Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 13, 2023, 9:36 a.m.	March 13, 2023, 9:48 a.m.

Size	328.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`961c9c4f65267e43e44e13b6bf265f6f`
SHA256	`156432010c9c69932d05b3420b22ae89d29e4d858e0626031ed4856f1b3a00cd`
CRC32	`929231A6`
ssdeep	`6144:+Ya6e3D2t9hg068nDs+wW2bRmLhW4dlNNwl4jmfX5GJBL12Q0u:+YY3D2L68nDdwW2VUJdlNNQkmv5GZ2Qf`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50
top.noforabusers1.xyz	A 103.114.163.134	103.114.163.134

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 103.114.163.134:2404	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49165 103.114.163.134:2404	None	None	None

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 13, 2023, 9:36 a.m.		1	1	0

section

.ndata

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

request

GET http://geoplugin.net/json.gp

Time & API	Arguments	Status
NtProtectVirtualMemory March 13, 2023, 9:36 a.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a82000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 13, 2023, 9:36 a.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 13, 2023, 9:36 a.m.	process_identifier: 2116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\xoxytqkz.exe

file	C:\Users\test22\AppData\Local\Temp\xoxytqkz.exe

file	C:\Users\test22\AppData\Local\Temp\xoxytqkz.exe

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2072 called NtSetContextThread to modify thread in remote process 2116
NtSetContextThread March 13, 2023, 9:36 a.m.	registers.eip: 2005598660 registers.esp: 1964108 registers.edi: 0 registers.eax: 4729168 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000c4 process_identifier: 2116	1	0	0

MicroWorld-eScan	Trojan.GenericKD.65896220
ALYac	Gen:Variant.Zusy.452601
Malwarebytes	Generic.Trojan.Malicious.DDS
VIPRE	Gen:Variant.Nemesis.15914
Sangfor	Trojan.Win32.Injector.V05a
Alibaba	Trojan:Win32/Injector.22211cbf
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Nemesis.D3E2A [many]
Cyren	W32/Injector.BKL.gen!Eldorado
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ESTW
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Agent.gen
BitDefender	Trojan.GenericKD.65896220
Avast	Win32:PWSX-gen [Trj]
DrWeb	Trojan.Loader.1338
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
FireEye	Generic.mg.961c9c4f65267e43
Emsisoft	Gen:Variant.Nemesis.15914 (B)
SentinelOne	Static AI - Suspicious PE
Avira	TR/AD.Remcos.wzhox
MAX	malware (ai score=82)
Antiy-AVL	Trojan/Win32.Injector
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Tiggre!rfn
GData	Gen:Variant.Zusy.452601
Google	Detected
McAfee	Artemis!961C9C4F6526
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0CCB23
Rising	Trojan.Injector!8.C4 (CLOUD)
Ikarus	Trojan-Spy.FormBook
Fortinet	W32/Injector.ESTE!tr
BitDefenderTheta	Gen:NN.ZexaF.36308.dqW@aOG0L2j
AVG	Win32:PWSX-gen [Trj]

yam.exe