Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 4, 2023, 5:54 p.m.	May 4, 2023, 5:58 p.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`43da6da02ab057b4b4b100c727b3fc69`
SHA256	`6b4d0ff0d2bb85c989bd090151a64651f0520709840a0b646168166f5ad5f10a`
CRC32	`DEA31CB7`
ssdeep	`49152:LBF4fConfgEO/xmkAdTojvMwtzKCA7aPWU:1OaonfgEbujUwtz3A7aOU`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

Halkbank.exe "C:\Users\test22\AppData\Local\Temp\Halkbank.exe"
2656
- wscript.exe "C:\Windows\System32\wscript.exe" Update-ia.c.vbe
  2792
  - eepvjjf.pif "C:\eegv\eepvjjf.pif" buge.exe
    2908
    - RegSvcs.exe "C:\Users\test22\AppData\Local\Temp\RegSvcs.exe"
      2980

Name	Response	Post-Analysis Lookup
report1.duckdns.org	A 185.16.38.253	185.16.38.253
geoplugin.net	A 178.237.33.50	178.237.33.50

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
185.16.38.253	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 192.168.56.101:49169 -> 185.16.38.253:3380	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49169 185.16.38.253:3380	None	None	None

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 4, 2023, 5:54 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 4, 2023, 5:54 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Connects to a Dynamic DNS Domain (1 event)

domain

report1.duckdns.org

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 4, 2023, 5:54 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2023, 5:54 p.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73872000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2023, 5:54 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

RegSvcs.exe tried to sleep 328 seconds, actually delayed analysis time by 328 seconds

Creates (office) documents on the filesystem (18 events)

file	C:\eegv\suqw.pdf
file	C:\eegv\vxeodm.xls
file	C:\eegv\wesaswarpm.xls
file	C:\eegv\pxxt.docx
file	C:\eegv\gwvkihgbth.ppt
file	C:\eegv\fvkctce.pdf
file	C:\eegv\mvjxf.xls
file	C:\eegv\jolojgkvt.pdf
file	C:\eegv\hfdmlkv.xls
file	C:\eegv\pcgh.docx
file	C:\eegv\oqpg.docx
file	C:\eegv\cqmorjr.docx
file	C:\eegv\qwquwr.pdf
file	C:\eegv\crupx.xls
file	C:\eegv\gitpqumj.docx
file	C:\eegv\dwktvnq.ppt
file	C:\eegv\oked.ppt
file	C:\eegv\ncvwgifaxh.pdf

Creates executable files on the filesystem (9 events)

file	C:\eegv\eepvjjf.pif
file	C:\eegv\Update-ia.c.vbe
file	C:\eegv\reujc.dll
file	C:\eegv\buge.exe
file	C:\Users\test22\temp\nulfijae.exe
file	C:\eegv\wcnortcu.exe
file	C:\eegv\nulfijae.exe
file	C:\eegv\kcuvdpkpmh.dll
file	C:\eegv\fmdx.exe

Drops a binary and executes it (1 event)

file	C:\eegv\eepvjjf.pif

Yara rule detected in process memory (29 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	browser info stealer	rule	infoStealer_browser_Zero
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 4ac9fbf738fde247afd4049ae3b4bf8a9a099cf2

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 4, 2023, 5:54 p.m.	process_identifier: 2980 region_size: 5292032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000134	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate

reg_value

c:\eegv\eepvjjf.pif c:\eegv\buge.exe

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 4, 2023, 5:54 p.m.	buffer: ÿÿÿÿGû~(ü~Pý~mèÿÿ jHâý~± base_address: 0x7efde000 process_identifier: 2980 process_handle: 0x00000134	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA May 4, 2023, 5:54 p.m.	thread_identifier: 0 callback_function: 0x004798a7 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00470000	1	1376629	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2908 called NtSetContextThread to modify thread in remote process 2980
NtSetContextThread May 4, 2023, 5:54 p.m.	registers.eip: 1995571652 registers.esp: 4651544 registers.edi: 0 registers.eax: 4862714 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000128 process_identifier: 2980	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\eegv\eepvjjf.pif" buge.exe
parent_process	wscript.exe				martian_process	eepvjjf.pif buge.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2656 resumed a thread in remote process 2792
Process injection	Process 2908 resumed a thread in remote process 2980
NtResumeThread May 4, 2023, 5:54 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2792	1	0	0
NtResumeThread May 4, 2023, 5:54 p.m.	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2980	1	0	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

Executed a process and injected code into it, probably while unpacking (11 events)

Time & API	Arguments	Status	Return
NtResumeThread May 4, 2023, 5:54 p.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 2656	1	0
CreateProcessInternalW May 4, 2023, 5:54 p.m.	thread_identifier: 2796 thread_handle: 0x000002c8 process_identifier: 2792 current_directory: C:\eegv filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\wscript.exe" Update-ia.c.vbe filepath_r: C:\Windows\System32\wscript.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtResumeThread May 4, 2023, 5:54 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2792	1	0
CreateProcessInternalW May 4, 2023, 5:54 p.m.	thread_identifier: 2912 thread_handle: 0x0000037c process_identifier: 2908 current_directory: C:\eegv filepath: C:\eegv\eepvjjf.pif track: 1 command_line: "C:\eegv\eepvjjf.pif" buge.exe filepath_r: C:\eegv\eepvjjf.pif stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000370	1	1
CreateProcessInternalW May 4, 2023, 5:54 p.m.	thread_identifier: 2984 thread_handle: 0x00000128 process_identifier: 2980 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\RegSvcs.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000134	1	1
NtGetContextThread May 4, 2023, 5:54 p.m.	thread_handle: 0x00000128	1	0
NtAllocateVirtualMemory May 4, 2023, 5:54 p.m.	process_identifier: 2980 region_size: 5292032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000134	1	0
WriteProcessMemory May 4, 2023, 5:54 p.m.	buffer: base_address: 0x00470000 process_identifier: 2980 process_handle: 0x00000134	1	1
WriteProcessMemory May 4, 2023, 5:54 p.m.	buffer: ÿÿÿÿGû~(ü~Pý~mèÿÿ jHâý~± base_address: 0x7efde000 process_identifier: 2980 process_handle: 0x00000134	1	1
NtSetContextThread May 4, 2023, 5:54 p.m.	registers.eip: 1995571652 registers.esp: 4651544 registers.edi: 0 registers.eax: 4862714 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000128 process_identifier: 2980	1	0
NtResumeThread May 4, 2023, 5:54 p.m.	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2980	1	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Lisk.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.66719227
FireEye	Generic.mg.43da6da02ab057b4
CAT-QuickHeal	Trojan.Sabsik
McAfee	Artemis!43DA6DA02AB0
Malwarebytes	Delphi.Trojan.Downloader.DDS
VIPRE	Trojan.GenericKD.66719227
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005a45ec1 )
Alibaba	TrojanDropper:Win32/Runner.241becdf
K7GW	Trojan ( 005a45ec1 )
Cybereason	malicious.02ab05
Cyren	W32/ABRisk.TBRO-2528
ESET-NOD32	VBS/Runner.ODN
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	Trojan-Dropper.Win32.Sysn.dahu
BitDefender	Trojan.GenericKD.66719227
NANO-Antivirus	Trojan.Win32.Autoit.jtxofu
Avast	Win32:Malware-gen
Tencent	Win32.Trojan-Dropper.Sysn.Ckjl
Emsisoft	Trojan.GenericKD.66719227 (B)
F-Secure	Trojan.TR/AD.Remcos.sxywh
McAfee-GW-Edition	BehavesLike.Win32.Generic.tc
Sophos	Mal/Generic-S
Avira	TR/AD.Remcos.sxywh
Gridinsoft	Ransom.Win32.Wacatac.oa!s1
Arcabit	Trojan.Generic.D3FA0DFB
ZoneAlarm	Trojan-Dropper.Win32.Sysn.dahu
GData	Trojan.GenericKD.66719227
Google	Detected
AhnLab-V3	Malware/Win.Generic.C5420483
VBA32	Trojan.Agent
ALYac	Trojan.GenericKD.66719227
MAX	malware (ai score=82)
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0DDS23
Rising	Trojan.Generic@AI.92 (RDML:LPIK/WBVvDDWZLFKkkugyg)
Ikarus	Trojan.Script
Fortinet	W32/Agent.PIF!tr
AVG	Win32:Malware-gen
DeepInstinct	MALICIOUS

Halkbank.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All