Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 1, 2021, 9:24 a.m.	Oct. 1, 2021, 9:37 a.m.

Size	3.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c5687cde262a0776027b2f73f1266a79`
SHA256	`a6e7917a28583bd02d4bdd47d512efe0f7f9c81ab365548734ce8de4df6b9ce5`
CRC32	`5A228951`
ssdeep	`49152:caEjcPLmTsMeh4CjfBKT6Pys3SLMBL/vQr75xQGdJNsd3bypQsYYcp:chczmAMeh4CWsv`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) NPKI_Zero - File included NPKI

faba50s4e01t22barcode.exe "C:\Users\test22\AppData\Local\Temp\faba50s4e01t22barcode.exe"
2416
- regsvr32.exe regsvr32.exe /s /u C:\Users\test22\AppData\Roaming\FastCode\FastCode_update.dll
  2444
- regsvr32.exe regsvr32.exe /s C:\Users\test22\AppData\Roaming\FastCode\FastCode_update.dll
  1836

Name	Response	Post-Analysis Lookup
www.yellowbo.cn	A 47.96.66.133	47.96.66.133

IP Address	Status	Action
164.124.101.2	Active	Moloch
47.96.66.133	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 1, 2021, 9:24 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.gfids
section	.rc

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://www.yellowbo.cn/web/xylog.lg?WVQwMU1EQXhNbm9tWXowNVJqVkdOVEUyTjBVME5qQTJPVGczUVRrNFEwVkVPVGRGUVRZeE1USkdOaVprUFRVdU1DNHhMakltWmowNE1DWm5QVFFtYlQwd0ptdzlOVEF4Sm00OU1UVTRPVUU1TTBKQk5qUkJORVEzTWpWQk1VVTVNVUZGTnpZNU9EWkNRMEltYnowPQ==

Performs some HTTP requests (1 event)

request

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 1, 2021, 9:24 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727d7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 1, 2021, 9:24 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 1, 2021, 9:24 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 1, 2021, 9:24 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 1, 2021, 9:24 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 1, 2021, 9:24 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 1, 2021, 9:24 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75431000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 1, 2021, 9:24 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 1, 2021, 9:24 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 1, 2021, 9:24 a.m.	process_identifier: 1836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cc1000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (7 events)

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00161690

size

0x000010a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00161690

size

0x000010a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00161690

size

0x000010a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00161690

size

0x000010a8

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00161690

size

0x000010a8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00162738

size

0x0000004c

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00162784

size

0x0000047c

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\FastCode\FastCode.exe
file	C:\Users\test22\AppData\Roaming\FastCode\Uninst.exe
file	C:\Users\test22\AppData\Roaming\FastCode\FastCode_update.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Oct. 1, 2021, 9:24 a.m.	service_start_name: start_type: 2 password: display_name: FastCodeUpdateService filepath: C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k FastCode_updatesvc service_name: FastCodeUpdateService filepath_r: %SystemRoot%\System32\svchost.exe -k FastCode_updatesvc desired_access: 983551 service_handle: 0x005adf18 error_control: 0 service_type: 16 service_manager_handle: 0x005adfb8	1	5955352	0

Creates a suspicious process (2 events)

cmdline	regsvr32.exe /s C:\Users\test22\AppData\Roaming\FastCode\FastCode_update.dll
cmdline	regsvr32.exe /s /u C:\Users\test22\AppData\Roaming\FastCode\FastCode_update.dll

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Roaming\FastCode\Uninst.exe
file	C:\Users\test22\AppData\Roaming\FastCode\FastCode.exe
file	C:\Users\test22\AppData\Roaming\FastCode\FastCode_update.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (5 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 1, 2021, 9:24 a.m.	snapshot_handle: 0x000000e8 process_name: mobsync.exe process_identifier: 2100	1	1
Process32NextW Oct. 1, 2021, 9:24 a.m.	snapshot_handle: 0x000000e8 process_name: pw.exe process_identifier: 1552	1	1
Process32NextW Oct. 1, 2021, 9:24 a.m.	snapshot_handle: 0x000000e8 process_name: taskhost.exe process_identifier: 2420	1	1
Process32NextW Oct. 1, 2021, 9:24 a.m.	snapshot_handle: 0x000000e8 process_name: sdclt.exe process_identifier: 2412	1	1
Process32NextW Oct. 1, 2021, 9:24 a.m.	snapshot_handle: 0x000000e8 process_name: faba50s4e01t22barcode.exe process_identifier: 2416	1	1

Installs itself for autorun at Windows startup (2 events)

service_name	FastCodeUpdateService				service_path	C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k FastCode_updatesvc
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FastCodeUpdateService\Parameters\ServiceDll				reg_value	C:\Users\test22\AppData\Roaming\FastCode\FastCode_update.dll

Queries information on disks, possibly for anti-virtualization (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Oct. 1, 2021, 9:24 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x00000108 filepath: \??\PhysicalDrive0 desired_access: 0x00100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 0 (FILE_SUPERSEDED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0	0
DeviceIoControl Oct. 1, 2021, 9:24 a.m.	input_buffer: control_code: 2954240 () device_handle: 0x00000108 output_buffer: (§Lu~$ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42566234393262373030372d6533656331322036	1	1	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Lionic	Adware.Win32.Burden.2!c
MicroWorld-eScan	Trojan.GenericKD.46992271
FireEye	Trojan.GenericKD.46992271
CAT-QuickHeal	Trojan.Kuaizip
ALYac	Trojan.GenericKD.46992271
Cylance	Unsafe
Zillya	Adware.Burden.Win32.4569
K7AntiVirus	Adware ( 005818041 )
Alibaba	AdWare:Win32/Burden.307acbdc
K7GW	Adware ( 005818041 )
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/KuaiZip.AG potentially unwanted
APEX	Malicious
Paloalto	generic.ml
Kaspersky	not-a-virus:HEUR:AdWare.Win32.Burden.gen
BitDefender	Trojan.GenericKD.46992271
Avast	Win32:Adware-gen [Adw]
Rising	Adware.Agent!1.CD94 (CLASSIC)
Ad-Aware	Trojan.GenericKD.46992271
Emsisoft	Trojan.GenericKD.46992271 (B)
TrendMicro	TROJ_FRS.VSNW03I21
McAfee-GW-Edition	Artemis!PUP
Sophos	Generic PUA KN (PUA)
Jiangmin	Trojan.Generic.gwtqi
MAX	malware (ai score=82)
Antiy-AVL	Trojan/Generic.ASMalwS.3492BF7
Microsoft	PUA:Win32/KuaiZip
Arcabit	Trojan.Generic.D2CD0B8F
GData	Trojan.GenericKD.46992271
Cynet	Malicious (score: 100)
McAfee	PUP-XQD-HK
VBA32	BScope.Adware.Burden
Malwarebytes	PUP.Optional.ChinAd
TrendMicro-HouseCall	TROJ_FRS.VSNW03I21
Yandex	PUA.Burden!QAKJrxPveHo
Fortinet	Adware/Burden
AVG	Win32:Adware-gen [Adw]
Panda	Trj/CI.A

faba50s4e01t22barcode.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All