Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 29, 2021, 10:31 a.m.	June 29, 2021, 10:31 a.m.

Size	564.4KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`145e3c224e4ecaf26d4638efb9d622a7`
SHA256	`9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89`
CRC32	`9250A24F`
ssdeep	`6144:+zhRwaGlf2ofbRuNPMxJZWWXR6UVUmxTOdbRnveIks9HRizWtlJVv:+zLE3TRuNP8cU0UVUCINWns9QW/JVv`
Yara	OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file MAL_Netfilter_Dropper_Jun_2021_1 - Detect the dropper of Netfilter rootkit

9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.exe "C:\Users\test22\AppData\Local\Temp\9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.exe"
112
- regini.exe "C:\Windows\System32\regini.exe" configure.xalm
  2256

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.113.202.180	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 45.113.202.180:608 -> 192.168.56.101:49198	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.113.202.180:608 -> 192.168.56.101:49198	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 29, 2021, 10:31 a.m.	buffer: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netfilter console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:31 a.m.	buffer: ErrorControl console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:31 a.m.	buffer: REG_DWORD 0x00000001 console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:31 a.m.	buffer: ImagePath console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:31 a.m.	buffer: \??\C:\Users\test22\AppData\Roaming\netfilter.sys console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:31 a.m.	buffer: Start console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:31 a.m.	buffer: REG_DWORD 0x00000003 console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:31 a.m.	buffer: Type console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:31 a.m.	buffer: REG_DWORD 0x00000001 console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.00cfg
section	.voltbl

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 29, 2021, 10:31 a.m.	show_type: 0 filepath_r: regini parameters: configure.xalm filepath: regini	1	1	0

An executable file was downloaded by the process 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile June 29, 2021, 10:30 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $yW¾D=6Ð=6Ð=6Ð4NX>6Ð4NC?6Ð)]Ö<6Ð)]Ó96Ð)]Ô86Ð)]Ñ:6Ð=6ÑM6ÐäBÕ/6ÐäBÒ<6ÐRich=6ÐPEd®Â`ð"vÖ @ Ø°`Ad`dP0¾!p(¨8àh.text"gh h.rdataül@H.data»*\|@È.pdata0P¦@HINIT¸`® b.reloc(p¼@BHì(H µ§èÀLá8H¢§H ³8HÄ(éaÌÌéËÿÿÿÌÌÌÌÌÌÌÌÌÌÌHì(H8HÀtHéÿÿÿH;ÂtÿÐHÄ(éÿÿÿÌÌÌÌÌÌÌÌÌH\$Hl$Ht$WHì 3íHòHùH;Íu3Éè¸éà¸H W8H (8f#8HR8f-8H8ÿfrL 8Là¦Hñ7HÏèa`;ÅH Â¦èM;ÅØ\|mèÒHÖHÏè7;ÅØ\|WHÒ7@8h0t$Hµ7H9ohHEGhH¥7HöþÿÿHGhë"ö@tH[1H7HÅþÿÿHF13ÀëèþÿÿÃH\$0Hl$8Ht$@HÄ _ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌH\$WHì HÚHùèKNHÓHÏH\$0HÄ _é¦þÿÿÌÌÌÌÌÌH\$WHì H'¦HùH ¦H¦H;ÁtEH;Øw@HC@HÀtLì6H ]_LËH×ÿÐëHÔ6LÃHÏèA_HÃPH;Î¥vÀH\$0HÄ _ÃÌÌÌÌÌÌÌÌÌH\$Ht$WHì Hù3ÀH¥H5¥H;ÞsN;PuDHC8H¥HÀtLe6H Æ^LËH×ÿÐëHM6LÃHÏèª^ÀxHÃPë²¸ÀH\$0Ht$8HÄ _ÃÌÌÌÌÌÌÌÌÌÌÌH\$WHì H/¥H (¥H;Ás<H+ÈH¸ÍÌÌÌÌÌÌÌH/¥HÿÉH÷áHúHÁïHÿÇHHÀtÿÐHCøHÃ(HïuèH\$0HÄ _ÃÌÌÌÌÌÌÌÌÌÌÌÌ@UH¬$°ûÿÿHìPHH¤H3ÄH@3ÒHM@A¸èý`3ÒHL$@A¸ÿèë`WÀHM@ºD$0è½ÀtnHU@HL$0ÿoLD$ HT$(HL$0è Àx4HL$(HÉt=T$ LD$@è.HL$(ºQaxXÿBoH request_handle: 0x00cc000c	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0007e800', u'virtual_address': u'0x00001000', u'entropy': 6.868642366003943, u'name': u'.text', u'virtual_size': u'0x0007e67b'}

entropy

6.868642366

description

A section with a high entropy has been found

entropy

0.908438061041

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 29, 2021, 10:31 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

45.113.202.180

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netfilter\ImagePath

reg_value

\??\C:\Users\test22\AppData\Roaming\netfilter.sys

Loads a driver (1 event)

Time & API	Arguments	Status	Return	Repeated
NtLoadDriver June 29, 2021, 10:31 a.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\netfilter		3221226536	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 112 resumed a thread in remote process 2256
NtResumeThread June 29, 2021, 10:31 a.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 2256	1	0	0

Stops Windows services (1 event)

service

netfilter (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netfilter\Start)

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
CAT-QuickHeal	Trojan.Agent
ALYac	Trojan.Downloader.Stantinko
Malwarebytes	Rootkit.NetFilter
Zillya	Trojan.Agent.Win32.1932079
Sangfor	Trojan.Win32.Agent.gen
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Ransom:MSIL/Redcap.d82d6a39
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.24e4ec
Arcabit	Trojan.Razy.DD6D6E
Cyren	W32/Trojan.GXDA-5735
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.FSE
APEX	Malicious
Avast	Win32:Malware-gen
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan.Win32.Agent.gen
BitDefender	Gen:Variant.Razy.879982
Paloalto	generic.ml
MicroWorld-eScan	Gen:Variant.Razy.879982
Tencent	Win32.Trojan.Agent.Dwju
Ad-Aware	Gen:Variant.Razy.879982
Sophos	Mal/Generic-S
Comodo	Malware@#wv4raa3b2g59
DrWeb	Trojan.DownLoader38.23442
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	Trojan.Win32.FETNILTER.A
McAfee-GW-Edition	RDN/Ransom
FireEye	Generic.mg.145e3c224e4ecaf2
Emsisoft	Gen:Variant.Razy.879982 (B)
Ikarus	Ransom.MSIL.Gorf
Jiangmin	Trojan.Agent.dfmd
Webroot	W32.Trojan.Gen
Avira	TR/Redcap.npxau
MAX	malware (ai score=88)
Antiy-AVL	Trojan/Generic.ASMalwS.3251287
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Agent.oa
AegisLab	Trojan.Win32.Agent.4!c
ZoneAlarm	HEUR:Trojan.Win32.Agent.gen
GData	Gen:Variant.Razy.879982
AhnLab-V3	Ransomware/Win.Gorf.C4537430
Acronis	suspicious
McAfee	RDN/Ransom
VBA32	suspected of Trojan.Downloader.gen
Cylance	Unsafe
TrendMicro-HouseCall	Trojan.Win32.FETNILTER.A
Rising	Downloader.Agent!1.D6F8 (CLASSIC)

9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All