Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 25, 2023, 9:27 a.m.	May 25, 2023, 9:35 a.m.

Size	176.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`1923b005546de11d38b39e4d3874c045`
SHA256	`9e6e64943441faf5cdc7195644c00b4fede1e8f13a4a12edf61768ff140e7310`
CRC32	`3CC75176`
ssdeep	`3072:WfY/TU9fE9PEtuDbsVHN+FlzTs5gJsEUsYnKSu2umlOBw:AYa6RsVtmoeHQs2umN`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer PE_Header_Zero - PE File Signature IsPE32 - (no description)

macilak2.1.exe "C:\Users\test22\AppData\Local\Temp\macilak2.1.exe"
1680
- macilak2.1.exe "C:\Users\test22\AppData\Local\Temp\macilak2.1.exe"
  2052
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
cmark.duckdns.org	A 185.206.215.165	185.206.215.165

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.206.215.165	Active	Moloch

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 185.206.215.165:5165 -> 192.168.56.103:49165	2036735	ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 185.206.215.165:5165	2036734	ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 25, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1	0

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 25, 2023, 9:27 a.m.		1	1	0

section

.ndata

domain

cmark.duckdns.org

Time & API	Arguments	Status
NtAllocateVirtualMemory May 25, 2023, 9:27 a.m.	process_identifier: 1680 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 9:27 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d50000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 9:20 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

file	C:\Users\test22\AppData\Local\Temp\nshBF07.tmp\jovewpm.dll
file	C:\Users\test22\AppData\Roaming\soxtdmirbwgc\luqajenj.exe

file	C:\Users\test22\AppData\Local\Temp\nshBF07.tmp\jovewpm.dll
file	C:\Users\test22\AppData\Roaming\soxtdmirbwgc\luqajenj.exe

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\scxhqmvrbkgp

reg_value

C:\Users\test22\AppData\Roaming\soxtdmirbwgc\luqajenj.exe "C:\Users\test22\AppData\Local\Temp\macilak2.1.exe"

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA May 25, 2023, 9:27 a.m.	thread_identifier: 0 callback_function: 0x004074c0 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	131541	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1680 called NtSetContextThread to modify thread in remote process 2052
NtSetContextThread May 25, 2023, 9:27 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4216632 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000230 process_identifier: 2052	1	0	0

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.tshg
DrWeb	Trojan.Loader.1506
MicroWorld-eScan	Gen:Variant.Nemesis.22780
McAfee	Artemis!1923B005546D
Cylance	unsafe
Sangfor	Trojan.Win32.Injector.Vm2j
Cybereason	malicious.5546de
Arcabit	Trojan.Nemesis.D58FC [many]
Cyren	W32/Injector.BNH.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector_AGen.XI
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Nemesis.22780
Avast	FileRepMalware [Trj]
Emsisoft	Gen:Variant.Nemesis.22780 (B)
VIPRE	Gen:Variant.Nemesis.22780
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
FireEye	Generic.mg.1923b005546de11d
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Zum.Androm.1
AhnLab-V3	Infostealer/Win.Generic.C5395778
MAX	malware (ai score=81)
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/Chgt.AD
Rising	Trojan.Generic@AI.97 (RDML:Ln8GmusAGxhFyDgcUmJTVw)
Ikarus	Trojan.NSIS.Agent
Fortinet	W32/Injector.ESYW!tr
AVG	FileRepMalware [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (W)

macilak2.1.exe