Summary | ZeroBOX

nojo2.2.exe

Tags: Malicious Library, Admin Tool (Sysinternals etc ...), UPX, PE File, OS Processor Check, PE32
Category: FILE
Machine: s1_win7_x6403_us
Started: Dec. 21, 2022, 5:41 p.m.
Completed: Dec. 21, 2022, 5:46 p.m.
Size: 153.7KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 996dcccaa3103179f6b980b2a66957be
SHA256: 0a5d1edacfafff8bef4a4009291b438be7f757609077c2bf5057da38cceab228
CRC32: C3D07DBA
ssdeep: 3072:5lTSr+vbmJr0epbY01SYZDv70l/zBUsrmpOZm3p/14i4rU5h5QfNXcw4L:5kwpR01TZv76zZoZ/1ogf6F4L
Yara
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
  • dezember22.duckdns.org -> 212.86.115.220

IP Address Status Action
  • 164.124.101.2 Active Moloch
  • 212.86.115.220 Active Moloch

Suricata Alerts

Flow SID Signature Category
  • TCP 212.86.115.220:1992 -> 192.168.56.103:49166 | SID 2036735 | ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) | Malware Command and Control Activity Detected
  • TCP 192.168.56.103:49166 -> 212.86.115.220:1992 | SID 2036734 | ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin | Malware Command and Control Activity Detected
  • UDP 192.168.56.103:52760 -> 164.124.101.2:53 | SID 2022918 | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain | Misc activity

Suricata TLS

No Suricata TLS

GetComputerNameW
  computer_name: TEST22-PC
  status: 1, return: 1, repeated: 0

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
GlobalMemoryStatusEx
  status: 1, return: 1, repeated: 0

section: .ndata
domain: dezember22.duckdns.org
NtAllocateVirtualMemory
  process_identifier: 2120
  region_size: 4001792
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00ba0000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory
  process_identifier: 2120
  region_size: 8192
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00750000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0xffffffff
  status: 1, return: 0, repeated: 0

NtAllocateVirtualMemory
  process_identifier: 1236
  region_size: 65536
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x0000000006820000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffffffffffff
  status: 1, return: 0, repeated: 0

file: C:\Users\test22\AppData\Roaming\swnb\xkgupliolm.exe
file: C:\Users\test22\AppData\Local\Temp\vvkktbc.exe
file: C:\Users\test22\AppData\Roaming\swnb\xkgupliolm.exe
reg_key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wkoy
reg_value: C:\Users\test22\AppData\Roaming\swnb\xkgupliolm.exe "C:\Users\test22\AppData\Local\Temp\vvkktbc.exe" C:\Users\test22\AppData\Loca
SetWindowsHookExA
  thread_identifier: 0
  callback_function: 0x004074c0
  hook_identifier: 13 (WH_KEYBOARD_LL)
  module_address: 0x00400000
  status: 1, return: 5702119, repeated: 0
Process injection: process 2120 called NtSetContextThread to modify a thread in remote process 2192

NtSetContextThread
  registers.eip: 2005598660
  registers.esp: 3865528
  registers.edi: 0
  registers.eax: 4216632
  registers.ebp: 0
  registers.edx: 0
  registers.ebx: 2130567168
  registers.esi: 0
  registers.ecx: 0
  thread_handle: 0x00000118
  process_identifier: 2192
  status: 1, return: 0, repeated: 0
Antivirus

MicroWorld-eScan Trojan.Garf.Gen.6
FireEye Trojan.Garf.Gen.6
ALYac Trojan.NSISX.Spy.Gen.24
Cylance Unsafe
VIPRE Trojan.Garf.Gen.6
Arcabit Trojan.Garf.Gen.6 [many]
BitDefenderTheta Gen:NN.ZexaF.36158.euW@a8UA!coi
Cyren W32/Agent.FMN.gen!Eldorado
ESET-NOD32 a variant of Win32/Injector_AGen.PF
APEX Malicious
Kaspersky UDS:Trojan.Win32.Formbook.gen
BitDefender Trojan.Garf.Gen.6
Avast FileRepMalware [Misc]
Emsisoft Trojan.Garf.Gen.6 (B)
Google Detected
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Backdoor:Win32/Remcos!MTB
GData Gen:Variant.Jaik.109900
McAfee Artemis!996DCCCAA310
MAX malware (ai score=89)
Ikarus Trojan.NSIS.Agent
Fortinet W32/Injector.ESFO!tr
AVG FileRepMalware [Misc]