Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 16, 2023, 9:28 a.m.	March 16, 2023, 9:30 a.m.

Size	174.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`e5e52fbd154bc8f2ac5bc61252c52055`
SHA256	`e71fc2076e32b31909a71ea6164875aa564093d46ad59d1168fd9719cb46ead3`
CRC32	`02EF85A7`
ssdeep	`3072:HfY/TU9fE9PEtu0bW0oDTYCg1B7FSroTQx5ki0Y/307M5KVCrt3UThTQdyvNsEi9:/Ya6AhCTg4oTE5/P0zVmB5UsASZ`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
2572
- qddlw.exe "C:\Users\test22\AppData\Local\Temp\qddlw.exe" C:\Users\test22\AppData\Local\Temp\dbnrrwnpp.ux
  2676
  - qddlw.exe "C:\Users\test22\AppData\Local\Temp\qddlw.exe"
    2720

Name	Response	Post-Analysis Lookup
sempersim.su	A 46.148.39.36	46.148.39.36

IP Address	Status	Action
164.124.101.2	Active	Moloch
46.148.39.36	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
UDP 192.168.56.101:59002 -> 8.8.8.8:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 46.148.39.36:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 46.148.39.36:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49167 -> 46.148.39.36:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 46.148.39.36:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 46.148.39.36:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 46.148.39.36:80	2014170	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 46.148.39.36:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 46.148.39.36:80	2014170	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 46.148.39.36:80	2014170	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 46.148.39.36:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 46.148.39.36:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.101:49167 -> 46.148.39.36:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 46.148.39.36:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 46.148.39.36:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 46.148.39.36:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 46.148.39.36:80 -> 192.168.56.101:49172	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected
TCP 192.168.56.101:49169 -> 46.148.39.36:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49169 -> 46.148.39.36:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 46.148.39.36:80	2014170	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 46.148.39.36:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 46.148.39.36:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 46.148.39.36:80 -> 192.168.56.101:49169	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 16, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 16, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 16, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 16, 2023, 9:27 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, HTTP version 1.0 used

suspicious_request

POST http://sempersim.su/ha25/fre.php

Performs some HTTP requests (1 event)

request

POST http://sempersim.su/ha25/fre.php

Sends data using the HTTP POST Method (1 event)

request

POST http://sempersim.su/ha25/fre.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

sempersim.su

description

Soviet Union domain TLD

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 16, 2023, 9:27 a.m.	process_identifier: 2572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 16, 2023, 9:27 a.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2023, 9:27 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (19 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\qddlw.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 16, 2023, 9:27 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Harvests credentials from local FTP client softwares (22 events)

file	C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\test22\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Program Files (x86)\FileZilla\Filezilla.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry	HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry	HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry	HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_CURRENT_USER\Software\Martin Prikryl
registry	HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Harvests credentials from local email clients (3 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2676 called NtSetContextThread to modify thread in remote process 2720
NtSetContextThread March 16, 2023, 9:27 a.m.	registers.eip: 1995571652 registers.esp: 2095228 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000f0 process_identifier: 2720	1	0	0

Putty Files, Registry Keys and/or Mutexes Detected

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.NSISX.Spy.Gen.24
FireEye	Generic.mg.e5e52fbd154bc8f2
McAfee	Artemis!E5E52FBD154B
Sangfor	Suspicious.Win32.Save.ins
CrowdStrike	win/malicious_confidence_100% (D)
Arcabit	Trojan.NSISX.Spy.Gen.24 [many]
BitDefenderTheta	Gen:NN.ZexaCO.36344.dqW@aaRAPll
Cyren	W32/Injector.SZDO-0098
Symantec	Packed.NSISPacker!g14
ESET-NOD32	a variant of Win32/Injector.ESUJ
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	UDS:Trojan.Win32.Gorgon.gen
BitDefender	Trojan.NSISX.Spy.Gen.24
Avast	Win32:InjectorX-gen [Trj]
Emsisoft	Trojan.NSISX.Spy.Gen.24 (B)
DrWeb	Trojan.Loader.1342
VIPRE	Trojan.NSISX.Spy.Gen.24
McAfee-GW-Edition	BehavesLike.Win32.ICLoader.cc
Trapmine	malicious.moderate.ml.score
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan-Spy.FormBook
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Variant.Babar.172047
Google	Detected
ALYac	Gen:Variant.Babar.172047
MAX	malware (ai score=80)
Rising	Trojan.Generic@AI.87 (RDML:BlpMf0/pa79IWI8d/dofCA)
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/Injector.ESTE!tr
AVG	Win32:InjectorX-gen [Trj]

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All