Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 28, 2021, 1:45 p.m.	Sept. 28, 2021, 2:04 p.m.

Size	711.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7c48019f424bbd08de9d0c7d66e0ea7c`
SHA256	`33d15dacd2b4951517f39aa2e12afa747ddc5785b0ef3c2d78c3db16cae97d7c`
CRC32	`FA0F1C2D`
ssdeep	`12288:cncY5ozinnbUiFGMWR9wWmrJdLI05xzFlcNQyVp9uGjOL6N3nd:QozYbhW5mrzk05xzFlcRjuzc3d`
PDB Path	C:\mewikuti75\kecinulel\nahil\xutir-temexado-weribayidob.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

build2.exe "C:\Users\test22\AppData\Local\Temp\build2.exe"
3068
- build2.exe "C:\Users\test22\AppData\Local\Temp\build2.exe"
  1612

Name	Response	Post-Analysis Lookup
mas.to	A 88.99.75.82	88.99.75.82

IP Address	Status	Action
164.124.101.2	Active	Moloch
88.99.75.82	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49168 -> 88.99.75.82:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:52062 -> 164.124.101.2:53	2027757	ET DNS Query for .to TLD	Potentially Bad Traffic
TCP 88.99.75.82:443 -> 192.168.56.102:49169	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 88.99.75.82:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 28, 2021, 1:45 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\mewikuti75\kecinulel\nahil\xutir-temexado-weribayidob.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

HOXOVIGUBUPUWILUSI

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 28, 2021, 1:45 p.m.	stacktrace: exception.instruction_r: 8a 08 40 3a cb 75 f9 2b c2 50 56 b9 5c 10 4d 00 exception.symbol: build2+0x106e0 exception.instruction: mov cl, byte ptr [eax] exception.module: build2.exe exception.exception_code: 0xc0000005 exception.offset: 67296 exception.address: 0x4106e0 registers.esp: 1637032 registers.edi: 0 registers.eax: 0 registers.ebp: 16 registers.edx: 1 registers.ebx: 0 registers.esi: 0 registers.ecx: 1637060	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 28, 2021, 1:45 p.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 507904 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d89000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 28, 2021, 1:45 p.m.	process_identifier: 3068 region_size: 868352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0007be00', u'virtual_address': u'0x00023000', u'entropy': 7.9889131685860875, u'name': u'.data', u'virtual_size': u'0x027c0f00'}

entropy

7.98891316859

description

A section with a high entropy has been found

entropy

0.697396199859

description

Overall entropy of this PE file is high

Yara rule detected in process memory (12 events)

description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Take ScreenShot	rule	ScreenShot
description	browser info stealer	rule	infoStealer_browser_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 28, 2021, 1:45 p.m.	process_identifier: 1612 region_size: 880640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 28, 2021, 1:45 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1612 process_handle: 0x00000080	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3068 called NtSetContextThread to modify thread in remote process 1612
NtSetContextThread Sept. 28, 2021, 1:45 p.m.	registers.eip: 2007957956 registers.esp: 1638384 registers.edi: 0 registers.eax: 4850477 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 1612	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3068 resumed a thread in remote process 1612
NtResumeThread Sept. 28, 2021, 1:45 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 1612	1	0	0

Executed a process and injected code into it, probably while unpacking (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 28, 2021, 1:45 p.m.	thread_identifier: 1080 thread_handle: 0x0000007c process_identifier: 1612 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\build2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Sept. 28, 2021, 1:45 p.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Sept. 28, 2021, 1:45 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 1612 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Sept. 28, 2021, 1:45 p.m.	process_identifier: 1612 region_size: 880640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Sept. 28, 2021, 1:45 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1612 process_handle: 0x00000080	1	1
NtSetContextThread Sept. 28, 2021, 1:45 p.m.	registers.eip: 2007957956 registers.esp: 1638384 registers.edi: 0 registers.eax: 4850477 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 1612	1	0
NtResumeThread Sept. 28, 2021, 1:45 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 1612	1	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Malicious.4!c
Elastic	malicious (high confidence)
ClamAV	Win.Packed.Generic-9896112-0
FireEye	Generic.mg.7c48019f424bbd08
CAT-QuickHeal	Ransom.Stop.Z5
ALYac	Trojan.GenericKD.47020876
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 00587f171 )
BitDefender	Trojan.GenericKD.47020876
K7GW	Trojan ( 00587f171 )
Cybereason	malicious.f1fd9a
BitDefenderTheta	Gen:NN.ZexaF.34170.Su0@aq0MEFfO
Cyren	W32/Kryptik.FJD.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HMOS
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Exploit.Win32.Shellcode.gen
Alibaba	Trojan:Win32/Glupteba.3a56ef74
MicroWorld-eScan	Trojan.GenericKD.47020876
Rising	Trojan.Kryptik!1.D9C0 (CLASSIC)
Ad-Aware	Trojan.GenericKD.47020876
Emsisoft	Trojan-Spy.Agent (A)
DrWeb	Trojan.PWS.Stealer.31055
McAfee-GW-Edition	BehavesLike.Win32.Emotet.bc
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
Jiangmin	Exploit.ShellCode.eot
Avira	TR/AD.MalwareCrypter.hcfyl
MAX	malware (ai score=81)
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Glupteba.QM!MTB
Gridinsoft	Trojan.Win32.Packed.vb
GData	Trojan.GenericKD.47020876
AhnLab-V3	Trojan/Win.MalPE.R442437
Acronis	suspicious
McAfee	Packed-GDT!7C48019F424B
Malwarebytes	Trojan.MalPack.GS
Panda	Trj/Genetic.gen
TrendMicro-HouseCall	TROJ_GEN.R03FC0DIR21
Tencent	Malware.Win32.Gencirc.10cf412e
Yandex	Trojan.GenKryptik!VMFuG5CeYcg
Ikarus	Trojan.Win32.Crypt
eGambit	Unsafe.AI_Score_78%
Fortinet	W32/Kryptik.HMOO!tr
Webroot	W32.Trojan.Gen
AVG	Win32:PWSX-gen [Trj]

build2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All