Summary | ZeroBOX

b.exe

Tags: Generic Malware, Malicious Library, UPX, Malicious Packer, PE File, DLL, OS Processor Check, PE32

Category: FILE
Machine: s1_win7_x6401
Started: Sept. 29, 2021, 8:17 a.m.
Completed: Sept. 29, 2021, 8:19 a.m.
Size: 2.0 MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 03adc7bd4c01b446223c463e7c8240cc
SHA256: 715e1eb5414e749e16fb3999dda7bcf8405e6fb4e14e66ddcbdf20a2e1af89c3
CRC32: CCFABD45
ssdeep: 49152:eM0q2RjHRmDdF3ny8eKgNW87dOZQkC4NN+nRF8g7/OnS:aq2jmhFy8eKgNd7dOlC4NknRZGnS
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

DNS
Name: hashlegion.duia.eu
Response: (none recorded)
Post-Analysis Lookup: (none recorded)

IP Address: 164.124.101.2
Status: Active
Action: Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API: GlobalMemoryStatusEx
Arguments: (none)
Status: 1
Return: 1
Repeated: 0
section .ndata
file C:\Users\test22\AppData\Local\Temp\nsq6471.tmp\nsProcess.dll
file C:\Users\test22\AppData\Local\Temp\nsq6471.tmp\nsExec.dll
file C:\Windows\winspl.exe
API: CreateServiceW
Arguments:
  service_start_name:
  start_type: 2
  password:
  display_name: WinService
  filepath: C:\Windows\winspl.exe
  service_name: WinService
  filepath_r: C:\Windows\winspl.exe
  desired_access: 983551
  service_handle: 0x0056bc38
  error_control: 1
  service_type: 16
  service_manager_handle: 0x0056bcd8
Status: 1
Return: 5684280
Repeated: 0
cmdline C:\Windows\system32\cmd.exe /C Sc create WinService binpath= C:\Windows\winspl.exe start= auto DisplayName= WinService
cmdline C:\Windows\system32\cmd.exe /C sc description WinService ServiceManagerForWin
cmdline C:\Windows\system32\cmd.exe /C net start WinService
cmdline C:\Windows\system32\cmd.exe /C Sc delete WinService
cmdline C:\Windows\system32\cmd.exe /C net stop WinService
file C:\Users\test22\AppData\Local\Temp\nsq6471.tmp\nsExec.dll
file C:\Users\test22\AppData\Local\Temp\nsq6471.tmp\nsProcess.dll
cmdline C:\Windows\system32\cmd.exe /C Sc create WinService binpath= C:\Windows\winspl.exe start= auto DisplayName= WinService
cmdline C:\Windows\system32\cmd.exe /C sc description WinService ServiceManagerForWin
cmdline Sc delete WinService
cmdline net stop WinService
cmdline C:\Windows\system32\cmd.exe /C net start WinService
cmdline net start WinService
cmdline sc description WinService ServiceManagerForWin
cmdline C:\Windows\system32\cmd.exe /C Sc delete WinService
cmdline C:\Windows\system32\cmd.exe /C net stop WinService
cmdline Sc create WinService binpath= C:\Windows\winspl.exe start= auto DisplayName= WinService
service_name: WinService  service_path: C:\Windows\winspl.exe

Antivirus
Lionic: Trojan.Win32.Generic.4!c
Elastic: malicious (high confidence)
MicroWorld-eScan: Trojan.GenericKD.47037706
FireEye: Generic.mg.03adc7bd4c01b446
CAT-QuickHeal: Trojan.Generic
ALYac: Trojan.GenericKD.47037706
Cylance: Unsafe
K7AntiVirus: Trojan-Downloader ( 0050e5cf1 )
Alibaba: Trojan:Win32/CryptInject.acd55940
K7GW: Trojan-Downloader ( 0050e5cf1 )
CrowdStrike: win/malicious_confidence_60% (W)
BitDefenderTheta: Gen:NN.ZelphiF.34170.@V0@a8tnKGei
Cyren: W32/Trojan.UCOR-0492
Symantec: Trojan Horse
ESET-NOD32: a variant of Win32/Delf.BBD
APEX: Malicious
ClamAV: Win.Malware.Zusy-9896261-0
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Trojan.GenericKD.47037706
Avast: NSIS:MalwareX-gen [Trj]
Tencent: Win32.Trojan.Generic.Eyn
Ad-Aware: Trojan.GenericKD.47037706
Sophos: Mal/Generic-S
Comodo: Malware@#2eg14c62gc0gc
McAfee-GW-Edition: BehavesLike.Win32.ICLoader.vc
Emsisoft: Trojan.GenericKD.47037706 (B)
SentinelOne: Static AI - Malicious PE
Avira: HEUR/AGEN.1138164
MAX: malware (ai score=88)
Gridinsoft: Trojan.Win32.CoinMiner.oa
Microsoft: Trojan:Win32/Sabsik.FL.B!ml
GData: Trojan.GenericKD.47037706
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win32.Fuery.R202739
McAfee: Artemis!03ADC7BD4C01
VBA32: Trojan.Sabsik.TE
Malwarebytes: Malware.AI.4216912352
TrendMicro-HouseCall: TROJ_GEN.R002C0DIM21
Rising: Trojan.CoinMiner/NSIS!1.D88C (CLASSIC)
Yandex: Trojan.Delf!r9h+bLLk67g
Ikarus: Trojan.Delf.CoinMiner
Fortinet: W32/Delf.BBD!tr
Webroot: W32.Malware.Gen
AVG: NSIS:MalwareX-gen [Trj]
Cybereason: malicious.d4c01b