJ_GEN.R049C0DFK21
Rising	Trojan.Injector/NSIS!1.D743 (CLASSIC)
Fortinet	W32/Kryptik.J!tr
Webroot	W32.Malware.Gen
AVG	Win32:Malware-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)

fcrtrtosk.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All