Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 23, 2021, 8:50 a.m.	Sept. 23, 2021, 9:05 a.m.

Size	1.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`19892e4eaa5acc4d15853a76566ac7c5`
SHA256	`4f57c0096974f1d6feca433908c0267355a418893145ffb43a66de5ddf7be9e1`
CRC32	`BAAB9D29`
ssdeep	`24576:UZUwXfHfdrWqVn6tnFE2A8ZF6Qm+pKVGo9fcwDLMQG+j2XlR:Cf/RCGmdpKJ9fc1Y2f`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

bie.exe "C:\Users\test22\AppData\Local\Temp\bie.exe"
112
- taskkill.exe Taskkill /F /IM DbSecuritySpt.exe
  1836
- taskkill.exe Taskkill /F /IM Bill.exe
  2112
- taskkill.exe Taskkill /F /IM svch0st.exe
  2200

Name	Response	Post-Analysis Lookup
300gsyn.it	A 155.94.178.138	155.94.178.138

IP Address	Status	Action
155.94.178.138	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 23, 2021, 8:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 23, 2021, 8:50 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 23, 2021, 8:50 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 23, 2021, 8:50 a.m.	buffer: ERROR: The process "DbSecuritySpt.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 23, 2021, 8:50 a.m.	buffer: ERROR: The process "Bill.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 23, 2021, 8:50 a.m.	buffer: ERROR: The process "svch0st.exe" not found. console_handle: 0x0000000b	1	1

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

EXE

Foreign language identified in PE resource (9 events)

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

name

EXE

language

LANG_CHINESE

filetype

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00133e48

size

0x0000ec00

Creates executable files on the filesystem (3 events)

file	C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe
file	C:\Program Files\DbSecuritySpt\Packet.dll
file	C:\Program Files\DbSecuritySpt\SESDKDummy64.dll

Creates a service (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Sept. 23, 2021, 8:50 a.m.	service_start_name: start_type: 2 password: display_name: filepath: C:\Program Files\DbSecuritySpt\npf.sys service_name: NPF filepath_r: C:\Program Files\DbSecuritySpt\npf.sys desired_access: 983551 service_handle: 0x0098b900 error_control: 1 service_type: 1 service_manager_handle: 0x0098b720	1	10008832	0
CreateServiceA Sept. 23, 2021, 8:50 a.m.	service_start_name: start_type: 2 password: display_name: filepath: C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe service_name: DbSecuritySpt filepath_r: C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe desired_access: 983551 service_handle: 0x0098b5b8 error_control: 1 service_type: 16 service_manager_handle: 0x0098b720	1	10007992	0

Executes one or more WMI queries (3 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "DbSecuritySpt.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "svch0st.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Bill.exe")

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 23, 2021, 8:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 23, 2021, 8:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Sept. 23, 2021, 8:50 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	Taskkill /F /IM svch0st.exe
cmdline	Taskkill /F /IM DbSecuritySpt.exe
cmdline	Taskkill /F /IM Bill.exe

Installs itself for autorun at Windows startup (2 events)

service_name	NPF				service_path	C:\Program Files\DbSecuritySpt\npf.sys
service_name	DbSecuritySpt				service_path	C:\Program Files\DbSecuritySpt\DbSecuritySpt.exe

Installs WinPCAP (2 events)

file	C:\Program Files\DbSecuritySpt\Packet.dll
file	C:\Program Files\DbSecuritySpt\npf.sys

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Reconyc.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Agent.CGMR
FireEye	Generic.mg.19892e4eaa5acc4d
CAT-QuickHeal	Trojan.WebToos.S18562
ALYac	Trojan.Agent.CGMR
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
K7AntiVirus	RootKit ( 0055e3fe1 )
Alibaba	Trojan:Win32/WebToos.ba270fa0
K7GW	RootKit ( 0055e3fe1 )
Cybereason	malicious.eaa5ac
Arcabit	Trojan.Agent.CGMR
Baidu	Win32.Rootkit.Agent.at
Cyren	W32/WebToos.B.gen!Eldorado
ESET-NOD32	multiple detections
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Trojan.Gadoopt-2
Kaspersky	Trojan.Win32.Reconyc.esql
BitDefender	Trojan.Agent.CGMR
NANO-Antivirus	Trojan.Win32.Reconyc.exhhog
SUPERAntiSpyware	Trojan.Agent/Gen-Backdoor
Avast	Win32:Prockill-A [Rtk]
Tencent	Malware.Win32.Gencirc.10b54e8b
Ad-Aware	Trojan.Agent.CGMR
Emsisoft	Trojan.Agent.CGMR (B)
DrWeb	BackDoor.Gates.8
Zillya	Rootkit.Agent.Win32.15968
TrendMicro	TROJ_WEBTOOS.SM
McAfee-GW-Edition	BehavesLike.Win32.Generic.th
Sophos	ML/PE-A
Ikarus	Backdoor.Win32.Agent
Jiangmin	Trojan/Reconyc.eyd
Webroot	W32.Trojan.Gadoopt-1
Avira	TR/Agent.14016.2
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Generic.ASMalwS.A3CBB3
Gridinsoft	Rootkit.Win32.Agent.bot!s1
Microsoft	Trojan:Win32/WebToos.A
ViRobot	Backdoor.Win32.Agent.1315840.A
GData	Trojan.Agent.CGMR
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Webtoos.C1040590
McAfee	GenericRXDY-OY!19892E4EAA5A
TACHYON	Trojan/W32.Rootkit.1315840
VBA32	Backdoor.Gates
Malwarebytes	Trojan.WebToos
TrendMicro-HouseCall	TROJ_WEBTOOS.SM

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (22 events)

dead_host	192.168.56.101:49222
dead_host	192.168.56.101:49211
dead_host	192.168.56.101:49206
dead_host	192.168.56.101:49219
dead_host	192.168.56.101:49215
dead_host	192.168.56.101:49223
dead_host	192.168.56.101:49224
dead_host	192.168.56.101:49207
dead_host	192.168.56.101:49208
dead_host	192.168.56.101:49216
dead_host	192.168.56.101:49212
dead_host	192.168.56.101:49225
dead_host	192.168.56.101:49220
dead_host	192.168.56.101:49209
dead_host	192.168.56.101:49217
dead_host	155.94.178.138:25006
dead_host	192.168.56.101:49213
dead_host	192.168.56.101:49221
dead_host	192.168.56.101:49210
dead_host	192.168.56.101:49205
dead_host	192.168.56.101:49218
dead_host	192.168.56.101:49214

bie.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All