Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 29, 2021, 12:38 p.m.	Aug. 29, 2021, 12:42 p.m.

Size	4.8MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`b42b568e5b6056dc84df89494d7b68c7`
SHA256	`59d926026fc65ebc3b130a9f65c65676e75eb523482ca81d9a4379eecad68685`
CRC32	`AB35B1E3`
ssdeep	`49152:wfGHhtTcVMgg7WK8eHUsCOTpHYuxaHD3363spPYgfEXcKiWaUN4tEmoawrh6Gjgk:weXc4Tp4uQDH63spPYgfswrfJAiV`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file Malicious_Packer_Zero - Malicious Packer OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

vpn_client.exe "C:\Users\test22\AppData\Local\Temp\vpn_client.exe"
1800
- cmd.exe cmd.exe /c "netsh wlan show networks mode=bssid"
  3068
  - netsh.exe netsh wlan show networks mode=bssid
    684
- cmd.exe cmd.exe /c "arp -a"
  1312
  - ARP.EXE arp -a
    2252
- cmd.exe cmd.exe /c "netstat -ano -p TCP"
  508
  - NETSTAT.EXE netstat -ano -p TCP
    2212

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
111.200.45.121	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49170 -> 111.200.45.121:80	2024897	ET USER_AGENTS Go HTTP Client User-Agent	Misc activity
TCP 192.168.56.102:49170 -> 111.200.45.121:80	2019003	ET MALWARE Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND	A Network Trojan was detected
TCP 192.168.56.102:49170 -> 111.200.45.121:80	2019080	ET MALWARE Windows arp -a Microsoft Windows DOS prompt command exit OUTBOUND	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 29, 2021, 12:38 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 29, 2021, 12:38 p.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 29, 2021, 12:38 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.symtab

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, Connection to IP address

suspicious_request

POST http://111.200.45.121:80/upload_info/

Performs some HTTP requests (1 event)

request

POST http://111.200.45.121:80/upload_info/

Sends data using the HTTP POST Method (1 event)

request

POST http://111.200.45.121:80/upload_info/

Creates a suspicious process (3 events)

cmdline	cmd.exe /c "netstat -ano -p TCP"
cmdline	cmd.exe /c "arp -a"
cmdline	cmd.exe /c "netsh wlan show networks mode=bssid"

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW Aug. 29, 2021, 12:38 p.m.	snapshot_handle: 0x00000248 process_name: mobsync.exe process_identifier: 1384	1	1
Process32NextW Aug. 29, 2021, 12:38 p.m.	snapshot_handle: 0x00000248 process_name: pw.exe process_identifier: 2668	1	1
Process32NextW Aug. 29, 2021, 12:38 p.m.	snapshot_handle: 0x00000248 process_name: taskhost.exe process_identifier: 1812	1	1
Process32NextW Aug. 29, 2021, 12:38 p.m.	snapshot_handle: 0x00000248 process_name: SearchFilterHost.exe process_identifier: 876	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 29, 2021, 12:38 p.m.	flags: 16 family: 0	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 29, 2021, 12:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 29, 2021, 12:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 29, 2021, 12:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	netstat -ano -p TCP
cmdline	cmd.exe /c "netstat -ano -p TCP"
cmdline	netsh wlan show networks mode=bssid
cmdline	cmd.exe /c "netsh wlan show networks mode=bssid"

Communicates with host for which no DNS query was performed (1 event)

host

111.200.45.121

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 29, 2021, 12:38 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Expresses interest in specific running processes (25 events)

process	dwm.exe
process: potential process injection target	csrss.exe
process	imedictupdate.exe
process: potential process injection target	wininit.exe
process	searchprotocolhost.exe
process: potential process injection target	winlogon.exe
process	system
process	vpn_client.exe
process: potential process injection target	explorer.exe
process	conhost.exe
process: potential process injection target	smss.exe
process	searchfilterhost.exe
process	taskhost.exe
process	audiodg.exe
process	mobsync.exe
process: potential process injection target	svchost.exe
process	cmd.exe
process	pw.exe
process	lsm.exe
process: potential process injection target	lsass.exe
process: potential process injection target	services.exe
process	searchindexer.exe
process	spoolsv.exe
process	wmiprvse.exe
process	taskeng.exe

Collects information on the system (ipconfig, netstat, systeminfo) (1 event)

cmdline

cmd.exe /c "netstat -ano -p TCP"

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Aug. 29, 2021, 12:38 p.m.	ordinal: 0 function_address: 0x0018fe3f function_name: wine_get_version module: ntdll module_address: 0x77ae0000		3221225785	0

Executed a process and injected code into it, probably while unpacking (27 events)

Time & API	Arguments	Status	Return
NtGetContextThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x00000184	1	0
NtResumeThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 1800	1	0
NtGetContextThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x00000184	1	0
NtSetContextThread Aug. 29, 2021, 12:38 p.m.	registers.eip: 4571616 registers.esp: 310868764 registers.edi: 0 registers.eax: 0 registers.ebp: 6 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000184 process_identifier: 1800	1	0
NtResumeThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 1800	1	0
NtGetContextThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x0000018c	1	0
NtSetContextThread Aug. 29, 2021, 12:38 p.m.	registers.eip: 4571616 registers.esp: 310868712 registers.edi: 0 registers.eax: 0 registers.ebp: 310649984 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000018c process_identifier: 1800	1	0
NtResumeThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1800	1	0
NtGetContextThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x0000018c	1	0
NtSetContextThread Aug. 29, 2021, 12:38 p.m.	registers.eip: 4571616 registers.esp: 310868876 registers.edi: 0 registers.eax: 0 registers.ebp: 311700609 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000018c process_identifier: 1800	1	0
NtResumeThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1800	1	0
NtGetContextThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x0000018c	1	0
NtSetContextThread Aug. 29, 2021, 12:38 p.m.	registers.eip: 4571616 registers.esp: 310868876 registers.edi: 0 registers.eax: 0 registers.ebp: 3 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000018c process_identifier: 1800	1	0
NtResumeThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1800	1	0
CreateProcessInternalW Aug. 29, 2021, 12:38 p.m.	thread_identifier: 2140 thread_handle: 0x00000284 process_identifier: 3068 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd.exe /c "netsh wlan show networks mode=bssid" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 1024 (CREATE_UNICODE_ENVIRONMENT) inherit_handles: 1 process_handle: 0x00000288	1	1
CreateProcessInternalW Aug. 29, 2021, 12:38 p.m.	thread_identifier: 1108 thread_handle: 0x000002a0 process_identifier: 1312 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd.exe /c "arp -a" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 1024 (CREATE_UNICODE_ENVIRONMENT) inherit_handles: 1 process_handle: 0x000002a4	1	1
CreateProcessInternalW Aug. 29, 2021, 12:38 p.m.	thread_identifier: 276 thread_handle: 0x0000029c process_identifier: 508 current_directory: filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd.exe /c "netstat -ano -p TCP" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 1024 (CREATE_UNICODE_ENVIRONMENT) inherit_handles: 1 process_handle: 0x000002a0	1	1
NtGetContextThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x0000028c	1	0
NtSetContextThread Aug. 29, 2021, 12:38 p.m.	registers.eip: 4571616 registers.esp: 318274096 registers.edi: 0 registers.eax: 0 registers.ebp: 2 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000028c process_identifier: 1800	1	0
NtResumeThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 1800	1	0
NtGetContextThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x0000028c	1	0
NtResumeThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 1800	1	0
CreateProcessInternalW Aug. 29, 2021, 12:38 p.m.	thread_identifier: 1644 thread_handle: 0x00000084 process_identifier: 684 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\netsh.exe track: 1 command_line: netsh wlan show networks mode=bssid filepath_r: C:\Windows\system32\netsh.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 684	1	0
CreateProcessInternalW Aug. 29, 2021, 12:38 p.m.	thread_identifier: 2168 thread_handle: 0x00000084 process_identifier: 2252 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\ARP.EXE track: 1 command_line: arp -a filepath_r: C:\Windows\system32\ARP.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread Aug. 29, 2021, 12:38 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2252	1	0
CreateProcessInternalW Aug. 29, 2021, 12:38 p.m.	thread_identifier: 1776 thread_handle: 0x00000084 process_identifier: 2212 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\NETSTAT.EXE track: 1 command_line: netstat -ano -p TCP filepath_r: C:\Windows\system32\NETSTAT.EXE stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Lionic	Trojan.Win32.Agent.l!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37474893
FireEye	Trojan.GenericKD.37474893
ALYac	Trojan.GenericKD.37474893
Cylance	Unsafe
Sangfor	Spyware.Win32.Agent.jzbs
Alibaba	TrojanSpy:Win32/XPACK.1f0a7c27
K7GW	Riskware ( 0040eff71 )
K7AntiVirus	Riskware ( 0040eff71 )
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Kaspersky	Trojan-Spy.Win32.Agent.jzbs
BitDefender	Trojan.GenericKD.37474893
Avast	Win32:Malware-gen
Tencent	Win32.Trojan-spy.Agent.Pcsh
Ad-Aware	Trojan.GenericKD.37474893
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.TrojanVeil.rh
Emsisoft	Trojan.GenericKD.37474893 (B)
Jiangmin	TrojanSpy.Agent.aeuo
Avira	TR/Crypt.XPACK.Gen
MAX	malware (ai score=85)
Kingsoft	Win32.Troj.Agent.jz.(kcloud)
Microsoft	Trojan:Win32/Wacatac.B!ml
Arcabit	Trojan.Generic.D23BD24D
GData	Trojan.GenericKD.37474893
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Generic.C4443231
McAfee	GenericRXAA-AA!B42B568E5B60
Malwarebytes	Malware.AI.2779188549
Rising	Trojan.Generic@ML.98 (RDMK:bonnXIpeH4ftqcE9yEwxYw)
Ikarus	Trojan.Crypt
Fortinet	W32/Agent.JZBS!tr
BitDefenderTheta	AI:Packer.E673164321
AVG	Win32:Malware-gen
Panda	Trj/CI.A
MaxSecure	Trojan.Malware.117045574.susgen

vpn_client.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All