Summary | ZeroBOX

kingz.exe

Tags: PDF, Suspicious Link, PWS, PE File, PE32, .NET EXE, icon
Category FILE
Machine s1_win7_x6403_us
Started May 22, 2022, 8:25 p.m.
Completed May 22, 2022, 8:32 p.m.
Size 1.3MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 a6ba70f75f6fab4748bffe1784e7e8ff
SHA256 0ae6223a947654283ddaad72ab64c82c6a4dbd3e7fb367a4914e6acc01785e78
CRC32 5D1F91FB
ssdeep 24576:dS7ukH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxYP:dmHZ5MMpoJOp+MIVai7Tq24GjdGSP
Yara
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature

DNS
Name soapbeginshops.com  Response 34.118.86.4

IP Address  Status  Action
164.124.101.2  Active  Moloch
34.118.86.4  Active  Moloch

34.118.86.4 is the host that served http://soapbeginshops.com/ItsMe.zip and is the indicator worth acting on; 164.124.101.2 is the analysis network's DNS resolver and should not be treated as attacker infrastructure.

Suricata Alerts

Flow TCP 34.118.86.4:80 -> 192.168.56.103:49161
SID 2035026
Signature ET HUNTING SUSPICIOUS .LNK File Inside of Zip
Category Unknown Traffic

The alert fires on the server-to-client half of the flow, i.e. on the body of the ItsMe.zip download from soapbeginshops.com (34.118.86.4) over plaintext HTTP. The rule keys on a .lnk entry inside a zip, which matches the C:\.lnk file the sample went on to write.

Suricata TLS

No Suricata TLS

Time & API  Arguments  Status  Return  Repeated

IsDebuggerPresent  (no arguments)  status 0, return 0
GlobalMemoryStatusEx  (no arguments)  status 1, return 1, repeated 0

IsDebuggerPresent returned FALSE, so the sample saw no user-mode debugger; that it asks at all is the anti-analysis indicator. GlobalMemoryStatusEx reports installed physical memory, a common way to recognise a VM or sandbox by its small RAM allotment.
request GET http://soapbeginshops.com/ItsMe.zip
file C:\.lnk
file C:\Users\test22\AppData\Local\Temp\tmpF22F.tmp
section .text  virtual_address 0x00002000  virtual_size 0x001535e4  size_of_data 0x00153600 (1,390,080 bytes)  entropy 7.927  description A section with a high entropy has been found
entropy 0.9985  description Overall entropy of this PE file is high

The two entropy figures are on different scales. The per-section value is Shannon entropy in bits per byte (8.0 is the maximum), so 7.93 means the .text section is essentially incompressible, as encrypted or packed data is. The "overall entropy" is not an entropy but the share of section data that lives in high-entropy sections: 0x153600 / (0x153600 + 0x800) = 0.99853, i.e. all but 2,048 bytes of the file's section data is the single high-entropy .text section. A 1.3MB .NET assembly whose code section is almost entirely high-entropy is consistent with a crypter/loader that decrypts and runs its real payload in memory, which is also what the MSIL/Kryptik labels below say.
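To make the two entropy scales concrete, the script below is an added example (not the report's or Cuckoo's own code). It parses the section table of a PE32 image constructed in memory, computes per-section Shannon entropy in bits per byte, and derives the "overall" figure the way the Cuckoo packer_entropy signature does, as the share of section bytes held in sections above a threshold. The 6.8-bit threshold and the 0.2 share are assumptions of the example; pe_sections() works unchanged on bytes read from a real file.

```python
"""Where the two 'entropy' figures in a Cuckoo/ZeroBOX report come from.
Added example, not code from the report or from Cuckoo.  It shows
  * per-section Shannon entropy in bits per byte (the 7.927 for .text), and
  * the 'overall entropy' value, which is not an entropy but the share of
    section bytes that sit in high-entropy sections (the 0.9985).
HIGH_ENTROPY and OVERALL_SHARE are assumed thresholds; the PE image is
constructed in memory with a real PE32 layout, so pe_sections() also works on
bytes read from a file on disk."""
import math
import random
import struct
from collections import Counter

HIGH_ENTROPY = 6.8    # assumed: bits/byte above which a section counts as "high"
OVERALL_SHARE = 0.2   # assumed: share of section data above which the file is flagged


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image):
    """Yield (name, size_of_raw_data, raw_bytes) for each section header.
    Offsets follow the PE/COFF specification; only the needed fields are read."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<4I", hdr, 8)
        yield name, raw_size, image[raw_ptr:raw_ptr + raw_size]


def entropy_report(image):
    """Return ({section_name: entropy}, overall_share, flagged) the way the
    packer_entropy signature derives them from the section table."""
    per_section, total, high = {}, 0, 0
    for name, size, data in pe_sections(image):
        e = shannon_entropy(data)
        per_section[name] = e
        total += size
        if e > HIGH_ENTROPY:
            high += size
    overall = high / total if total else 0.0
    return per_section, overall, overall > OVERALL_SHARE


def build_sample_pe():
    """Constructed PE32 image (not runnable): a 4096-byte pseudo-random .text
    standing in for a crypted payload and a 512-byte repetitive .rsrc."""
    rng = random.Random(0x5EED)                     # deterministic "packed" bytes
    text = bytes(rng.getrandbits(8) for _ in range(4096))
    rsrc = b"A" * 512
    opt_size = 0xE0                                 # PE32 optional header size
    headers_len = 0x80 + 24 + opt_size + 40 * 2
    text_ptr = (headers_len + 0x1FF) & ~0x1FF       # 512-byte file alignment
    rsrc_ptr = text_ptr + len(text)

    def section(name, vaddr, data, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data), ptr,
                           0, 0, 0, 0, flags)

    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)         # e_lfanew -> PE header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    image = bytearray(dos + coff + opt
                      + section(b".text", 0x2000, text, text_ptr, 0x60000020)
                      + section(b".rsrc", 0x4000, rsrc, rsrc_ptr, 0x40000040))
    image += b"\0" * (text_ptr - len(image)) + text + rsrc
    return bytes(image)


if __name__ == "__main__":
    sections, overall, flagged = entropy_report(build_sample_pe())
    for name, e in sections.items():
        print(f"{name:8s} {e:.3f} bits/byte")
    print(f"overall share in high-entropy sections: {overall:.4f} flagged={flagged}")
```

On the constructed image .text comes out just under 8 bits per byte, .rsrc at 0, and the overall share at 4096/4608 = 0.889; on kingz.exe the same function reproduces the report's 7.927 and 0.9985 provided the threshold matches the one this ZeroBOX instance uses.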
Time & API  Arguments  Status  Return  Repeated

LookupPrivilegeValueW  system_name: (empty, i.e. the local system)  privilege_name: SeRestorePrivilege  status 1, return 1, repeated 0

The call resolves the LUID of SeRestorePrivilege, normally the step before enabling it with AdjustTokenPrivileges. Holding that privilege lets a process write files and registry keys regardless of their ACLs, which is why the lookup is flagged.
description Possibly a polymorphic version of itself

The sample wrote a copy of itself that differs from kingz.exe in content (different MD5/SHA256) but is near-identical by fuzzy hash: the two ssdeep digests differ only in the last character of each chunk (P vs v).

Dropped file readme.exe
Path C:\Users\test22\Desktop\readme.exe (stored as 22d656a93589f45d_readme.exe)
PID 2344
Size 1392640
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 a5cb23b8b71b2eec6cf53c89a166d1ca
SHA1 954152dabcfebfd04143c97eb814ffdcf9f622da
SHA256 22d656a93589f45df7c71039fe808541105dc6927bca733933b67fa4843863f3
SHA512 6281739cce2da2ddafcc2167d9f56067ee2650411d17fb30765afec33bf052e7ddc3bca62fd7328e694a0f7c0c1f316ecdade1e07f15296a185b972acc81b030
CRC32 DA97DED1
ssdeep 24576:dS7ukH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxYv:dmHZ5MMpoJOp+MIVai7Tq24GjdGSv
URLs (none)

Yara (dropped file)
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT (r0d, 2021-04-27). Matched strings, base64-encoded in the rule: djQuMC4zMDMxOQ== ("v4.0.30319") at offset 1312284; U3lzdGVtLk5ldA== ("System.Net") at 1344562, 1347627, 1348321; RW52aXJvbm1lbnQ= ("Environment") at 1348744.
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult (r0d, 2020-11-10). Matched strings: Z2V0X0N1cnJlbnQ= ("get_Current") at 1334389, 1342504, 1349023, 1349101, 1349144; R2V0VHlwZUZyb21IYW5kbGU= ("GetTypeFromHandle") at 1335905; VGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRl ("TargetFrameworkAttribute") at 1337030; R2V0RW51bWVyYXRvcg== ("GetEnumerator") at 1346162, 1346242, 1346287; Lk5FVCBGcmFtZXdvcms= (".NET Framework") at 1387456; X0NvckV4ZU1haW4= ("_CorExeMain") at 1390530; MAAwADAAMAAwADQAYgAwAA== (UTF-16LE "00004b0") at 1390954.
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature (r0d, 2020-06-03). Matched string TVo= ("MZ") at offset 0.

Both family rules match only generic .NET runtime and metadata names (System.Net, v4.0.30319, _CorExeMain, GetEnumerator) that appear in almost any .NET assembly, so the AsyncRAT and Azorult attributions are weak on their own. The AV labels split between AgentTesla, RATX/AsyncRAT-style generic RAT detections and MSIL/Kryptik crypter signatures; treat the family as unconfirmed until the decrypted payload is examined.

VirusTotal (dropped file) scan 2022-05-21 23:21:41, 33 of 68 engines detected
https://www.virustotal.com/gui/file/22d656a93589f45df7c71039fe808541105dc6927bca733933b67fa4843863f3/detection/f-22d656a93589f45df7c71039fe808541105dc6927bca733933b67fa4843863f3-1653175301
Bkav W32.AIDetectNet.01
Elastic malicious (high confidence)
MicroWorld-eScan IL:Trojan.MSILMamut.672
ALYac IL:Trojan.MSILMamut.672
Sangfor Trojan.Win32.Save.a
K7AntiVirus Riskware ( 00584baa1 )
K7GW Riskware ( 00584baa1 )
Cybereason malicious.abcfeb
Cyren W32/MSIL_Kryptik.HAJ.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.AFCT
APEX Malicious
Kaspersky HEUR:Trojan-PSW.MSIL.Stealer.gen
BitDefender IL:Trojan.MSILMamut.672
Avast Win32:RATX-gen [Trj]
Ad-Aware IL:Trojan.MSILMamut.672
Emsisoft IL:Trojan.MSILMamut.672 (B)
McAfee-GW-Edition BehavesLike.Win32.Fareit.tc
FireEye Generic.mg.a5cb23b8b71b2eec
Sophos Mal/MSIL-UV
SentinelOne Static AI - Malicious PE
MAX malware (ai score=84)
Microsoft Trojan:MSIL/AgentTesla.DA!MTB
Arcabit IL:Trojan.MSILMamut.672
GData IL:Trojan.MSILMamut.672
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.C5057160
Malwarebytes Trojan.Dropper
Ikarus Trojan.MSIL.ClipBanker
MaxSecure Trojan.Malware.300983.susgen
BitDefenderTheta Gen:NN.ZemsilF.34682.vn0@aec@B5l
AVG Win32:RATX-gen [Trj]
CrowdStrike win/malicious_confidence_60% (D)
Not detected: Lionic, CMC, CAT-QuickHeal, Cylance, Alibaba, Baidu, VirIT, tehtris, Paloalto, ClamAV, NANO-Antivirus, SUPERAntiSpyware, Rising, Comodo, F-Secure, DrWeb, Zillya, TrendMicro, Jiangmin, Webroot, Avira, Kingsoft, Gridinsoft, ViRobot, ZoneAlarm, Acronis, McAfee, TACHYON, VBA32, Zoner, TrendMicro-HouseCall, Tencent, Yandex, Fortinet, Panda

VirusTotal (kingz.exe), detecting engines
Bkav W32.AIDetectNet.01
Elastic malicious (high confidence)
MicroWorld-eScan IL:Trojan.MSILMamut.672
ALYac IL:Trojan.MSILMamut.672
Sangfor Trojan.Win32.Save.a
K7AntiVirus Riskware ( 00584baa1 )
K7GW Riskware ( 00584baa1 )
Cybereason malicious.9239b3
Cyren W32/MSIL_Kryptik.HAJ.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.AFCT
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Stealer.gen
BitDefender IL:Trojan.MSILMamut.672
Avast Win32:RATX-gen [Trj]
Tencent Msil.Trojan-qqpass.Qqrob.Lnxy
Ad-Aware IL:Trojan.MSILMamut.672
Sophos Mal/MSIL-UV
McAfee-GW-Edition BehavesLike.Win32.Fareit.tc
FireEye Generic.mg.a6ba70f75f6fab47
Emsisoft IL:Trojan.MSILMamut.672 (B)
SentinelOne Static AI - Malicious PE
Microsoft Trojan:Script/Phonzy.C!ml
GData IL:Trojan.MSILMamut.672
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.C5057160
McAfee Artemis!A6BA70F75F6F
MAX malware (ai score=87)
Malwarebytes Trojan.Dropper
Ikarus Trojan.MSIL.ClipBanker
MaxSecure Trojan.Malware.300983.susgen
BitDefenderTheta Gen:NN.ZemsilF.34682.vn0@aec@B5l
AVG Win32:RATX-gen [Trj]
CrowdStrike win/malicious_confidence_60% (D)
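The "possibly a polymorphic version of itself" finding rests on the two ssdeep digests in this report: kingz.exe and the dropped readme.exe have different MD5/SHA256 values but their digests differ in a single character of each chunk. The script below is an added example, not part of the ZeroBOX report or of the ssdeep project. It re-implements the published spamsum/ssdeep comparison (weighted edit distance with insert and delete cost 1 and replace cost 2, the 7-character common-substring requirement, the block-size pairing rules and the small-block cap) in plain Python so the 0-100 score can be reproduced offline from the digests alone. Use `ssdeep -d` or the ssdeep Python binding for authoritative results.

```python
"""Reproduce the ssdeep similarity score behind the 'polymorphic version of
itself' finding.  Added example; not part of the ZeroBOX report or of the
ssdeep project.  The two digests are copied from the report.  The scoring
follows the published spamsum/ssdeep algorithm (fuzzy.c); use `ssdeep -d`
or the ssdeep Python binding for authoritative results."""
import re

SPAMSUM_LENGTH = 64   # maximum length of one chunk string
ROLLING_WINDOW = 7    # two chunks must share a substring this long to score
MIN_BLOCKSIZE = 3

# From the report: kingz.exe (analysed sample) and readme.exe (dropped copy).
KINGZ_SSDEEP = "24576:dS7ukH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxYP:dmHZ5MMpoJOp+MIVai7Tq24GjdGSP"
README_SSDEEP = "24576:dS7ukH+O5MMsj/8oJ0HOgwzMIdEyaXC772Q9NXw2/wPOjdGxYv:dmHZ5MMpoJOp+MIVai7Tq24GjdGSv"


def parse(digest):
    """Split 'blocksize:chunk1:chunk2[,"filename"]' into (int, str, str)."""
    block_size, chunk1, chunk2 = digest.split(",", 1)[0].split(":", 2)
    return int(block_size), chunk1, chunk2


def eliminate_sequences(s):
    """Collapse runs of more than three identical characters to three;
    long runs carry almost no information and would distort the score."""
    return re.sub(r"(.)\1{3,}", r"\1\1\1", s)


def has_common_substring(s1, s2):
    """ssdeep refuses to score chunks that share no ROLLING_WINDOW-sized window."""
    if min(len(s1), len(s2)) < ROLLING_WINDOW:
        return False
    windows = {s1[i:i + ROLLING_WINDOW] for i in range(len(s1) - ROLLING_WINDOW + 1)}
    return any(s2[i:i + ROLLING_WINDOW] in windows
               for i in range(len(s2) - ROLLING_WINDOW + 1))


def edit_distance(s1, s2):
    """Weighted Levenshtein distance: insert 1, delete 1, replace 2."""
    prev = list(range(len(s2) + 1))
    for i, c1 in enumerate(s1, 1):
        cur = [i]
        for j, c2 in enumerate(s2, 1):
            cur.append(min(prev[j] + 1,                            # delete c1
                           cur[j - 1] + 1,                         # insert c2
                           prev[j - 1] + (0 if c1 == c2 else 2)))  # replace
        prev = cur
    return prev[-1]


def score_strings(s1, s2, block_size):
    """Score one pair of chunk strings on 0..100, mirroring fuzzy.c score_strings()."""
    if not has_common_substring(s1, s2):
        return 0
    score = edit_distance(s1, s2)
    # Scale by the combined length so the score measures the proportion changed.
    score = (score * SPAMSUM_LENGTH) // (len(s1) + len(s2))
    score = (100 * score) // SPAMSUM_LENGTH
    if score >= 100:
        return 0
    score = 100 - score
    # Small block sizes mean few chunks; cap the score so short digests
    # cannot claim a strong match on little evidence.
    if block_size < (99 + ROLLING_WINDOW) * MIN_BLOCKSIZE // ROLLING_WINDOW:
        score = min(score, block_size // MIN_BLOCKSIZE * min(len(s1), len(s2)))
    return score


def compare(digest1, digest2):
    """Return the ssdeep similarity (0..100) of two digests."""
    bs1, a1, a2 = parse(digest1)
    bs2, b1, b2 = parse(digest2)
    # Only equal block sizes, or block sizes one doubling apart, are comparable.
    if bs1 != bs2 and bs1 != bs2 * 2 and bs2 != bs1 * 2:
        return 0
    a1, a2, b1, b2 = map(eliminate_sequences, (a1, a2, b1, b2))
    if bs1 == bs2 and a1 == b1 and a2 == b2:
        return 100
    if bs1 == bs2:
        return max(score_strings(a1, b1, bs1), score_strings(a2, b2, bs1 * 2))
    if bs1 == bs2 * 2:
        # digest1's first chunk (block bs1) vs digest2's second chunk (block 2*bs2 == bs1)
        return score_strings(a1, b2, bs1)
    return score_strings(a2, b1, bs2)


if __name__ == "__main__":
    print(compare(KINGZ_SSDEEP, README_SSDEEP))  # 99
```

On the two digests from the report compare() returns 99: one substituted character in a 50-character chunk costs 2 edit units, which after scaling leaves a one-point deduction. Identical digests return 100, and digests whose block sizes are neither equal nor one doubling apart return 0 without being compared at all, which is why ssdeep matching across files of very different sizes is unreliable. A score in the high 90s between a downloaded sample and a file it drops is exactly the evidence the "polymorphic version of itself" signature keys on.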