Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 30, 2023, 4:33 p.m.	May 30, 2023, 4:35 p.m.

Size	150.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`6cac87c1e2aa3e15837dcfff9d23cf0c`
SHA256	`0e559f3efa6f366f034a981007c2a64d0ee64c956f733f65727d7af1be0e34c3`
CRC32	`1D00C53B`
ssdeep	`3072:XfY/TU9fE9PEtuZbJ56Ac2a42J+gISQ5Ga3gazDzED81jGoKdv+3W:PYa6P7gh4uISQ8a3ga/zED2av+3W`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer PE_Header_Zero - PE File Signature IsPE32 - (no description)

Signed Proposal pdf.exe "C:\Users\test22\AppData\Local\Temp\Signed Proposal pdf.exe"
2560
- Signed Proposal pdf.exe "C:\Users\test22\AppData\Local\Temp\Signed Proposal pdf.exe"
  2656

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
171.22.30.147	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 171.22.30.147:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 171.22.30.147:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 171.22.30.147:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49167 -> 171.22.30.147:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49164 -> 171.22.30.147:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 171.22.30.147:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 192.168.56.101:49167 -> 171.22.30.147:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 171.22.30.147:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 171.22.30.147:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 171.22.30.147:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 171.22.30.147:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 171.22.30.147:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 30, 2023, 4:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 30, 2023, 4:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 30, 2023, 4:33 p.m.	computer_name: TEST22-PC	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 30, 2023, 4:33 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 30, 2023, 4:33 p.m.	stacktrace: signed proposal pdf+0x12fdd @ 0x412fdd signed proposal pdf+0x1296e @ 0x41296e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8a 0a 88 0c 17 42 4e 75 f7 5f 5e 5d c3 55 8b ec exception.symbol: signed proposal pdf+0x2b41 exception.instruction: mov cl, byte ptr [edx] exception.module: Signed Proposal pdf.exe exception.exception_code: 0xc0000005 exception.offset: 11073 exception.address: 0x402b41 registers.esp: 40959796 registers.edi: 34595271 registers.eax: 40960032 registers.ebp: 40959804 registers.edx: 6561792 registers.ebx: 40960032 registers.esi: 221997766 registers.ecx: 0	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, HTTP version 1.0 used, Connection to IP address

suspicious_request

POST http://171.22.30.147/lee/five/fre.php

Performs some HTTP requests (1 event)

request

POST http://171.22.30.147/lee/five/fre.php

Sends data using the HTTP POST Method (1 event)

request

POST http://171.22.30.147/lee/five/fre.php

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 30, 2023, 4:33 p.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:33 p.m.	process_identifier: 2560 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:33 p.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03170000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (19 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsrEFFF.tmp\ymorogeay.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsrEFFF.tmp\ymorogeay.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 30, 2023, 4:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

171.22.30.147

Harvests credentials from local FTP client softwares (22 events)

file	C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\test22\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Program Files (x86)\FileZilla\Filezilla.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry	HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry	HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry	HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_CURRENT_USER\Software\Martin Prikryl
registry	HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Harvests credentials from local email clients (3 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 called NtSetContextThread to modify thread in remote process 2656
NtSetContextThread May 30, 2023, 4:33 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000214 process_identifier: 2656	1	0	0

Putty Files, Registry Keys and/or Mutexes Detected

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.66838101
FireEye	Generic.mg.6cac87c1e2aa3e15
CAT-QuickHeal	Trojandropper.Nuldrop
ALYac	Trojan.GenericKD.66838101
Malwarebytes	Trojan.Injector.NSIS
Sangfor	Dropper.Win32.Nuldrop.Vneu
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.66838101
K7GW	Trojan ( 005a4d631 )
K7AntiVirus	Trojan ( 005a4d631 )
VirIT	Trojan.Win32.GenusB.DGFT
Cyren	W32/Injector.BMS.gen!Eldorado
ESET-NOD32	a variant of Win32/Injector.ESXO
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Dropper.Win32.Nuldrop.gen
Alibaba	TrojanDropper:Win32/Nuldrop.895623d3
Rising	Dropper.Nuldrop!8.12FBE (TFE:6:JVqELmcccnI)
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Redcap.bywtf
DrWeb	Trojan.PWS.Siggen3.29640
VIPRE	Trojan.GenericKD.66838101
TrendMicro	TROJ_GEN.R002C0DE323
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
Trapmine	malicious.moderate.ml.score
Emsisoft	Trojan.GenericKD.66838101 (B)
SentinelOne	Static AI - Suspicious PE
Google	Detected
Avira	TR/AD.LokiBot.avuxm
MAX	malware (ai score=80)
Antiy-AVL	Trojan/Win32.Injector
Microsoft	Trojan:Win32/Guloader.SS!MTB
Gridinsoft	Ransom.Win32.LokiBot.bot
Arcabit	Trojan.Generic.D3FBDE55
ZoneAlarm	UDS:Trojan-Dropper.Win32.Nuldrop.gen
GData	Trojan.GenericKD.66838101
Cynet	Malicious (score: 100)
AhnLab-V3	Infostealer/Win.LoginCridential.C5421997
McAfee	Artemis!6CAC87C1E2AA
DeepInstinct	MALICIOUS
VBA32	Trojan.LokiBot
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002H0DE323
Tencent	Win32.Trojan-Dropper.Nuldrop.Ddhl
Ikarus	Trojan-Spy.FormBook
Fortinet	W32/ESXO!tr
AVG	Win32:PWSX-gen [Trj]
Cybereason	malicious.1e2aa3

Signed Proposal pdf.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All