Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 12, 2022, 11:21 a.m.	Dec. 12, 2022, 11:25 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e79b48eefa43aa34f360f68618992236`
SHA256	`55bb9a076d815eeae19471e6a1e81339eef87e6dc17c95a7b3615f52b6677ecd`
CRC32	`29C4FB68`
ssdeep	`12288:WCtS8G87R1WbCPLQhXW9XUvNHBAG/5YhnUAQyjTeYEJvRsA5X3JKC8:WCP7vLIW5uXzA7jTeYEdRsAe`
Yara	Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

explorer.exe "C:\Users\test22\AppData\Local\Temp\explorer.exe"
2076
- cmd.exe "C:\Windows\system32\cmd.exe" /c del C:\Users\test22\AppData\Local\Temp\explorer.exe > nul
  2196
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
gy9.gyddos.com

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.89.255.250	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 45.89.255.250:40404	2025135	ET MALWARE [PTsecurity] Botnet Nitol.B Checkin	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 12, 2022, 11:21 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Dec. 12, 2022, 11:21 a.m.	service_start_name: start_type: 2 password: display_name: Ghijkl Nopqrstu Wxyabcde Ghij filepath: C:\Windows\mquoeo.exe service_name: Ghijkl Nopqrstu Wxy filepath_r: C:\Windows\mquoeo.exe desired_access: 983551 service_handle: 0x002c4480 error_control: 1 service_type: 272 service_manager_handle: 0x002c4520	1	2901120	0

Creates a suspicious process (2 events)

cmdline	C:\Windows\System32\cmd.exe /c del C:\Users\test22\AppData\Local\Temp\explorer.exe > nul
cmdline	"C:\Windows\system32\cmd.exe" /c del C:\Users\test22\AppData\Local\Temp\explorer.exe > nul

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\explorer.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Dec. 12, 2022, 11:21 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c del C:\Users\test22\AppData\Local\Temp\explorer.exe > nul filepath: C:\Windows\System32\cmd.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00009600', u'virtual_address': u'0x0000c000', u'entropy': 7.9087798973133, u'name': u'.data', u'virtual_size': u'0x00009410'}

entropy

7.90877989731

description

A section with a high entropy has been found

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Windows\System32\cmd.exe /c del C:\Users\test22\AppData\Local\Temp\explorer.exe > nul
cmdline	"C:\Windows\system32\cmd.exe" /c del C:\Users\test22\AppData\Local\Temp\explorer.exe > nul

Communicates with host for which no DNS query was performed (1 event)

host

45.89.255.250

Installs itself for autorun at Windows startup (1 event)

service_name

Ghijkl Nopqrstu Wxy

service_path

C:\Windows\mquoeo.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\explorer.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2076 resumed a thread in remote process 2196
NtResumeThread Dec. 12, 2022, 11:21 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2196	1	0	0

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Generic.32461213
McAfee	Artemis!E79B48EEFA43
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Riskware ( 0052f7bd1 )
Alibaba	Trojan:Win32/Crampes.15e7df72
K7GW	Riskware ( 0052f7bd1 )
Cybereason	malicious.483e8f
Cyren	W32/ABRisk.SEGO-6842
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	Win32/RiskWare.PEMalform.J
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Crampes.a
BitDefender	Trojan.Generic.32461213
Avast	Win32:Evo-gen [Trj]
Tencent	Win32.Trojan.FalseSign.Vwhl
Ad-Aware	Trojan.Generic.32461213
Emsisoft	Trojan.Generic.32461213 (B)
VIPRE	Trojan.Generic.32461213
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.e79b48eefa43aa34
SentinelOne	Static AI - Suspicious PE
GData	Trojan.Generic.32461213
Jiangmin	Trojan.Crampes.dw
Antiy-AVL	Trojan/Win32.Dynamer
Gridinsoft	Trojan.Win32.AI.cl
Arcabit	Trojan.Generic.D1EF519D
ZoneAlarm	HEUR:Trojan.Win32.Crampes.a
Microsoft	DDoS:Win32/Nitol.L
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R539958
MAX	malware (ai score=87)
Rising	Trojan.Swrort!8.296 (TFE:2:CCuO7nvtECH)
Fortinet	MalwThreat!E1E6IV
BitDefenderTheta	Gen:NN.ZexaF.36106.nD3@a8Kxhshi
AVG	Win32:Evo-gen [Trj]
Panda	Trj/CI.A

explorer.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All