Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 8, 2022, 5:58 p.m.	Dec. 8, 2022, 6:02 p.m.

Size	471.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f56c8317f668ed043779b95bef8c849e`
SHA256	`11b46637f618cfe5000dea3ebb0d2e0bc5bde585815b670a43f1e9259e4f9941`
CRC32	`DEE8B73C`
ssdeep	`6144:VFVQzyO8Lg47VUb8s/OhV/sFndp9L8kW+al1Oy3HHyigokPMk:VIyXE47VUos/OsFdW17HHyzo`
PDB Path	C:\kakarexoci\lohakazisepib10\nicupadefeciv.pdb
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

build2.exe "C:\Users\test22\AppData\Local\Temp\build2.exe"
2552
- build2.exe "C:\Users\test22\AppData\Local\Temp\build2.exe"
  2648

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 23.42.123.237	184.31.35.111

IP Address	Status	Action
142.132.236.84	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
23.42.123.237	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 23.42.123.237:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.101:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 142.132.236.84:80	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49168 23.42.123.237:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=Private Organization, unknown=US, unknown=Washington, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	eb:03:15:e9:08:7d:12:ff:50:d3:74:ee:4a:87:15:c1:03:e9:c9:e3

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameA Dec. 8, 2022, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 8, 2022, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 8, 2022, 5:58 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 8, 2022, 5:58 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

C:\kakarexoci\lohakazisepib10\nicupadefeciv.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 8, 2022, 5:58 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.legel

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	AFX_DIALOG_LAYOUT
resource name	None

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://142.132.236.84/517
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://142.132.236.84/update.zip

Performs some HTTP requests (3 events)

request	GET http://142.132.236.84/517
request	GET http://142.132.236.84/update.zip
request	GET https://steamcommunity.com/profiles/76561199441933804

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 8, 2022, 5:58 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 180224 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ca000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 5:58 p.m.	process_identifier: 2552 region_size: 307200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 5:58 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 8, 2022, 5:59 p.m.	process_identifier: 2648 region_size: 598016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x60900000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (6 events)

file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\msvcp140.dll
file	C:\ProgramData\nss3.dll
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://t.me/dishasta
url	https://steamcommunity.com/profiles/76561199441933804
url	http://167.235.150.8:80

Yara rule detected in process memory (10 events)

description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Checks for the presence of known debug tools	rule	anti_dbgtools
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

142.132.236.84

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 8, 2022, 5:58 p.m.	process_identifier: 2648 region_size: 389120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Dec. 8, 2022, 5:58 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2648 process_handle: 0x00000080	1	1	0

Network activity contains more than one unique useragent (2 events)

process	build2.exe				useragent	Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
process	build2.exe				useragent

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 called NtSetContextThread to modify thread in remote process 2648
NtSetContextThread Dec. 8, 2022, 5:58 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4339084 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2648	1	0	0

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://167.235.150.8:80

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 resumed a thread in remote process 2648
NtResumeThread Dec. 8, 2022, 5:58 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2648	1	0	0

Executed a process and injected code into it, probably while unpacking (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Dec. 8, 2022, 5:58 p.m.	thread_identifier: 2652 thread_handle: 0x0000007c process_identifier: 2648 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\build2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\build2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\build2.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Dec. 8, 2022, 5:58 p.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Dec. 8, 2022, 5:58 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2648 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Dec. 8, 2022, 5:58 p.m.	process_identifier: 2648 region_size: 389120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Dec. 8, 2022, 5:58 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2648 process_handle: 0x00000080	1	1
NtSetContextThread Dec. 8, 2022, 5:58 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4339084 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2648	1	0
NtResumeThread Dec. 8, 2022, 5:58 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2648	1	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.64076658
FireEye	Generic.mg.f56c8317f668ed04
McAfee	RDN/PWS-Banker
Cylance	Unsafe
VIPRE	Trojan.GenericKD.64076658
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00516fdf1 )
K7GW	Trojan ( 00516fdf1 )
Arcabit	Trojan.Generic.D3D1BB72
Cyren	W32/Kryptik.IFK.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HRVT
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Packer.pkr_ce1a-9980177-0
Kaspersky	HEUR:Trojan-Banker.Win32.Bandra.gen
BitDefender	Trojan.GenericKD.64076658
Avast	Win32:BotX-gen [Trj]
Tencent	Win32.Trojan-Banker.Bandra.Hjgl
Ad-Aware	Trojan.GenericKD.64076658
Emsisoft	Trojan.GenericKD.64076658 (B)
TrendMicro	TrojanSpy.Win32.VIDAR.YXCLGZ
McAfee-GW-Edition	BehavesLike.Win32.Lockbit.gh
Trapmine	malicious.high.ml.score
Sophos	ML/PE-A + Troj/Krypt-SY
SentinelOne	Static AI - Suspicious PE
Jiangmin	TrojanDownloader.Deyma.ann
Webroot	W32.Adware.Gen
Avira	TR/Crypt.Agent.pqasj
Antiy-AVL	Trojan[Ransom]/Win32.StopCrypt
Kingsoft	malware.kb.a.(kcloud)
Gridinsoft	Spy.Win32.Vidar.bot
Microsoft	Trojan:Win32/SmokeLoader.HGK!MTB
ViRobot	Trojan.Win32.LockBit.427520
GData	Trojan.GenericKD.64076658
Google	Detected
AhnLab-V3	Infostealer/Win.VBkrypt.R538363
Acronis	suspicious
ALYac	Trojan.GenericKD.64076658
MAX	malware (ai score=89)
VBA32	Malware-Cryptor.2LA.gen
Malwarebytes	Delphi.Trojan.Downloader.DDS
TrendMicro-HouseCall	TrojanSpy.Win32.VIDAR.YXCLGZ
Rising	Trojan.Generic@AI.100 (RDML:GnUHy9s4BHS9r03QdVXEAA)
Ikarus	Trojan-Spy.Win32.Arkei
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Kryptik.HRUZ!tr

build2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All