Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 30, 2023, 9:30 a.m.	May 30, 2023, 9:37 a.m.

Size	210.3KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`c5f9705e5682c03412ec7ca32e22c17c`
SHA256	`07dd531c1198ecf78a9d85e26db1f642de2c06d7234f46f97941afbd28bb742f`
CRC32	`C18A527D`
ssdeep	`3072:6fY/TU9fE9PEtu0bzFrdlCvsJQ+NAPyY50ynTp4ExUmMnheVhgZR2dihmTV9J189:MYa6YzZdlC0G+UsIRxU8vbiC1/f8n9`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer PE_Header_Zero - PE File Signature IsPE32 - (no description)

macrigan2.1.exe "C:\Users\test22\AppData\Local\Temp\macrigan2.1.exe"
2056
- macrigan2.1.exe "C:\Users\test22\AppData\Local\Temp\macrigan2.1.exe"
  2176
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
cmark.duckdns.org	A 185.206.215.165	185.206.215.165

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.206.215.165	Active	Moloch
77.91.68.62	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.206.215.165:5165 -> 192.168.56.103:49168	2036735	ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 185.206.215.165:5165	2036734	ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin	Malware Command and Control Activity Detected
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 185.206.215.165:5165 -> 192.168.56.103:49166	2036735	ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 30, 2023, 9:30 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 30, 2023, 9:31 a.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 30, 2023, 9:30 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Connects to a Dynamic DNS Domain (1 event)

domain

cmark.duckdns.org

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 30, 2023, 9:30 a.m.	process_identifier: 2056 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 9:30 a.m.	process_identifier: 2056 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d40000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 9:31 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\kktpyhdm\irbwgpl.exe
file	C:\Users\test22\AppData\Local\Temp\nskC11A.tmp\yaybccuz.dll

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\nskC11A.tmp\yaybccuz.dll
file	C:\Users\test22\AppData\Roaming\kktpyhdm\irbwgpl.exe

Communicates with host for which no DNS query was performed (1 event)

host

77.91.68.62

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\uqajfoxtdxhq

reg_value

C:\Users\test22\AppData\Roaming\kktpyhdm\irbwgpl.exe "C:\Users\test22\AppData\Local\Temp\macrigan2.1.exe"

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA May 30, 2023, 9:30 a.m.	thread_identifier: 0 callback_function: 0x004074c0 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	131545	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2056 called NtSetContextThread to modify thread in remote process 2176
NtSetContextThread May 30, 2023, 9:30 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4216632 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000218 process_identifier: 2176	1	0	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.tshg
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Nemesis.22787
Cylance	unsafe
VIPRE	Gen:Variant.Nemesis.22787
Sangfor	Trojan.Win32.Injector.Vp9i
K7AntiVirus	Trojan ( 005a5fd91 )
Alibaba	TrojanPSW:Win32/Stealer.ce9c1144
K7GW	Trojan ( 005a5fd91 )
Cybereason	malicious.e5682c
Arcabit	Trojan.Nemesis.D5903 [many]
Cyren	W32/ABRisk.NIGP-1678
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Injector.ESZG
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan-PSW.Win32.Stealer.gen
BitDefender	Gen:Variant.Nemesis.22787
Avast	Win32:InjectorX-gen [Trj]
Tencent	Win32.Trojan-QQPass.QQRob.Rzfl
Emsisoft	Gen:Variant.Nemesis.22787 (B)
F-Secure	Trojan.TR/Redcap.arzob
DrWeb	Trojan.Uacbypass.28
TrendMicro	Backdoor.Win32.WARZONE.YXDE1Z
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
FireEye	Generic.mg.c5f9705e5682c034
Sophos	Mal/Generic-S
Avira	TR/AD.GenShell.uirrr
MAX	malware (ai score=84)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan-PSW.Win32.Stealer.gen
GData	Zum.Androm.1
Google	Detected
AhnLab-V3	Trojan/Win.NsisInject.C5433582
Acronis	suspicious
McAfee	Artemis!C5F9705E5682
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Backdoor.Win32.WARZONE.YXDE1Z
Rising	Trojan.Nsisinject!8.11178 (TFE:5:8WvLT3aNmWT)
Ikarus	Trojan.Win32.Injector
Fortinet	W32/Injector.ESYW!tr
BitDefenderTheta	Gen:NN.ZedlaF.36250.gm4@aKKOiLk
AVG	Win32:InjectorX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

macrigan2.1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All