Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 27, 2021, 6:36 p.m.	June 27, 2021, 6:38 p.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fa9e57e5ba3eabc14a769739e1e97322`
SHA256	`cb548b5c9044fe8d194e4a1343085f9fbb8eeb1a270b1a7f23411cc49072dc48`
CRC32	`D73ACA26`
ssdeep	`24576:gjD+bAaMd3REebAaMd3AZwCEqwnMF0pJ6aUBRmAT1ae:gmAaMVRE2AaMVqEqwGAJ6TvmAZL`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
4244
svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkRkyrKOkSUdUU" /XML "C:\Users\test22\AppData\Local\Temp\tmpCFA8.tmp"
8084
- schtasks.exe C:\Windows\System32\schtasks.exe /Create /TN Updates\CkRkyrKOkSUdUU /XML C:\Users\test22\AppData\Local\Temp\tmpCFA8.tmp
  7772

Name	Response	Post-Analysis Lookup
b2bnetlinkOne.kozow.com	A 185.45.193.29	185.45.193.29

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
185.45.193.29	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 27, 2021, 6:37 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 27, 2021, 6:37 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1	0
WriteConsoleW June 27, 2021, 6:37 p.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe

Creates executable files on the filesystem (50 out of 137 events)

file	C:\Program Files (x86)\Mozilla Thunderbird\pingsender.exe
file	C:\Program Files (x86)\Google\Update\1.3.36.32\GoogleUpdateBroker.exe
file	C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.32\GoogleUpdateSetup.exe
file	C:\Program Files (x86)\Hnc\HncUtils\HncUpdate.exe
file	C:\Program Files (x86)\Mozilla Thunderbird\plugin-container.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\REGFORM.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\DSSM.EXE
file	C:\Python27\Lib\site-packages\setuptools\cli-32.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\ACCICONS.EXE
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ODSERV.EXE
file	C:\Python27\Scripts\easy_install.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
file	C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ose.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe
file	C:\Program Files (x86)\7-Zip\7z.exe
file	C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe
file	C:\Program Files (x86)\Hnc\Hwp80\HwpFinder.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\SELFCERT.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\PPTVIEW.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\MSPUB.EXE
file	C:\Program Files (x86)\EditPlus\editplus.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t64.exe
file	C:\Program Files (x86)\Hnc\Hwp80\HwpPrnMng.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file	C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe
file	C:\Program Files (x86)\Mozilla Thunderbird\maintenanceservice.exe
file	C:\Program Files (x86)\Mozilla Thunderbird\minidump-analyzer.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
file	C:\Program Files (x86)\Mozilla Thunderbird\crashreporter.exe
file	C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\DW20.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\INFOPATH.EXE
file	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
file	C:\Program Files (x86)\Hnc\Common80\HncReporter.exe
file	C:\Program Files (x86)\7-Zip\7zFM.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
file	C:\Program Files (x86)\Microsoft Office\Office12\1042\ONELEV.EXE
file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\notification_helper.exe
file	C:\Program Files (x86)\Hnc\Hwp80\HncPUAConverter.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\MSTORE.EXE
file	C:\Program Files (x86)\Hnc\HncDic80\HncDic.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\MSTORDB.EXE
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ACECNFLT.EXE
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe
file	C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe
file	C:\Program Files (x86)\Microsoft Office\Office12\MSQRY32.EXE
file	C:\Program Files (x86)\Google\Update\1.3.36.32\GoogleCrashHandler64.exe
file	C:\util\dotnet4.5.exe
file	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Creates a suspicious process (1 event)

cmdline

C:\Windows\System32\schtasks.exe /Create /TN Updates\CkRkyrKOkSUdUU /XML C:\Users\test22\AppData\Local\Temp\tmpCFA8.tmp

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\101.3.34.11\ChromeRecovery.exe
file	C:\Users\test22\AppData\Local\Temp\3582-490\vbc.exe

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Windows\System32\schtasks.exe /Create /TN Updates\CkRkyrKOkSUdUU /XML C:\Users\test22\AppData\Local\Temp\tmpCFA8.tmp

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)

reg_value

C:\Windows\svchost.com "%1" %*

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

185.45.193.29:4207

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.NeshtaB.PE
Elastic	malicious (high confidence)
MicroWorld-eScan	Win32.Neshta.A
CAT-QuickHeal	W32.Neshta.C8
ALYac	Win32.Neshta.A
Cylance	Unsafe
Zillya	Virus.Neshta.Win32.1
Sangfor	Win.Trojan.Neshuta-1
K7AntiVirus	Virus ( 00556e571 )
K7GW	Virus ( 00556e571 )
Cybereason	malicious.5ba3ea
Arcabit	Win32.Neshta.A
BitDefenderTheta	AI:FileInfector.D5C3B0640E
Cyren	W32/Neshta.OBIX-2981
Symantec	W32.Neshuta
ESET-NOD32	Win32/Neshta.A
Baidu	Win32.Virus.Neshta.a
TrendMicro-HouseCall	PE_NESHTA.A
Avast	Win32:Apanas [Trj]
ClamAV	Win.Trojan.Neshuta-1
Kaspersky	Virus.Win32.Neshta.a
BitDefender	Win32.Neshta.A
NANO-Antivirus	Trojan.Win32.Winlock.fmobyw
ViRobot	Win32.Neshta.Gen.A
Tencent	Virus.Win32.Neshta.a
Ad-Aware	Win32.Neshta.A
Emsisoft	Win32.Neshta.A (B)
Comodo	Win32.Neshta.A@3ypg
DrWeb	Win32.HLLP.Neshta
VIPRE	Virus.Win32.Neshta.a (v)
TrendMicro	PE_NESHTA.A
McAfee-GW-Edition	BehavesLike.Win32.Wabot.tc
FireEye	Generic.mg.fa9e57e5ba3eabc1
Sophos	ML/PE-A + W32/Neshta-D
APEX	Malicious
Jiangmin	Virus.Neshta.a
Avira	W32/Neshta.A
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Generic.ASVirus.20D
Gridinsoft	Virus.Neshta.A.sd!yf
Microsoft	Virus:Win32/Neshta.A
GData	Win32.Virus.Neshta.D
Cynet	Malicious (score: 100)
AhnLab-V3	Win32/Neshta
Acronis	suspicious
McAfee	W32/HLLP.41472.e
TACHYON	Virus/W32.Neshta
VBA32	Virus.Win32.Neshta.a
Malwarebytes	Neshta.Virus.FileInfector.DDS
Ikarus	Virus.Win32.Neshta

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All