Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 18, 2021, 11:18 a.m.	Aug. 18, 2021, 11:34 a.m.

Size	7.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a9d35b3546a908c804d177020daefcb0`
SHA256	`45193fa14de60908b958e3f268ef46457acbbe4d7b63784a8dc177a510528827`
CRC32	`C3740A96`
ssdeep	`196608:XPGZKb8EmARpfMWw93Axfy46VqPFUXd8hSXJTkWOg0rmt+kK1:+o7pa9wVaqcd8hSZkWOgOmHq`
Yara	PE_Header_Zero - PE File Signature Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

wango666.exe "C:\Users\test22\AppData\Local\Temp\wango666.exe"
2216
- irsetup.exe "C:\Users\test22\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\test22\AppData\Local\Temp\wango666.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3832866432-4053218753-3017428901-1001"
  1556
  - DbVisualizer.exe "C:\Users\test22\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe"
    3028
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.20	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.20:80 -> 192.168.56.101:49213	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
TCP 192.168.56.101:49213 -> 185.215.113.20:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 185.215.113.20:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 18, 2021, 11:18 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address				suspicious_request	POST http://185.215.113.20/gb9fskvS/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address				suspicious_request	POST http://185.215.113.20/gb9fskvS/index.php?scr=1

Performs some HTTP requests (2 events)

request	POST http://185.215.113.20/gb9fskvS/index.php
request	POST http://185.215.113.20/gb9fskvS/index.php?scr=1

Sends data using the HTTP POST Method (2 events)

request	POST http://185.215.113.20/gb9fskvS/index.php
request	POST http://185.215.113.20/gb9fskvS/index.php?scr=1

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72792000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 18, 2021, 11:18 a.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x724a2000 process_handle: 0xffffffff	1	0	0

A process attempted to delay the analysis task. (1 event)

description

DbVisualizer.exe tried to sleep 339 seconds, actually delayed analysis time by 339 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Aug. 18, 2021, 11:18 a.m.	number_of_free_clusters: 3350013 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW Aug. 18, 2021, 11:18 a.m.	total_number_of_free_bytes: 13719339008 free_bytes_available: 13719339008 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Aug. 18, 2021, 11:19 a.m.	total_number_of_free_bytes: 13705211904 free_bytes_available: 13705211904 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\manual.pdf

Creates executable files on the filesystem (29 events)

file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\HTML\js\strokesplus-net-load.js
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\System.Numerics.Vectors.dll
file	C:\Users\test22\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\HTML\js\strokesplus-net-menu.js
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\uninstall.exe
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\HTML\js\strokesplus-net-toolbar.js
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\HTML\js\strokesplus-net-scripteditor.js
file	C:\Users\test22\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\HTML\js\strokesplus-net-stepsscript.js
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\Common.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\HTML\js\strokesplus-net-modals.js
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\SdCrashReporter.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\libEGL.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\HTML\js\strokesplus-net-applicationlist.js
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\zlibwapi.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\System.Memory.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\HTML\js\strokesplus-net-applicationeditor.js
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\HTML\js\codemirror-autorefresh.js
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\System.Buffers.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\libintl-8.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\MixPanel.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\lua5.1.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\VistaBridgeLibrary.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\WindowsInput.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\HTML\js\strokesplus-net-utilities.js
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\HTML\js\codemirror-javascript-hint.js
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\HTML\js\codemirror-matchbrackets.js
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\libxlt2.dll

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe

Drops an executable to the user AppData folder (14 events)

file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\VistaBridgeLibrary.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\SdCrashReporter.dll
file	C:\Users\test22\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\System.Buffers.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\libintl-8.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\Common.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\MixPanel.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\System.Memory.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\zlibwapi.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\DbVisualizer.exe
file	C:\Users\test22\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\System.Numerics.Vectors.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\WindowsInput.dll
file	C:\Users\test22\AppData\Roaming\DbVisualizer Manager\libxlt2.dll

Yara rule detected in process memory (20 events)

description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.20

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2216 resumed a thread in remote process 1556
Process injection	Process 1556 resumed a thread in remote process 3028
NtResumeThread Aug. 18, 2021, 11:18 a.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 1556	1	0	0
NtResumeThread Aug. 18, 2021, 11:18 a.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 3028	1	0	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

MicroWorld-eScan	Trojan.GenericKD.37397275
FireEye	Generic.mg.a9d35b3546a908c8
Qihoo-360	Win32/TrojanDownloader.Generic.HgIASaMA
ALYac	Trojan.GenericKD.37397275
Sangfor	Trojan.Win32.Deyma.cdj
K7AntiVirus	Trojan ( 0057ac811 )
Alibaba	TrojanDownloader:Win32/Deyma.60588dca
K7GW	Trojan ( 0057ac811 )
Cyren	W32/Kryptik.DOL.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Agent.ACYJ
APEX	Malicious
ClamAV	Win.Malware.Ursu-9854581-0
Kaspersky	Trojan-Downloader.Win32.Deyma.cdj
BitDefender	Trojan.GenericKD.37397275
Avast	Win32:Trojan-gen
Ad-Aware	Trojan.GenericKD.37397275
Sophos	Mal/Generic-S
Comodo	Malware@#3ko08bgbszs5o
DrWeb	Trojan.DownLoader41.9312
Zillya	Trojan.AveMaria.Win32.17
TrendMicro	TROJ_GEN.R002C0WHG21
McAfee-GW-Edition	BehavesLike.Win32.Dropper.vc
Emsisoft	Trojan.GenericKD.37397275 (B)
Ikarus	Trojan.Win32.Agent
Kingsoft	Win32.TrojDownloader.Deyma.c.(kcloud)
Gridinsoft	Trojan.Win32.Downloader.oa
GData	Trojan.GenericKD.37397275
AhnLab-V3	Trojan/Win.Generic.C4596125
McAfee	Artemis!A9D35B3546A9
MAX	malware (ai score=81)
VBA32	TrojanPSW.Convagent
TrendMicro-HouseCall	TROJ_GEN.R002C0WHG21
Fortinet	W32/Deyma.CDJ!tr.dldr
AVG	Win32:Trojan-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)

wango666.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All