Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe
11.15 01:11
msf.exe
11.15 01:11
lum250.exe
11.15 01:11
msf443.exe
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe

Latest News
11.16 06:11
티오더, 메뉴 사진 무료 촬영 서비스 진행
11.16 06:11
WiFi Status Indicator ...
11.16 06:11
PAN-OS Firewall Vulner...
11.16 06:11
Dahua und Delo vereine...
11.16 05:11
NSO 그룹, 소송 중에도 ‘페가수스’로...
11.16 04:11
Warning: DEEPDATA Malw...
11.16 03:11
It’s a Soldering Iron!...
11.16 12:11
Critical Unauthenticat...
11.16 12:11
BASIC Co-Inventor Thom...
11.16 09:11
존쿡 델리미트 외식 매장서 ‘연말맞이 다...

Summary | ZeroBOX

safman_setup.exe

Gen1 Malicious Library UPX PE64 PE File OS Processor Check PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 25, 2021, 10:20 a.m.	Aug. 25, 2021, 10:22 a.m.

Size	7.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`72bbac2c87dff558073e6306f1552a39`
SHA256	`2ecb4724f6f253e573bf038b47709f88c862fd19741a1c65da13d45b597a2097`
CRC32	`82D2F7CE`
ssdeep	`196608:TNw5s8BKUnGIt4BPiVIr3vI8CDSuhJmqs31hCbR3nN:TC5z3GfI8tip+sbR3nN`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

safman_setup.exe "C:\Users\test22\AppData\Local\Temp\safman_setup.exe"
2444
- safman_setup.tmp "C:\Users\test22\AppData\Local\Temp\is-JQCE0.tmp\safman_setup.tmp" /SL5="$E021E,7189898,67584,C:\Users\test22\AppData\Local\Temp\safman_setup.exe"
  2384
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 25, 2021, 10:20 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 25, 2021, 10:20 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 25, 2021, 10:20 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 25, 2021, 10:20 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 25, 2021, 10:20 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 28672 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 25, 2021, 10:20 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72972000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 25, 2021, 10:20 a.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 25, 2021, 10:20 a.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72972000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Aug. 25, 2021, 10:20 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 8456473196824849641 root_path: C:\SAF\SAFMan\ total_number_of_bytes: 4294967295		0	0
GetDiskFreeSpaceExW Aug. 25, 2021, 10:20 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 8456473196824849641 root_path: C:\SAF\ total_number_of_bytes: 4294967295		0	0
GetDiskFreeSpaceExW Aug. 25, 2021, 10:20 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13718827008 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW Aug. 25, 2021, 10:21 a.m.	total_number_of_free_bytes: 13719785472 free_bytes_available: 13719785472 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-JQCE0.tmp\safman_setup.tmp

Queries for potentially installed applications (2 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA Aug. 25, 2021, 10:20 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{EC86EEC2-8263-45A7-A949-7D75E2AE5FA9}}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{EC86EEC2-8263-45A7-A949-7D75E2AE5FA9}}_is1		2	0
RegOpenKeyExA Aug. 25, 2021, 10:20 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{EC86EEC2-8263-45A7-A949-7D75E2AE5FA9}}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{EC86EEC2-8263-45A7-A949-7D75E2AE5FA9}}_is1		2	0

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

McAfee	Artemis!72BBAC2C87DF
Sangfor	Trojan.Win32.Snojan.ctov
Alibaba	Trojan:Win32/Snojan.530ca4bd
Symantec	Trojan.Gen.2
APEX	Malicious
Kaspersky	Trojan.Win32.Snojan.ctov
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.Dropper.wc
Jiangmin	Trojan.Snojan.dqb
Microsoft	Trojan:Win32/Zpevdo.B
VBA32	Trojan.Snojan
Tencent	Win32.Trojan.Snojan.Ahot
Fortinet	W32/Snojan.CTOV!tr