Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 9, 2023, 9:01 a.m.	May 9, 2023, 9:05 a.m.

Size	306.5KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`baa51dc77e43c436c429a9131ce4b152`
SHA256	`3a730aa52628321eea3dc14017a82e0da0ffbd72404de098f6c3e3809466af21`
CRC32	`8A0E433A`
ssdeep	`6144:XxgO8BdlEW0hpTunf3ll2RVdLXbn1pLaAow0G:iOWFo0nfVq1p3oV`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

009.jpg "C:\Users\test22\AppData\Local\Temp\009.jpg"
840

Name	Response	Post-Analysis Lookup
drucherblo.ru

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 282 events)

Time & API	Arguments	Status	Return
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: E console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: r console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: r console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: o console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: r console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: E console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: E console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: T console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: h console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: e console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: s console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: e console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: r console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: v console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: e console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: r console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: n console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: a console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: m console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: e console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: o console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: r console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: a console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: d console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: d console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: r console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: e console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: s console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: s console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: c console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: o console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: u console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: l console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: d console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: n console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: o console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: t console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: b console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: e console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: r console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: e console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: s console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: o console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: l console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: v console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: e console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: d console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: E console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: r console_handle: 0x0000000b	1	1
WriteConsoleA May 9, 2023, 9:01 a.m.	buffer: r console_handle: 0x0000000b	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 9, 2023, 9:01 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 events)

section	.textax
section	.dataax
section	.staocax
section	.rsrcax

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

RT_INC

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

drucherblo.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (11 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 9, 2023, 9:01 a.m.	process_identifier: 840 region_size: 286720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 9:01 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 9:01 a.m.	process_identifier: 840 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 9:01 a.m.	process_identifier: 840 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 9, 2023, 9:01 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 49152 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 9, 2023, 9:01 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 9, 2023, 9:01 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 286720 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 9, 2023, 9:01 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00454000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 9, 2023, 9:01 a.m.	process_identifier: 840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 262144 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 9:01 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 9:01 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA May 9, 2023, 9:01 a.m.	key_handle: 0x000002d8 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.MoywakA.Trojan
Lionic	Trojan.Win32.Yakes.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Ransom.Zepto.3
FireEye	Generic.mg.baa51dc77e43c436
CAT-QuickHeal	Trojan.Sirefef.A
ALYac	Gen:Variant.Ransom.Zepto.3
Cylance	Unsafe
Zillya	Trojan.CoinMiner.Win32.796
Sangfor	Malware
K7AntiVirus	Trojan ( 0055e3fc1 )
Alibaba	Trojan:Win32/Kraziomel.8adb64cb
K7GW	Trojan ( 0055e3fc1 )
Cybereason	malicious.77e43c
Arcabit	Trojan.Ransom.Zepto.3
TrendMicro	TROJ_YAKES.DD
BitDefenderTheta	Gen:NN.ZexaF.34186.tuW@aCI8f4c
Cyren	W32/Trojan.JNGX-3887
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Gen:Variant.Ransom.Zepto.3
NANO-Antivirus	Trojan.Win32.Yakes.dahmou
SUPERAntiSpyware	Backdoor.Bot/Variant
Avast	Win32:Evo-gen [Susp]
Tencent	Win32.Trojan.Generic.Phzx
Ad-Aware	Gen:Variant.Ransom.Zepto.3
Comodo	Malware@#2j8aj70gyakn9
F-Secure	Heuristic.HEUR/AGEN.1104202
DrWeb	Trojan.BtcMine.148
VIPRE	Trojan.Win32.Sirefef.nb (v)
Invincea	heuristic
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.CoinMiner
Jiangmin	Trojan/Yakes.nbb
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1104202
MAX	malware (ai score=80)
Antiy-AVL	Trojan/Win32.Yakes
Microsoft	Trojan:Win32/Kraziomel.D
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Ransom.Zepto.3
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.BitCoinMiner.R102015
Acronis	suspicious
McAfee	W32/RogueMiner.d
VBA32	Trojan.Yakes
Malwarebytes	Backdoor.Bot
ESET-NOD32	Win32/CoinMiner.CF

009.jpg

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All