Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 29, 2021, 10:31 a.m.	Sept. 29, 2021, 10:34 a.m.

Size	9.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5730f17fceb0f2fdd132677517c03ff0`
SHA256	`78751dd14a37b8dd074c9dc6e8fa18693e41ac2d663652e76616188d1f5131dc`
CRC32	`25FF7524`
ssdeep	`196608:26xqZc05LWdl1Z+UwN6E3wmnymNk+tacjMcqY55s/ck:/qZc0mvZ+ScorY55s/ck`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

hexacyanide.exe "C:\Users\test22\AppData\Local\Temp\hexacyanide.exe"
1116
- hexacyanide.tmp "C:\Users\test22\AppData\Local\Temp\is-VPV2R.tmp\hexacyanide.tmp" /SL5="$F0164,8975360,831488,C:\Users\test22\AppData\Local\Temp\hexacyanide.exe"
  2384
  - hexacyanide.exe "C:\Users\test22\AppData\Local\Temp\hexacyanide.exe" /VERYSILENT
    2084
    - hexacyanide.tmp "C:\Users\test22\AppData\Local\Temp\is-P4A35.tmp\hexacyanide.tmp" /SL5="$100164,8975360,831488,C:\Users\test22\AppData\Local\Temp\hexacyanide.exe" /VERYSILENT
      1976
      - unitylocation.exe "C:\Users\test22\AppData\Roaming\Unity Service Location\unitylocation.exe"
        1512
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.215.113.102	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.102:1234 -> 192.168.56.101:49208	2400024	ET DROP Spamhaus DROP Listed Traffic Inbound group 25	Misc Attack
TCP 192.168.56.101:49208 -> 185.215.113.102:1234	906200098	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT)	undefined
TCP 185.215.113.102:1234 -> 192.168.56.101:49208	2030724	ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)	Domain Observed Used for C2 Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49208 185.215.113.102:1234	CN=BitRAT	CN=BitRAT	d9:f0:9e:18:ae:dd:c3:ed:5c:0a:5d:1c:8b:cb:b1:31:af:34:cf:0f

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 29, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 29, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 29, 2021, 10:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 29, 2021, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 29, 2021, 10:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 29, 2021, 10:32 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 29, 2021, 10:31 a.m.			0	0
IsDebuggerPresent Sept. 29, 2021, 10:31 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 29, 2021, 10:32 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 29, 2021, 10:31 a.m.	stacktrace: TMethodImplementationIntercept+0x1fbb2e dbkFCallWrapperAddr-0x20cb2 hexacyanide+0x2b198e @ 0x6b198e TMethodImplementationIntercept+0x1fbb2e dbkFCallWrapperAddr-0x20cb2 hexacyanide+0x2b198e @ 0x6b198e TMethodImplementationIntercept+0x20e90c dbkFCallWrapperAddr-0xded4 hexacyanide+0x2c476c @ 0x6c476c BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1637804 registers.edi: 0 registers.eax: 1637804 registers.ebp: 1637884 registers.edx: 0 registers.ebx: 3 registers.esi: 2 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 29, 2021, 10:31 a.m.

stacktrace:

TMethodImplementationIntercept+0x1fbb2e dbkFCallWrapperAddr-0x20cb2 hexacyanide+0x2b198e @ 0x6b198e
TMethodImplementationIntercept+0x1fbb2e dbkFCallWrapperAddr-0x20cb2 hexacyanide+0x2b198e @ 0x6b198e
TMethodImplementationIntercept+0x20e90c dbkFCallWrapperAddr-0xded4 hexacyanide+0x2c476c @ 0x6c476c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1637804
registers.edi: 0
registers.eax: 1637804
registers.ebp: 1637884
registers.edx: 0
registers.ebx: 3
registers.esi: 2
registers.ecx: 7

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 29, 2021, 10:31 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:31 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:31 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:31 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:31 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:31 a.m.	process_identifier: 2384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 29, 2021, 10:31 a.m.	process_identifier: 2384 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:31 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:31 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 745472 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:31 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:31 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 73728 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:31 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72af2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:31 a.m.	process_identifier: 1976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72af2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 29, 2021, 10:31 a.m.	process_identifier: 1976 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 29, 2021, 10:32 a.m.	process_identifier: 1512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728e2000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

unitylocation.exe tried to sleep 346 seconds, actually delayed analysis time by 346 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 29, 2021, 10:25 a.m.	total_number_of_free_bytes: 13694439424 free_bytes_available: 13694439424 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unity Service Location\Unity Service Location.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netoptimize.lnk

Creates a shortcut to an executable file (16 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴오피스 한글 2010.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unity Service Location\Unity Service Location.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Unity Service Location\Unity Service Location.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netoptimize.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\한컴 사전.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\netoptimize.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-VPV2R.tmp\hexacyanide.tmp

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

Lionic	Trojan.Win32.Solmyr.l!c
APEX	Malicious
Kaspersky	Trojan-Spy.Win32.Solmyr.qq
Avast	FileRepMalware
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	MSIL.Backdoor.AMRat.IU5H9P
AVG	FileRepMalware

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 29, 2021, 10:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 29, 2021, 10:32 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0

Queries for potentially installed applications (1 event)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW Sept. 29, 2021, 10:31 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{5BC0137E-0E75-42CF-9769-E1F413555014}_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5BC0137E-0E75-42CF-9769-E1F413555014}_is1		2	0

Communicates with host for which no DNS query was performed (1 event)

host

185.215.113.102

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 29, 2021, 10:32 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netoptimize.lnk

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-P4A35.tmp\hexacyanide.tmp

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Sept. 29, 2021, 10:32 a.m.	thread_identifier: 0 callback_function: 0x004cf84a hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x00000000	1	2949229	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Sept. 29, 2021, 10:32 a.m.	thread_identifier: 0 callback_function: 0x0048a8cc hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	9831235	0

hexacyanide.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All