Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 28, 2023, 10:49 p.m.	Jan. 28, 2023, 11:28 p.m.

Size	817.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9e870f801dd759298a34be67b104d930`
SHA256	`6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b`
CRC32	`D5BB15B4`
ssdeep	`24576:5sGzuMNu2HWJD2U1zANRGTfllqapvYaqom:5tLezwRW3vJ`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

NINJA.exe "C:\Users\test22\AppData\Local\Temp\NINJA.exe"
2540
- cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn SBADLH.exe /tr C:\Users\test22\AppData\Roaming\Windata\system.exe /sc minute /mo 1
  2688
  - schtasks.exe schtasks /create /tn SBADLH.exe /tr C:\Users\test22\AppData\Roaming\Windata\system.exe /sc minute /mo 1
    2796
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
ninja1337.zapto.org	A 94.207.64.73	94.207.64.73

IP Address	Status	Action
164.124.101.2	Active	Moloch
94.207.64.73	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2028703	ET POLICY DNS Query to DynDNS Domain *.zapto .org	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 28, 2023, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 28, 2023, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 28, 2023, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 28, 2023, 10:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 28, 2023, 10:49 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 28, 2023, 10:49 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Jan. 28, 2023, 10:49 p.m.	buffer: SUCCESS: The scheduled task "SBADLH.exe" has successfully been created. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 28, 2023, 10:49 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	aHc
section	Security

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Connects to a Dynamic DNS Domain (1 event)

domain

ninja1337.zapto.org

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 28, 2023, 10:49 p.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73352000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Jan. 28, 2023, 10:50 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SBADLH.lnk
file	C:\Users\test22\AppData\Roaming\Windata\system.exe
file	C:\Users\test22\AppData\Local\Temp\SBADLH.vbs

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SBADLH.lnk

Creates a suspicious process (2 events)

cmdline	schtasks /create /tn SBADLH.exe /tr C:\Users\test22\AppData\Roaming\Windata\system.exe /sc minute /mo 1
cmdline	C:\Windows\system32\cmd.exe /c schtasks /create /tn SBADLH.exe /tr C:\Users\test22\AppData\Roaming\Windata\system.exe /sc minute /mo 1

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\Windata\system.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW Jan. 28, 2023, 10:49 p.m.	snapshot_handle: 0x0000030c process_name: wsqmcons.exe process_identifier: 2344	1	1
Process32NextW Jan. 28, 2023, 10:49 p.m.	snapshot_handle: 0x0000030c process_name: NINJA.exe process_identifier: 2540	1	1
Process32NextW Jan. 28, 2023, 10:49 p.m.	snapshot_handle: 0x0000030c process_name: schtasks.exe process_identifier: 2620	1	1
Process32NextW Jan. 28, 2023, 10:49 p.m.	snapshot_handle: 0x0000030c process_name: conhost.exe process_identifier: 2628	1	1
Process32NextW Jan. 28, 2023, 10:49 p.m.	snapshot_handle: 0x0000030c process_name: cmd.exe process_identifier: 2688	1	1
Process32NextW Jan. 28, 2023, 10:49 p.m.	snapshot_handle: 0x0000030c process_name: conhost.exe process_identifier: 2724	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0005a200', u'virtual_address': u'0x000f0000', u'entropy': 7.913543981454384, u'name': u'Security', u'virtual_size': u'0x0005b000'}

entropy

7.91354398145

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00072000', u'virtual_address': u'0x0014b000', u'entropy': 7.956578929974608, u'name': u'.rsrc', u'virtual_size': u'0x00072000'}

entropy

7.95657892997

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

wscript.exe

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /tn SBADLH.exe /tr C:\Users\test22\AppData\Roaming\Windata\system.exe /sc minute /mo 1
cmdline	C:\Windows\system32\cmd.exe /c schtasks /create /tn SBADLH.exe /tr C:\Users\test22\AppData\Roaming\Windata\system.exe /sc minute /mo 1

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SBADLH	reg_value	"C:\Users\test22\AppData\Roaming\Windata\system.exe"
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SBADLH.lnk
cmdline	schtasks /create /tn SBADLH.exe /tr C:\Users\test22\AppData\Roaming\Windata\system.exe /sc minute /mo 1
cmdline	C:\Windows\system32\cmd.exe /c schtasks /create /tn SBADLH.exe /tr C:\Users\test22\AppData\Roaming\Windata\system.exe /sc minute /mo 1

Executes one or more WMI queries (1 event)

wmi	Select * from AntiVirusProduct

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

94.207.64.73:4000

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.LodaRat.4!c
tehtris	Generic.Malware
MicroWorld-eScan	Trojan.GenericKD.65162573
FireEye	Generic.mg.9e870f801dd75929
ALYac	Trojan.GenericKD.65162573
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0056c7c41 )
Alibaba	Backdoor:Script/LodaRat.b9d7053f
Cybereason	malicious.01dd75
Arcabit	Trojan.Generic.D3E24D4D
Cyren	W32/AutoIt.VB.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Autoit.EJ
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Txt.Malware.LodaRAT-9769386-0
Kaspersky	HEUR:Backdoor.Script.LodaRat.a
BitDefender	Trojan.GenericKD.65162573
Avast	AutoIt:KeyLogger-R [Trj]
Tencent	Script.Backdoor.Lodarat.Gkjl
Emsisoft	Trojan.GenericKD.65162573 (B)
F-Secure	Heuristic.HEUR/AGEN.1201152
DrWeb	Trojan.AutoIt.1195
VIPRE	Trojan.GenericKD.65162573
TrendMicro	TROJ_GEN.R03BC0PAQ23
McAfee-GW-Edition	BehavesLike.Win32.TrojanAitInject.cc
Sophos	Mal/Generic-S (PUA)
Jiangmin	Trojan.AutoItScript.c
Webroot	W32.Trojan.GenKD
Avira	HEUR/AGEN.1201152
MAX	malware (ai score=81)
Antiy-AVL	Trojan[Backdoor]/Script.Lodarat
Gridinsoft	Trojan.Heur!.03212061
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	VHO:Backdoor.Win32.Convagent.gen
GData	Trojan.GenericKD.65162573
Google	Detected
McAfee	Artemis!9E870F801DD7
VBA32	Trojan.Autoit.F
Malwarebytes	Malware.AI.2574267502
TrendMicro-HouseCall	TROJ_GEN.R03BC0PAQ23
Rising	Backdoor.888Rat/Autoit!1.C8E3 (CLASSIC)
Ikarus	Trojan.Autoit
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	AutoIt/Agent.DB!tr
BitDefenderTheta	AI:Packer.1D0DF3E616
AVG	AutoIt:KeyLogger-R [Trj]

NINJA.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All