Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 11, 2023, 10:52 p.m.	June 11, 2023, 11:18 p.m.

Size	192.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`6b43c223d7bf1db3d6287decf2504719`
SHA256	`45019feacbc0f134ab73298cacbd7283fed41bb664fd9336759b29bd249adb5c`
CRC32	`974412C6`
ssdeep	`3072:2fY/TU9fE9PEtuDb9w0Tf9g9Cg5tHlQGoksOZaFxnNwl3PJjttdjW/8ZKt6ak9:gYa6B9w079g9X3H1ysa/n05djIZ6L9`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer PE_Header_Zero - PE File Signature IsPE32 - (no description)

ojawar2.1.exe "C:\Users\test22\AppData\Local\Temp\ojawar2.1.exe"
1904
- ojawar2.1.exe "C:\Users\test22\AppData\Local\Temp\ojawar2.1.exe"
  2056
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
hightense.duckdns.org	A 84.54.50.66	84.54.50.66

IP Address	Status	Action
164.124.101.2	Active	Moloch
84.54.50.66	Active	Moloch

Flow	SID	Signature	Category
TCP 84.54.50.66:6060 -> 192.168.56.103:49165	2036735	ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)	Malware Command and Control Activity Detected
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 192.168.56.103:49165 -> 84.54.50.66:6060	2036734	ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin	Malware Command and Control Activity Detected

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 11, 2023, 10:23 p.m.	computer_name: TEST22-PC	1	1	0

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 11, 2023, 10:23 p.m.		1	1	0

section

.ndata

domain

hightense.duckdns.org

Time & API	Arguments	Status
NtAllocateVirtualMemory June 11, 2023, 10:23 p.m.	process_identifier: 1904 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2023, 10:23 p.m.	process_identifier: 1904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d60000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2023, 10:16 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

file	C:\Users\test22\AppData\Roaming\ravfbktpyie\njscxhqmv.exe
file	C:\Users\test22\AppData\Local\Temp\nslBEA9.tmp\svyoyx.dll

file	C:\Users\test22\AppData\Roaming\ravfbktpyie\njscxhqmv.exe
file	C:\Users\test22\AppData\Local\Temp\nslBEA9.tmp\svyoyx.dll

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qajfoxtdyir

reg_value

C:\Users\test22\AppData\Roaming\ravfbktpyie\njscxhqmv.exe "C:\Users\test22\AppData\Local\Temp\ojawar2.1.exe"

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA June 11, 2023, 10:23 p.m.	thread_identifier: 0 callback_function: 0x004074c0 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	131537	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1904 called NtSetContextThread to modify thread in remote process 2056
NtSetContextThread June 11, 2023, 10:23 p.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4216632 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000238 process_identifier: 2056	1	0	0

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.tshg
MicroWorld-eScan	Trojan.Generic.33921099
McAfee	Artemis!6B43C223D7BF
Malwarebytes	Generic.Malware/Suspicious
Sangfor	Infostealer.Win32.Agent.Vo1z
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanPSW:Win32/Stealer.386515a4
K7GW	Trojan ( 005a6cb51 )
Arcabit	Trojan.Generic.D205984B
Cyren	W32/ABTrojan.ACUL-0640
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	Win32/Warzone.A
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan-PSW.Win32.Stealer.gen
BitDefender	Trojan.Generic.33921099
Avast	Win32:InjectorX-gen [Trj]
Emsisoft	Trojan.Generic.33921099 (B)
F-Secure	Trojan.TR/Injector.udwwj
DrWeb	Trojan.PWS.Maria.3
VIPRE	Trojan.Generic.33921099
TrendMicro	Backdoor.Win32.WARZONE.YXDFJZ
McAfee-GW-Edition	BehavesLike.Win32.Generic.cc
FireEye	Generic.mg.6b43c223d7bf1db3
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Injector
Avira	TR/AD.GenShell.sarlx
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	HEUR:Trojan-PSW.Win32.Stealer.gen
GData	Win32.Backdoor.AMRat.BMUOCS
Google	Detected
AhnLab-V3	Infostealer/Win.Generic.C5395778
ALYac	Trojan.Generic.33921099
MAX	malware (ai score=85)
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Backdoor.Win32.WARZONE.YXDFJZ
Rising	Trojan.Injector!8.C4 (CLOUD)
Fortinet	NSIS/Agent.DCAC!tr
AVG	Win32:InjectorX-gen [Trj]
DeepInstinct	MALICIOUS

ojawar2.1.exe