Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 15, 2021, 5:59 p.m.	Oct. 15, 2021, 6:03 p.m.

Size	733.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1f67cc3aee307cde9e5102d372f9b87e`
SHA256	`8618bf549fe77b12325caeac35e24857145cba568d740c191a5850e2cc2c3960`
CRC32	`48EA5EF0`
ssdeep	`12288:8qzcpVgUXzL0TTUKZHTNloEkOpnKgofuIwV6eAj0wZxxXMcEe/3paPcgrX:8qzcpKIL0TvZzNlNky0wVW0wZxxVgrX`
Yara	PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library

babay.exe "C:\Users\test22\AppData\Local\Temp\babay.exe"
1040

Name	Response	Post-Analysis Lookup
deli.mywire.org	A 176.216.222.110	176.216.222.110

IP Address	Status	Action
125.253.92.50	Active	Moloch
164.124.101.2	Active	Moloch
176.216.222.110	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 15, 2021, 5:59 p.m.	process_identifier: 1040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74042000 process_handle: 0xffffffff	1	0	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

babay.exe tried to sleep 273 seconds, actually delayed analysis time by 273 seconds

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 15, 2021, 5:59 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 15, 2021, 5:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 15, 2021, 5:59 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1

Communicates with host for which no DNS query was performed (1 event)

host

125.253.92.50

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Oct. 15, 2021, 5:59 p.m.	thread_identifier: 0 callback_function: 0x001e7464 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	262373	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

176.216.222.110:20000

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
DrWeb	Trojan.WebPick.8684
MicroWorld-eScan	Gen:Variant.Zusy.361706
FireEye	Generic.mg.1f67cc3aee307cde
CAT-QuickHeal	Backdoor.Dodiw.A5
McAfee	BackDoor-FCXS!1F67CC3AEE30
Cylance	Unsafe
Zillya	Trojan.Agent.Win32.560290
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_80% (D)
BitDefenderTheta	Gen:NN.ZexaF.34218.TuW@aifT5qbi
Cyren	W32/S-ad8de17d!Eldorado
ESET-NOD32	Win32/Spy.Agent.OSD
APEX	Malicious
ClamAV	Win.Trojan.Agent-1323921
Kaspersky	Trojan.Win32.Fsysna.cewh
BitDefender	Gen:Variant.Zusy.361706
NANO-Antivirus	Trojan.Win32.Dodiw.duviir
SUPERAntiSpyware	Ransom.Cradle/Variant
Avast	Win32:RATX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10b147b4
Ad-Aware	Gen:Variant.Zusy.361706
TACHYON	Trojan/W32.Fsysna.750592
Emsisoft	Gen:Variant.Zusy.361706 (B)
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	BKDR_DODIW.SM
McAfee-GW-Edition	BehavesLike.Win32.BrowseFox.bh
Sophos	Troj/Agent-BAGZ
Ikarus	Backdoor.Win32.Dodiw
Jiangmin	Trojan/Generic.bhnec
Webroot	W32.Trojan.Gen
Avira	TR/AD.BabylonRAT.uqiib
Antiy-AVL	Trojan/Generic.ASMalwS.131BB0E
Microsoft	Backdoor:Win32/Dodiw.A
ViRobot	Trojan.Win32.Agent.794624.L
ZoneAlarm	Trojan.Win32.Fsysna.cewh
GData	Gen:Variant.Zusy.361706
Cynet	Malicious (score: 99)
AhnLab-V3	Backdoor/Win32.Dodiw.R197218
VBA32	Trojan.Fsysna
ALYac	Gen:Variant.Zusy.361706
MAX	malware (ai score=85)
Malwarebytes	Spyware.PasswordStealer
TrendMicro-HouseCall	BKDR_DODIW.SM
Rising	Spyware.Agent!1.AD22 (CLASSIC)
Yandex	Trojan.GenAsa!qQ7637zty1s
SentinelOne	Static AI - Malicious PE

babay.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All