Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 14, 2023, 9:31 a.m.	June 14, 2023, 9:50 a.m.

Size	448.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`19b622abb084dd8e156e0c28b43f4581`
SHA256	`26bc3f623a9937fe3f33af5039cc6a09b9e33ac1fcfc2b7a282529ee9caa4ff1`
CRC32	`81F533D7`
ssdeep	`6144:dWTmPFFV0JPoPT5HYWXoDokZ+CpO3jMoHACVlngcguHVUz9KHVUz94GZG7MAyAZ2:d10JQDo8kZ+CM3jaCVlgLZ8TZ2`
Yara	UPX_Zero - UPX packed file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Malicious_Library_Zero - Malicious_Library Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals IsPE32 - (no description)

munqk.exe "C:\Users\test22\AppData\Local\Temp\munqk.exe"
2556

Name	Response	Post-Analysis Lookup
raw.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.111.133

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.199.108.133	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 185.199.108.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.199.108.133:443 -> 192.168.56.101:49163	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 185.199.108.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

CUSTOM

One or more processes crashed (12 events)

Time & API	Arguments	Status
__exception__ June 14, 2023, 9:31 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5398024 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5398024 registers.esi: 5398024 registers.ecx: 2	1
__exception__ June 14, 2023, 9:31 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5398024 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5398024 registers.esi: 5398024 registers.ecx: 2	1
__exception__ June 14, 2023, 9:31 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5398024 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5398024 registers.esi: 5398024 registers.ecx: 2	1
__exception__ June 14, 2023, 9:31 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5398024 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5398024 registers.esi: 5398024 registers.ecx: 2	1
__exception__ June 14, 2023, 9:31 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5398024 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5398024 registers.esi: 5398024 registers.ecx: 2	1
__exception__ June 14, 2023, 9:31 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5398024 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5398024 registers.esi: 5398024 registers.ecx: 2	1
__exception__ June 14, 2023, 9:31 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5398024 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5398024 registers.esi: 5398024 registers.ecx: 2	1
__exception__ June 14, 2023, 9:31 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5398024 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5398024 registers.esi: 5398024 registers.ecx: 2	1
__exception__ June 14, 2023, 9:31 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636196 registers.edi: 1636472 registers.eax: 1636196 registers.ebp: 1636276 registers.edx: 0 registers.ebx: 5398024 registers.esi: 1636472 registers.ecx: 2	1
__exception__ June 14, 2023, 9:31 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5398024 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5398024 registers.esi: 5398024 registers.ecx: 2	1
__exception__ June 14, 2023, 9:31 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5398024 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5398024 registers.esi: 5398024 registers.ecx: 2	1
__exception__ June 14, 2023, 9:31 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636876 registers.edi: 5398024 registers.eax: 1636876 registers.ebp: 1636956 registers.edx: 0 registers.ebx: 5398024 registers.esi: 5398024 registers.ecx: 2	1

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 14, 2023, 9:31 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 14, 2023, 9:31 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003f0000 process_handle: 0xffffffff	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\(Default)

reg_value

C:\Users\test22\AppData\Roaming\\

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Bkav	W32.AIDetectMalware
MicroWorld-eScan	Gen:Variant.Tedy.323153
FireEye	Generic.mg.19b622abb084dd8e
Malwarebytes	Inject.Exploit.Shellcode.DDS
Sangfor	Suspicious.Win32.Save.vb
Arcabit	Trojan.Tedy.D4EE51
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ESAP
APEX	Malicious
BitDefender	Gen:Variant.Tedy.323153
Avast	Win32:RATX-gen [Trj]
Emsisoft	Gen:Variant.Tedy.323153 (B)
VIPRE	Gen:Variant.Tedy.323153
Trapmine	malicious.moderate.ml.score
Ikarus	Trojan-Spy.Agent
MAX	malware (ai score=87)
Antiy-AVL	Trojan/Win32.Injector
Microsoft	Trojan:Win32/Pony.AT!MTB
GData	Gen:Variant.Tedy.323153
Google	Detected
VBA32	Malware-Cryptor.VB.gen.1
ALYac	Gen:Variant.Tedy.323153
Rising	Backdoor.DcRat!8.129D9 (TFE:5:dHsoB4Jq8qS)
AVG	Win32:RATX-gen [Trj]
DeepInstinct	MALICIOUS

munqk.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All