Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 19, 2022, 9:39 a.m.	Nov. 19, 2022, 9:44 a.m.

Size	381.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`501c0b729f6ee275a7108f1a1f1396a2`
SHA256	`3206681fc7e7974569ebe9f97d513de0aa4e21b8e657523ec411b296b7a20b70`
CRC32	`D8DCBA45`
ssdeep	`6144:x/QiQXCkkm+ksmpk3U9j0I5dOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3kP6m6UR0I5dlL//plmW9bTXeVhD4`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

Bolt2.exe "C:\Users\test22\AppData\Local\Temp\Bolt2.exe"
2552
- Bolt2.tmp "C:\Users\test22\AppData\Local\Temp\is-NJCLH.tmp\Bolt2.tmp" /SL5="$70178,140559,56832,C:\Users\test22\AppData\Local\Temp\Bolt2.exe"
  2604
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1
nova-brothers.s3.pl-waw.scw.cloud	A 151.115.10.1 CNAME s3.pl-waw.scw.cloud	151.115.10.1

IP Address	Status	Action
151.115.10.1	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 151.115.10.1:443 -> 192.168.56.101:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 151.115.10.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 151.115.10.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 151.115.10.1:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 151.115.10.1:443 -> 192.168.56.101:49171	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 151.115.10.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 151.115.10.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 19, 2022, 9:39 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 19, 2022, 9:39 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 19, 2022, 9:39 a.m.	stacktrace: bolt2+0x816a8 @ 0x4816a8 bolt2+0x99c13 @ 0x499c13 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedface exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1637924 registers.edi: 4523332 registers.eax: 1637924 registers.ebp: 1638004 registers.edx: 0 registers.ebx: 0 registers.esi: 2 registers.ecx: 7	1	0	0

Performs some HTTP requests (2 events)

request	HEAD http://160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud/workflow/poweroff-1mo67u5vspq3.exe
request	GET http://160dd0af-5534-4369-972f-5aa0f99c9324.s3.pl-waw.scw.cloud/workflow/poweroff-1mo67u5vspq3.exe

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2604 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 19, 2022, 9:39 a.m.	process_identifier: 2604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 19, 2022, 9:41 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-H15BU.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-H15BU.tmp\idp.dll

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Local\Temp\is-H15BU.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-H15BU.tmp\idp.dll
file	C:\Users\test22\AppData\Local\Temp\is-NJCLH.tmp\Bolt2.tmp

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-NJCLH.tmp\Bolt2.tmp

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoader44.21184
MicroWorld-eScan	Trojan.GenericKD.63533652
FireEye	Trojan.GenericKD.63533652
CAT-QuickHeal	Backdoor.Manuscrypt
McAfee	Artemis!501C0B729F6E
Cylance	Unsafe
VIPRE	Trojan.GenericKD.63533652
Sangfor	Backdoor.Win32.Manuscrypt.Vv7m
K7AntiVirus	Trojan-Downloader ( 00599e201 )
Alibaba	Backdoor:Win32/Manuscrypt.9f82f9aa
K7GW	Trojan-Downloader ( 00599e201 )
Cybereason	malicious.05450e
Arcabit	Trojan.Generic.D3C97254
Cyren	W32/ABRisk.KMBD-4947
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/TrojanDownloader.Adload.NVT
APEX	Malicious
Kaspersky	Backdoor.Win32.Manuscrypt.bs
BitDefender	Trojan.GenericKD.63533652
SUPERAntiSpyware	Backdoor.Manuscrypt/Variant
Avast	Other:Malware-gen [Trj]
Tencent	Win32.Backdoor.Manuscrypt.Adhl
Ad-Aware	Trojan.GenericKD.63533652
Sophos	Generic ML PUA (PUA)
F-Secure	Heuristic.HEUR/AGEN.1233171
TrendMicro	Trojan.Win32.PRIVATELOADER.YXCKSZ
McAfee-GW-Edition	BehavesLike.Win32.AdwareFileTour.fc
Emsisoft	Trojan.GenericKD.63533652 (B)
Ikarus	Trojan-Downloader.Win32.Adload
Webroot	W32.Malware.Gen
Google	Detected
Avira	HEUR/AGEN.1233171
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Backdoor:Win32/Manuscrypt!MTB
ViRobot	Trojan.Win32.Z.Manuscrypt.390117
ZoneAlarm	Backdoor.Win32.Manuscrypt.bs
GData	Trojan.GenericKD.63533652
Cynet	Malicious (score: 99)
AhnLab-V3	Malware/Win32.Generic.C4341768
ALYac	Trojan.GenericKD.63533652
MAX	malware (ai score=87)
Malwarebytes	Generic.Trojan.Malicious.DDS
TrendMicro-HouseCall	TROJ_GEN.R002C0DKC22
Fortinet	W32/PossibleThreat
AVG	Other:Malware-gen [Trj]

Bolt2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All