Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 29, 2021, 10:42 a.m.	June 29, 2021, 10:42 a.m.

Size	9.5KB
Type	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`8bf00ef4dd6bb308c76849901b03ccbd`
SHA256	`a5c873085f36f69f29bb8895eb199d42ce86b16da62c56680917149b97e6dac4`
CRC32	`0EF9DF7E`
ssdeep	`192:oCaQ3qaG3GO/pfg9m3CJ3Mc+YeZBkvmKI7H:o5Nt/Vg9m3CJ3qZ0jI7`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature MAL_Netfilter_Dropper_Jun_2021_1 - Detect the dropper of Netfilter rootkit

97e6dac4.exe "C:\Users\test22\AppData\Local\Temp\97e6dac4.exe"
3024
- regini.exe "C:\Windows\System32\regini.exe" c.xalm
  596

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.113.202.180	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 45.113.202.180:608 -> 192.168.56.101:49198	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.113.202.180:608 -> 192.168.56.101:49198	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleA June 29, 2021, 10:42 a.m.	buffer: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netfilter console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:42 a.m.	buffer: ErrorControl console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:42 a.m.	buffer: REG_DWORD 0x00000001 console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:42 a.m.	buffer: ImagePath console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:42 a.m.	buffer: \??\C:\Users\test22\AppData\Roaming\netfilter.sys console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:42 a.m.	buffer: Start console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:42 a.m.	buffer: REG_DWORD 0x00000003 console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:42 a.m.	buffer: Type console_handle: 0x00000007	1	1
WriteConsoleA June 29, 2021, 10:42 a.m.	buffer: REG_DWORD 0x00000001 console_handle: 0x00000007	1	1

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 29, 2021, 10:42 a.m.	show_type: 0 filepath_r: regini parameters: c.xalm filepath: regini	1	1	0

An executable file was downloaded by the process 97e6dac4.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile June 29, 2021, 10:42 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $yW¾D=6Ð=6Ð=6Ð4NX>6Ð4NC?6Ð)]Ö<6Ð)]Ó96Ð)]Ô86Ð)]Ñ:6Ð=6ÑM6ÐäBÕ/6ÐäBÒ<6ÐRich=6ÐPEd®Â`ð"vÖ @ Ø°`Ad`dP0¾!p(¨8àh.text"gh h.rdataül@H.data»*\|@È.pdata0P¦@HINIT¸`® b.reloc(p¼@BHì(H µ§èÀLá8H¢§H ³8HÄ(éaÌÌéËÿÿÿÌÌÌÌÌÌÌÌÌÌÌHì(H8HÀtHéÿÿÿH;ÂtÿÐHÄ(éÿÿÿÌÌÌÌÌÌÌÌÌH\$Hl$Ht$WHì 3íHòHùH;Íu3Éè¸éà¸H W8H (8f#8HR8f-8H8ÿfrL 8Là¦Hñ7HÏèa`;ÅH Â¦èM;ÅØ\|mèÒHÖHÏè7;ÅØ\|WHÒ7@8h0t$Hµ7H9ohHEGhH¥7HöþÿÿHGhë"ö@tH[1H7HÅþÿÿHF13ÀëèþÿÿÃH\$0Hl$8Ht$@HÄ _ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌH\$WHì HÚHùèKNHÓHÏH\$0HÄ _é¦þÿÿÌÌÌÌÌÌH\$WHì H'¦HùH ¦H¦H;ÁtEH;Øw@HC@HÀtLì6H ]_LËH×ÿÐëHÔ6LÃHÏèA_HÃPH;Î¥vÀH\$0HÄ _ÃÌÌÌÌÌÌÌÌÌH\$Ht$WHì Hù3ÀH¥H5¥H;ÞsN;PuDHC8H¥HÀtLe6H Æ^LËH×ÿÐëHM6LÃHÏèª^ÀxHÃPë²¸ÀH\$0Ht$8HÄ _ÃÌÌÌÌÌÌÌÌÌÌÌH\$WHì H/¥H (¥H;Ás<H+ÈH¸ÍÌÌÌÌÌÌÌH/¥HÿÉH÷áHúHÁïHÿÇHHÀtÿÐHCøHÃ(HïuèH\$0HÄ _ÃÌÌÌÌÌÌÌÌÌÌÌÌ@UH¬$°ûÿÿHìPHH¤H3ÄH@3ÒHM@A¸èý`3ÒHL$@A¸ÿèë`WÀHM@ºD$0è½ÀtnHU@HL$0ÿoLD$ HT$(HL$0è Àx4HL$(HÉt=T$ LD$@è.HL$(ºQaxXÿBoH request_handle: 0x00cc000c	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 29, 2021, 10:42 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

45.113.202.180

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netfilter\ImagePath

reg_value

\??\C:\Users\test22\AppData\Roaming\netfilter.sys

Loads a driver (1 event)

Time & API	Arguments	Status	Return	Repeated
NtLoadDriver June 29, 2021, 10:42 a.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\netfilter		3221226536	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3024 resumed a thread in remote process 596
NtResumeThread June 29, 2021, 10:42 a.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 596	1	0	0

Stops Windows services (1 event)

service

netfilter (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netfilter\Start)

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoader40.4568
MicroWorld-eScan	Gen:Variant.Doina.16943
FireEye	Generic.mg.8bf00ef4dd6bb308
CAT-QuickHeal	TrojanDownloader.Stantinko
McAfee	RDN/Generic Downloader.x
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Trojan.Win32.Save.a
Alibaba	TrojanDownloader:Win32/Stantinko.c178e677
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Doina.D422F
BitDefenderTheta	AI:Packer.D462FD1F1E
Cyren	W32/Trojan.NOPC-7236
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.FSE
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	Trojan-Downloader.Win32.Stantinko.gjwx
BitDefender	Gen:Variant.Doina.16943
NANO-Antivirus	Trojan.Win32.Stantinko.iwcpys
Paloalto	generic.ml
AegisLab	Trojan.Win32.Generic.kYXw
Tencent	Win32.Trojan-downloader.Stantinko.Efky
Ad-Aware	Gen:Variant.Doina.16943
Sophos	Mal/Generic-S
Comodo	Malware@#bsi9vm83cw79
Zillya	Downloader.Stantinko.Win32.29873
TrendMicro	Trojan.Win32.FETNILTER.A
McAfee-GW-Edition	RDN/Generic Downloader.x
Emsisoft	Gen:Variant.Doina.16943 (B)
Webroot	W32.Trojan.Gen
Avira	TR/Dldr.Stantinko.ejntd
MAX	malware (ai score=83)
Antiy-AVL	Trojan/Generic.ASMalwS.339A434
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	TrojanDownloader:Win32/Retliften.B
ViRobot	Trojan.Win32.Z.Undef.9728
ZoneAlarm	Trojan-Downloader.Win32.Stantinko.gjwx
GData	Gen:Variant.Doina.16943
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win.Generic.C4513081
VBA32	suspected of Trojan.Downloader.gen
ALYac	Trojan.Downloader.Stantinko
Malwarebytes	Rootkit.NetFilter
TrendMicro-HouseCall	Trojan.Win32.FETNILTER.A
Rising	Downloader.Agent!1.D6F8 (CLASSIC)
Yandex	Trojan.DL.Stantinko!HtkSy/U/qyY
Ikarus	Trojan-Downloader.Stantinko

97e6dac4.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All