Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 28, 2021, 5:43 p.m.	Aug. 28, 2021, 5:52 p.m.

Size	4.9MB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`15478642d48681a67374167d173d4f84`
SHA256	`4e1c013bf36b27f78e0fdc7ab5a67bc3f62f33c97f5848daf40df7ec7d842fa4`
CRC32	`5A870977`
ssdeep	`98304:6jT71ntlY5xzFunCcZ2iH9oFfQPjpw6D8cKuEBQ5Qbg+db778Fm/S3DdK1NPgf6K:i3fCcZZ2VQtbXQ9A5DdK1NPgCWXaYRX7`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

Rbget.exe "C:\Users\test22\AppData\Local\Temp\Rbget.exe"
2516

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.102	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.102:1234 -> 192.168.56.102:49165	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
TCP 192.168.56.102:49168 -> 185.215.113.102:1234	906200098	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined
TCP 192.168.56.102:49167 -> 185.215.113.102:1234	906200098	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined
TCP 192.168.56.102:49165 -> 185.215.113.102:1234	906200098	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined
TCP 185.215.113.102:1234 -> 192.168.56.102:49165	2030724	ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)	Domain Observed Used for C2 Detected
TCP 185.215.113.102:1234 -> 192.168.56.102:49168	2030724	ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)	Domain Observed Used for C2 Detected
TCP 185.215.113.102:1234 -> 192.168.56.102:49167	2030724	ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)	Domain Observed Used for C2 Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49168 185.215.113.102:1234	CN=BitRAT	CN=BitRAT	aa:a8:0d:a0:d9:fb:84:90:ca:73:1e:67:ee:78:20:7e:bf:f4:75:3c
TLS 1.2 192.168.56.102:49167 185.215.113.102:1234	CN=BitRAT	CN=BitRAT	aa:a8:0d:a0:d9:fb:84:90:ca:73:1e:67:ee:78:20:7e:bf:f4:75:3c
TLS 1.2 192.168.56.102:49165 185.215.113.102:1234	CN=BitRAT	CN=BitRAT	aa:a8:0d:a0:d9:fb:84:90:ca:73:1e:67:ee:78:20:7e:bf:f4:75:3c

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 28, 2021, 5:43 p.m.	computer_name: 噫x嬃℁Î6刺		0	0
GetComputerNameW Aug. 28, 2021, 5:44 p.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 28, 2021, 5:44 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.shilh

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 28, 2021, 5:43 p.m.	process_identifier: 2516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ba000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2021, 5:43 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2021, 5:44 p.m.	process_identifier: 2516 region_size: 4452352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2021, 5:44 p.m.	process_identifier: 2516 region_size: 3944448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 28, 2021, 5:44 p.m.	process_identifier: 2516 region_size: 3989504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bf0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 28, 2021, 5:44 p.m.	process_identifier: 2516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73582000 process_handle: 0xffffffff	1

Creates hidden or system file (19 events)

Time & API	Arguments	Status	Return
SetFileAttributesW Aug. 28, 2021, 5:44 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:44 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:44 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:44 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:44 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:44 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:44 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:44 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:45 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:45 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:45 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:45 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:45 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:45 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:45 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:45 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:45 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:45 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1
SetFileAttributesW Aug. 28, 2021, 5:45 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe filepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe	1	1

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW Aug. 28, 2021, 5:44 p.m.	newfilepath_r: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe flags: 3 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\\Rbget.exe newfilepath: C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe oldfilepath: C:\Users\test22\AppData\Local\Temp\Rbget.exe	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 28, 2021, 5:44 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 28, 2021, 5:44 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.102

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 28, 2021, 5:44 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Rbget.exe tried to sleep 5456776 seconds, actually delayed analysis time by 5456776 seconds

Installs itself for autorun at Windows startup (20 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GuiterX	reg_value	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Local\GuiterX\GuiterX.exe

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Aug. 28, 2021, 5:44 p.m.	thread_identifier: 0 callback_function: 0x02cff84a hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x00000000	1	2949821	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Aug. 28, 2021, 5:44 p.m.	thread_identifier: 0 callback_function: 0x02cba8cc hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	1966631	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Multi.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37488268
FireEye	Generic.mg.15478642d48681a6
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:Win32/Starter.ali2000005
BitDefenderTheta	Gen:NN.ZexaF.34110.@BX@aalOj@ii
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/Agent.ACBZ
Paloalto	generic.ml
Kaspersky	Trojan.Win32.CMY3U.cpd
BitDefender	Trojan.GenericKD.37488268
Avast	FileRepMalware
Ad-Aware	Trojan.GenericKD.37488268
Emsisoft	Trojan.GenericKD.37488268 (B)
DrWeb	Trojan.Siggen15.642
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S + Troj/Zbot-PMJ
Ikarus	Trojan.MeterpreterSC
Webroot	W32.Trojan.Gen
Avira	TR/Agent.hwygp
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)
Gridinsoft	Trojan.Win32.Generic.oa
Microsoft	Trojan:Win32/Tnega!ml
GData	Trojan.GenericKD.37488268
Cynet	Malicious (score: 100)
AhnLab-V3	Backdoor/Win.Agent.C4610946
McAfee	Artemis!15478642D486
MAX	malware (ai score=85)
VBA32	Malware-Cryptor.Limpopo
Rising	Trojan.Generic@ML.88 (RDML:A6XMfKymsms/X6FzOjW/ag)
eGambit	Unsafe.AI_Score_97%
Fortinet	W32/CMY3U.CPD!tr
AVG	FileRepMalware
Panda	Trj/GdSda.A
MaxSecure	Trojan.Malware.300983.susgen

Rbget.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All