Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 30, 2021, 6:57 p.m.	Aug. 30, 2021, 7:02 p.m.

Size	93.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0cb653b63f1f96cc5b362096cede91e4`
SHA256	`07a7e8b55aae7e593602a7dc0e67dbf0debb3ccd4c4d769d7fab0e34a675b4e7`
CRC32	`6E721F50`
ssdeep	`1536:QY2QC8OoJlCnnynKkM3tsevTzPk2EMpr4aHUl:T2QqoXCyxqsebzIMNv0l`
Yara	PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file IsPE32 - (no description)

AXC.exe "C:\Users\test22\AppData\Local\Temp\AXC.exe"
1868
- AXC.exe "C:\Users\test22\AppData\Local\Temp\AXC.exe"
  2112
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\install.vbs"
    2412
    - cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\vlc.exe"
      2768
      - vlc.exe C:\Users\test22\AppData\Roaming\vlc.exe
        1768
        
        vlc.exe C:\Users\test22\AppData\Roaming\vlc.exe
        1556

Name	Response	Post-Analysis Lookup
swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu	A 78.129.249.105	78.129.249.105

IP Address	Status	Action
103.133.111.149	Active	Moloch
164.124.101.2	Active	Moloch
78.129.249.105	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49208 -> 103.133.111.149:80	2018752	ET MALWARE Generic .bin download from Dotted Quad	A Network Trojan was detected
TCP 192.168.56.101:49202 -> 103.133.111.149:80	2018752	ET MALWARE Generic .bin download from Dotted Quad	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 30, 2021, 6:57 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://103.133.111.149/Gee_remcos%202020_eborUv118.bin

Performs some HTTP requests (1 event)

request

GET http://103.133.111.149/Gee_remcos%202020_eborUv118.bin

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 30, 2021, 6:57 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2021, 6:57 p.m.	process_identifier: 1868 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 30, 2021, 6:58 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 30, 2021, 6:58 p.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 30, 2021, 6:58 p.m.	process_identifier: 2412 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 30, 2021, 6:58 p.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 30, 2021, 6:58 p.m.	process_identifier: 1768 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 30, 2021, 6:59 p.m.	process_identifier: 1768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 30, 2021, 6:59 p.m.	process_identifier: 1556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 876544 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x773b0000 process_handle: 0xffffffff	1

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\vlc.exe"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 30, 2021, 6:58 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\install.vbs parameters: filepath: C:\Users\test22\AppData\Local\Temp\install.vbs	1	1	0
ShellExecuteExW Aug. 30, 2021, 6:58 p.m.	show_type: 0 filepath_r: cmd parameters: /c "C:\Users\test22\AppData\Roaming\vlc.exe" filepath: cmd	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 30, 2021, 6:57 p.m.	process_identifier: 1868 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003e0000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

103.133.111.149

Enumerates services, possibly for anti-virtualization (1 event)

Time & API	Arguments	Status	Return	Repeated
EnumServicesStatusA Aug. 30, 2021, 6:58 p.m.	service_handle: 0x00546300 service_type: 48 service_status: 3		0	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\win				reg_value	"C:\Users\test22\AppData\Roaming\vlc.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\win				reg_value	"C:\Users\test22\AppData\Roaming\vlc.exe"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\install.vbs

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Aug. 30, 2021, 6:59 p.m.	thread_identifier: 0 callback_function: 0x004052ba hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	1376483	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Roaming\vlc.exe"
parent_process	wscript.exe				martian_process	cmd /c "C:\Users\test22\AppData\Roaming\vlc.exe"

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Lionic	Trojan.Win32.Stealer.l!c
McAfee	Artemis!0CB653B63F1F
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.633b6e
BitDefenderTheta	Gen:NN.ZevbaF.34110.fm1@aiXW4Zp
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of Win32/GenKryptik.FJQA
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:Trojan.Win32.Mucc
Avast	FileRepMalware
Sophos	Mal/Generic-S
McAfee-GW-Edition	Artemis!Trojan
eGambit	Unsafe.AI_Score_100%
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Cynet	Malicious (score: 100)
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_80% (W)

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

78.129.249.105:2017

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe

AXC.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All