Summary | ZeroBOX

Mainsetupv1.0.exe

UPX Malicious Library Downloader HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Hijack Network Http API persistence FTP Socket Escalate priviledges DNS Code injection Sniff Audio Steal credential AntiDebug PE File AntiVM PE32
Category Machine Started Completed
FILE s1_win7_x6401 Nov. 2, 2021, 10:14 p.m. Nov. 2, 2021, 10:17 p.m.
Size 1.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5 689b7bfb1424aa69046653e635ecb9ac
SHA256 33b321374349db0323465f27465cabc62472c405e2a45638467e32c174d18082
CRC32 82C25D63
ssdeep 49152:AuUZOlRW++2IqL321m6IxSwdN0ZsCbSq4ijHsBm:AHZOjW+Vt3SiODu/ijM0
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
iBFBxuLonchVeJiTrbJe.iBFBxuLonchVeJiTrbJe
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Microsoft Windows [Version 6.1.7601]
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Set ZHFZ=%userdomain%
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: if %ZHFZ%==DESKTOP-QO5QU33 exit
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: <nul set /p = "MZ" > Chiamando.exe.com
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: findstr /V /R "^BzLWsqaNCEZgiyEyRAWbzRykAXPtraovZkeVpuoOjqhCVDqSKvSTNMNJgmczlgJpvCfWeIVKsokaDDdXXXzGAfIjn$" Attitudine.vstx >> Chiamando.exe.com"
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: copy Lucenti.vstx y
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 1 file(s) copied.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: start Chiamando.exe.com y
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ping 127.0.0.1 -n 30
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Pinging 127.0.0.1
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: with 32 bytes of data:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
packer Armadillo v1.71
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c82000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2076
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c82000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c82000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 786432
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x039e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 102400
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03aa1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 16384
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03aba000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03abe000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03abf000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 13718249472
root_path: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
total_number_of_bytes: 0
1 1 0
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Chiamando.exe.com
cmdline "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Profonda.vstx
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\system32\cmd
parameters: /c C:\Windows\system32\cmd < Profonda.vstx
filepath: C:\Windows\System32\cmd
1 1 0
url http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url http://purl.org/rss/1.0/
url http://www.passport.com
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Steal credential rule local_credential_Steal
description Communications use DNS rule Network_DNS
description Match Windows Inet API call rule Str_Win32_Internet_API
description Hijack network configuration rule Hijack_Network
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Run a KeyLogger rule KeyLogger
description Communications over FTP rule Network_FTP
description Escalate priviledges rule Escalate_priviledges
description File Downloader rule Network_Downloader
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Install itself for autorun at Windows startup rule Persistence
cmdline ping 127.0.0.1 -n 30
file C:\ProgramData\AVAST Software
file C:\ProgramData\AVG
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process injection Process 2996 resumed a thread in remote process 2076
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000090
suspend_count: 0
process_identifier: 2076
1 0 0
Bkav W32.AIDetect.malware1
Lionic Trojan.Win32.Agent.m!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.36959446
FireEye Generic.mg.689b7bfb1424aa69
McAfee Artemis!689B7BFB1424
Cylance Unsafe
Zillya Backdoor.Agent.Win32.79794
Sangfor Backdoor.Win32.Agent.myuaxu
K7AntiVirus Trojan ( 0057c6fb1 )
Alibaba Backdoor:Win32/7Drop.dc8e3475
K7GW Trojan ( 0057c6fb1 )
Cyren W32/Trojan.YJRA-5574
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Packed.7zip.AL suspicious
APEX Malicious
Avast Script:SNH-gen [Trj]
ClamAV Win.Malware.Crypzip-9880310-0
Kaspersky Backdoor.Win32.Agent.myuaxu
BitDefender Trojan.GenericKD.36959446
Ad-Aware Trojan.GenericKD.36959446
Sophos Troj/Agent-BGQN
Comodo ApplicUnwnt@#2dbe8bvu70bzl
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06BC0WEI21
McAfee-GW-Edition BehavesLike.Win32.Generic.tc
Emsisoft Trojan.GenericKD.36959446 (B)
Paloalto generic.ml
Jiangmin Trojan.Fsysna.joy
Webroot W32.Malware.Gen
Avira BDS/Agent.yfpto
MAX malware (ai score=81)
Antiy-AVL Trojan/Generic.ASMalwS.32AC78A
Kingsoft Win32.Hack.Agent.(kcloud)
Microsoft Trojan:Win32/Sabsik.FL.A!ml
Gridinsoft Trojan.Win32.Packed.oa
GData Win32.Trojan.BSE.S11PG3
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win.Generic.R425135
ALYac Trojan.GenericKD.36959446
VBA32 Backdoor.Agent
Malwarebytes Trojan.Dropper.Generic
TrendMicro-HouseCall TROJ_GEN.R06BC0WEI21
Tencent Malware.Win32.Gencirc.10ce58d0
Yandex Backdoor.Agent!q1VL37ik7x4
Fortinet Riskware/Agent
MaxSecure Trojan.Malware.117977742.susgen
AVG Script:SNH-gen [Trj]
Panda Trj/Agent.ALS
CrowdStrike win/malicious_confidence_100% (W)