Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 1, 2021, 11:32 a.m.	Nov. 1, 2021, 11:36 a.m.

Size	578.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f12a2a6e1d8b3c7e2e998e808da6ac3a`
SHA256	`f3d5fa1c93562561de5b75fca1ff06dfaaf276886f409f3130f6da32f92c708d`
CRC32	`7710959D`
ssdeep	`12288:eoPOjkoO9zYFZ6r0rPVOfW+sfAw4We+qis9KvX3unnn:woo8Yr6QZcwiRn`
PDB Path	C:\xuvuyirahavuzo-kes_gupapawiwege.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

rollerkind.exe "C:\Users\test22\AppData\Local\Temp\rollerkind.exe"
1608
- rollerkind.exe "C:\Users\test22\AppData\Local\Temp\rollerkind.exe"
  2088
  - dipster.exe dipster.exe
    3024

Name	Response	Post-Analysis Lookup
thisonecantbebanned.top	A 78.155.222.151	78.155.222.151
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
164.124.101.2	Active	Moloch
78.155.222.151	Active	Moloch
88.99.66.31	Active	Moloch
195.2.93.45	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49171 -> 78.155.222.151:80	2008259	ET USER_AGENTS Suspicious User-Agent (AutoHotkey)	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 78.155.222.151:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.103:49171 -> 78.155.222.151:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
UDP 192.168.56.103:58465 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 78.155.222.151:80	2008259	ET USER_AGENTS Suspicious User-Agent (AutoHotkey)	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 78.155.222.151:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 78.155.222.151:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 78.155.222.151:80 -> 192.168.56.103:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 78.155.222.151:80 -> 192.168.56.103:49172	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49170 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 1, 2021, 11:32 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\xuvuyirahavuzo-kes_gupapawiwege.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 1, 2021, 11:32 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.giki

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (4 events)

request	GET http://thisonecantbebanned.top/jollion/lipster.exe
request	GET http://thisonecantbebanned.top/moons/top.exe
request	GET https://iplogger.org/16twf7
request	GET https://iplogger.org/1ggL27

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

thisonecantbebanned.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 1, 2021, 11:32 a.m.	process_identifier: 1608 region_size: 442368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 11:32 a.m.	process_identifier: 1608 region_size: 847872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 11:32 a.m.	process_identifier: 3024 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 1, 2021, 11:33 a.m.	process_identifier: 3024 region_size: 233472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\neverlose\ipstersh.exe
file	C:\Users\test22\AppData\Roaming\neverlose\dipster.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\neverlose\ipstersh.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\neverlose\dipster.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0007b400', u'virtual_address': u'0x00001000', u'entropy': 7.956033038443628, u'name': u'.text', u'virtual_size': u'0x0007b233'}

entropy

7.95603303844

description

A section with a high entropy has been found

entropy

0.854419410745

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (4 events)

url	http://thisonecantbebanned.top/jollion/lipster.exe
url	https://iplogger.org/16twf7
url	https://iplogger.org/1ggL27
url	http://thisonecantbebanned.top/moons/top.exe

Yara rule detected in process memory (15 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Run a KeyLogger	rule	KeyLogger
description	Escalate priviledges	rule	Escalate_priviledges
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Communicates with host for which no DNS query was performed (1 event)

host

195.2.93.45

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 1, 2021, 11:32 a.m.	process_identifier: 2088 region_size: 872448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Attempts to identify installed AV products by installation directory (8 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\McAfee
file	C:\ProgramData\Avg
file	C:\ProgramData\Doctor Web
file	C:\ProgramData\Malwarebytes

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 1, 2021, 11:32 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2088 process_handle: 0x00000080	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1608 called NtSetContextThread to modify thread in remote process 2088
NtSetContextThread Nov. 1, 2021, 11:32 a.m.	registers.eip: 2002059716 registers.esp: 1638384 registers.edi: 0 registers.eax: 4795075 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2088	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1608 resumed a thread in remote process 2088
NtResumeThread Nov. 1, 2021, 11:32 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2088	1	0	0

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
FireEye	Generic.mg.f12a2a6e1d8b3c7e
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7GW	Hacktool ( 700007861 )
CrowdStrike	win/malicious_confidence_90% (D)
Cyren	W32/Kryptik.FOQ.gen!Eldorado
Symantec	Packed.Generic.528
APEX	Malicious
Kaspersky	VHO:Backdoor.Win32.Convagent.gen
Sophos	ML/PE-A + Troj/Krypt-BO
McAfee-GW-Edition	BehavesLike.Win32.Generic.hc
Ikarus	Trojan.Win32.Crypt
eGambit	Unsafe.AI_Score_99%
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.Generic.R373480
Acronis	suspicious
VBA32	Malware-Cryptor.2LA.gen
Malwarebytes	Trojan.MalPack
Rising	Malware.Heuristic!ET#92% (RDMK:cmRtazo2usPKGHEWQSfHL7T4az3+)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Cybereason	malicious.b158be

Executed a process and injected code into it, probably while unpacking (11 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 1, 2021, 11:32 a.m.	thread_identifier: 2092 thread_handle: 0x0000007c process_identifier: 2088 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\rollerkind.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\rollerkind.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\rollerkind.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Nov. 1, 2021, 11:32 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Nov. 1, 2021, 11:32 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2088 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Nov. 1, 2021, 11:32 a.m.	process_identifier: 2088 region_size: 872448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Nov. 1, 2021, 11:32 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2088 process_handle: 0x00000080	1	1
NtSetContextThread Nov. 1, 2021, 11:32 a.m.	registers.eip: 2002059716 registers.esp: 1638384 registers.edi: 0 registers.eax: 4795075 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2088	1	0
NtResumeThread Nov. 1, 2021, 11:32 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2088	1	0
NtResumeThread Nov. 1, 2021, 11:32 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2088	1	0
CreateProcessInternalW Nov. 1, 2021, 11:32 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: ipstersh.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW Nov. 1, 2021, 11:32 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Roaming\neverlose filepath: C:\Users\test22\AppData\Roaming\neverlose\ipstersh.exe track: 0 command_line: "C:\Users\test22\AppData\Roaming\neverlose\ipstersh.exe" filepath_r: C:\Users\test22\AppData\Roaming\neverlose\ipstersh.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW Nov. 1, 2021, 11:32 a.m.	thread_identifier: 2064 thread_handle: 0x00000628 process_identifier: 3024 current_directory: filepath: track: 1 command_line: dipster.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000534	1	1

rollerkind.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All