Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 2, 2023, 8:51 a.m.	April 2, 2023, 8:55 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6418bc223b6880e2276b4ef2415544b1`
SHA256	`47d79e9977b50909c657e4497073b797e898f833e0728602a8d75ebd0abde021`
CRC32	`D20222C2`
ssdeep	`24576:ZGU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRXj5hgSe:8pEUIvU0N9jkpjweXt77z5q/`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check Credential_User_Data_Check_Zero - Credential User Data Check SQLite_cookies_Check_Zero - SQLite Cookie Check... select Trojan_PWS_Stealer_1_Zero - Trojan.PWS.Stealer Zero Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) PE_Header_Zero - PE File Signature

handdiy_6.exe "C:\Users\test22\AppData\Local\Temp\handdiy_6.exe"
2572
- cmd.exe cmd.exe /c taskkill /f /im chrome.exe
  2716
  - taskkill.exe taskkill /f /im chrome.exe
    2776
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
  2904
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef43bf1e8,0x7fef43bf1f8,0x7fef43bf208
    2948
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2908 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
    3016

Name	Response	Post-Analysis Lookup
iplogger.com	A 148.251.234.93	148.251.234.93
www.ippfinfo.top	A 178.18.252.110	178.18.252.110

IP Address	Status	Action
148.251.234.93	Active	Moloch
164.124.101.2	Active	Moloch
178.18.252.110	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.101:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49162 -> 178.18.252.110:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49162 178.18.252.110:443	C=CN, O=TrustAsia Technologies, Inc., CN=TrustAsia RSA DV TLS CA G2	CN=www.ippfinfo.top	d3:a0:ee:8d:57:c1:a8:45:01:49:11:aa:77:a0:96:06:3f:c2:e1:5b

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 2, 2023, 8:51 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 2, 2023, 8:51 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (34 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 2, 2023, 8:44 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:44 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:44 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:45 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:44 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:44 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:44 a.m.			0	0
IsDebuggerPresent April 2, 2023, 8:44 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 2, 2023, 8:51 a.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1	0

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\Locales\ko.pak
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.beknccr

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

ZIP

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 2, 2023, 8:45 a.m.	stacktrace: 0x622e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x622e04 registers.r14: 183037040 registers.r15: 183037480 registers.rcx: 1388 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 107824080 registers.rsp: 183036216 registers.r11: 183040736 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1548 registers.r12: 31831936 registers.rbp: 183036352 registers.rdi: 31568192 registers.rax: 6434304 registers.r13: 183036912	1	0	0

Performs some HTTP requests (1 event)

request

GET https://www.ippfinfo.top/

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 2, 2023, 8:44 a.m.	process_identifier: 2904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 2, 2023, 8:44 a.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 2, 2023, 8:44 a.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2904 crashed
__exception__ April 2, 2023, 8:45 a.m.	stacktrace: 0x622e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x622e04 registers.r14: 183037040 registers.r15: 183037480 registers.rcx: 1388 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 107824080 registers.rsp: 183036216 registers.r11: 183040736 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1548 registers.r12: 31831936 registers.rbp: 183036352 registers.rdi: 31568192 registers.rax: 6434304 registers.r13: 183036912	1	0	0

Steals private information from local Internet browsers (42 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing IP Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-64292168-B58.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Module Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Side-Effect Free Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Inclusion Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Extension Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-63327DF3-A54.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Resource Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\AnyIpMalware.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Foreign language identified in PE resource (4 events)

name

ZIP

language

LANG_CHINESE

filetype

Zip archive data, at least v1.0 to extract

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00162fd0

size

0x0000c2cb

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00162180

size

0x00000ca8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00162e28

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

PGP symmetric key encrypted data - Plaintext or unencrypted data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00162e40

size

0x0000018c

Creates executable files on the filesystem (6 events)

file	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
file	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
file	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
file	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
file	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
file	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Creates a suspicious process (1 event)

cmdline

cmd.exe /c taskkill /f /im chrome.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000d600', u'virtual_address': u'0x00162000', u'entropy': 7.811308325043267, u'name': u'.rsrc', u'virtual_size': u'0x0000d420'}

entropy

7.81130832504

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (17 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeTrustedCredManAccessPrivilege	1	1
LookupPrivilegeValueW April 2, 2023, 8:51 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (50 out of 1131 events)

url	https://clients4.google.com/invalidation/android/request/
url	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url	http://services.ukrposhta.com/postindex_new/
url	http://dts.search-results.com/sr?lng=
url	http://inposdom.gob.do/codigo-postal/
url	http://creativecommons.org/ns
url	http://www.postur.fo/
url	https://qc.search.yahoo.com/search?ei=
url	https://cacert.omniroot.com/baltimoreroot.crt09
url	https://codereview.chromium.org/25305002).
url	https://search.yahoo.com/search?ei=
url	http://t1.symcb.com/ThawtePCA.crl0/
url	http://crbug.com/31395.
url	https://support.google.com/chrome/answer/165139
url	https://ct.googleapis.com/aviator/
url	https://datasaver.googleapis.com/v1/clientConfigs
url	http://crl.starfieldtech.com/sfroot-g2.crl0L
url	https://ct.startssl.com/
url	https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url	https://de.search.yahoo.com/favicon.ico
url	https://github.com/GoogleChrome/Lighthouse/issues
url	http://www.searchnu.com/favicon.ico
url	https://support.google.com/installer/?product=
url	http://msdn.microsoft.com/en-us/library/ms792901.aspx
url	https://www.najdi.si/search.jsp?q=
url	http://x.ss2.us/x.cer0
url	http://crl.geotrust.com/crls/gtglobal.crl04
url	https://accounts.google.com/ServiceLogin
url	https://accounts.google.com/OAuthLogin
url	https://c.android.clients.google.com/
url	https://www.google.com/tools/feedback/chrome/__submit
url	https://chrome.google.com/webstore/category/collection/dark_themes
url	http://check.googlezip.net/generate_204
url	http://ocsp.starfieldtech.com/08
url	http://www.guernseypost.com/postcode_finder/
url	http://crl.certum.pl/ca.crl0h
url	http://ator
url	https://suggest.yandex.by/suggest-ff.cgi?part=
url	http://feed.snap.do/?q=
url	https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url	http://www.language
url	https://support.google.com/chrome/
url	http://developer.chrome.com/apps/declare_permissions.html
url	https://ct.googleapis.com/rocketeer/
url	https://www.globalsign.com/repository/03
url	http://www.startssl.com/sfsca.crl0
url	http://UA-Compatible
url	https://se.search.yahoo.com/search?ei=
url	http://EVSecure-ocsp.geotrust.com0
url	https://developers.google.com/web/fundamentals/accessibility/accessible-styles

Yara rule detected in process memory (50 out of 1330 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Perform crypto currency mining	rule	BitCoin
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	browser info stealer	rule	infoStealer_browser_Zero
description	Steal credential	rule	local_credential_Steal
description	Virtual currency	rule	Virtual_currency_Zero
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Perform crypto currency mining	rule	BitCoin
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	browser info stealer	rule	infoStealer_browser_Zero
description	Steal credential	rule	local_credential_Steal

Queries for potentially installed applications (7 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW April 2, 2023, 8:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW April 2, 2023, 8:51 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW April 2, 2023, 8:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW April 2, 2023, 8:51 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004e0 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW April 2, 2023, 8:52 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW April 2, 2023, 8:52 a.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW April 2, 2023, 8:52 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000520 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	taskkill /f /im chrome.exe
cmdline	cmd.exe /c taskkill /f /im chrome.exe

One or more non-whitelisted processes were created (3 events)

parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2908 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef43bf1e8,0x7fef43bf1f8,0x7fef43bf208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1228,4823154349599797563,10012881036719196851,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=54A3D3629DE5A58D4FF8AA657879BB80 --mojo-platform-channel-handle=1244 --ignored=" --type=renderer " /prefetch:2

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

Resumed a suspended thread in a remote process potentially indicative of process injection (36 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2948 resumed a thread in remote process 2904
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0
NtResumeThread April 2, 2023, 8:45 a.m.	thread_handle: 0x0000000000000154 suspend_count: 2 process_identifier: 2904	1	0	0

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Bkav	W32.ZomcoLwocqeN.Trojan
tehtris	Generic.Malware
MicroWorld-eScan	Gen:Variant.Lazy.318125
FireEye	Generic.mg.6418bc223b6880e2
ALYac	Gen:Variant.Lazy.318125
Cylance	unsafe
Zillya	Trojan.Agent.Win32.3252738
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Spyware ( 0056c7821 )
K7GW	Spyware ( 0056c7821 )
CrowdStrike	win/malicious_confidence_100% (D)
Arcabit	Trojan.Lazy.D4DAAD
BitDefenderTheta	Gen:NN.ZexaF.36344.CD0@amnc9Xpj
VirIT	Trojan.Win32.PSWStealer.EUD
Cyren	W32/Trojan.SICT-8657
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Spy.Agent.PYV
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan.Script.FBStealer.gen
BitDefender	Gen:Variant.Lazy.318125
NANO-Antivirus	Trojan.Script.Stealer.jvhbnw
Avast	Win32:PWSX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10be23f5
TACHYON	Trojan/W32.FBStealer.1511936
Emsisoft	Gen:Variant.Lazy.318125 (B)
F-Secure	Heuristic.HEUR/AGEN.1307847
DrWeb	Trojan.Siggen19.56605
VIPRE	Gen:Variant.Lazy.318125
McAfee-GW-Edition	BehavesLike.Win32.Generic.th
Trapmine	malicious.high.ml.score
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Suspicious PE
Jiangmin	Trojan.Script.awer
Avira	HEUR/AGEN.1307847
Gridinsoft	Spy.Win32.Socelars.bot
Microsoft	Trojan:Win32/RedLineStealer.RT!MTB
ZoneAlarm	HEUR:Trojan.Script.FBStealer.gen
GData	Gen:Variant.Lazy.318125
Google	Detected
AhnLab-V3	Trojan/Win.Socelars.C5388913
Acronis	suspicious
McAfee	GenericRXVN-KN!6418BC223B68
MAX	malware (ai score=82)
VBA32	BScope.Trojan.Agentb
Malwarebytes	Spyware.Socelars
Rising	Stealer.FBAdsCard!1.CE03 (CLASSIC)
Yandex	TrojanSpy.Agent!LWiA6/o4emo
Ikarus	Trojan-Spy.Win32.Agent

handdiy_6.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All