Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 26, 2023, 7:36 a.m.	June 26, 2023, 7:38 a.m.

Size	141.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4a04139d91df7de08a286bfe99cb4303`
SHA256	`565dab2ca2cccf49101da65093fb864c4857590db13be7d2fb943cfa2abad13e`
CRC32	`4920925E`
ssdeep	`3072:2k4aHUBOO36YplMqBB3ZcPxlG+bBsDHqYzHKG0qIwj:2dx3wqz3ZcDeDKYzqG01wj`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader Ave_Maria_Zero - Remote Access Trojan that is also called WARZONE RAT Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Antivirus - Contains references to security software IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

wa.exe "C:\Users\test22\AppData\Local\Temp\wa.exe"
2068
- 172.exe "C:\Users\test22\AppData\Local\Temp\172.exe"
  2296
  - netsh.exe netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
    2344
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
microsoft.com	A 20.236.44.162 A 20.76.201.171 A 20.70.246.20 A 20.231.239.246 A 20.112.250.133	20.112.250.133

IP Address	Status	Action
164.124.101.2	Active	Moloch
179.43.162.58	Active	Moloch
20.70.246.20	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 179.43.162.58:5200 -> 192.168.56.103:49163	2038897	ET MALWARE Warzone RAT Response (Inbound)	A Network Trojan was detected
TCP 179.43.162.58:5200 -> 192.168.56.103:49163	2038897	ET MALWARE Warzone RAT Response (Inbound)	A Network Trojan was detected
TCP 192.168.56.103:49168 -> 20.70.246.20:80	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 26, 2023, 7:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 7:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 26, 2023, 7:37 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA June 26, 2023, 7:36 a.m.	buffer: Ok. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 26, 2023, 7:36 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

WM_DSP

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 26, 2023, 7:37 a.m.	process_identifier: 2068 region_size: 540672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05620000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 26, 2023, 7:36 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW June 26, 2023, 7:37 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW June 26, 2023, 7:37 a.m.	number_of_free_clusters: 2425516 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (23 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 11\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 20\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 5\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 10\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 8\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 15\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 18\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 9\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 2\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 13\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 16\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 7\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 6\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 17\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 12\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 14\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 19\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data

Foreign language identified in PE resource (1 event)

name

WM_DSP

language

LANG_ENGLISH

filetype

PE32 executable (GUI) Intel 80386, for MS Windows

sublanguage

SUBLANG_ARABIC_QATAR

offset

0x00156070

size

0x00002c00

Creates executable files on the filesystem (9 events)

file	C:\Users\test22\AppData\Local\Temp\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\nss3.dll
file	C:\Program Files\Microsoft DN1\sqlmap.dll
file	C:\Users\test22\AppData\Local\Temp\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\172.exe
file	C:\Windows\System32\rfxvmt.dll

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\172.exe

Drops an executable to the user AppData folder (7 events)

file	C:\Users\test22\AppData\Local\Temp\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\172.exe
file	C:\Users\test22\AppData\Local\Temp\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\softokn3.dll

Executes one or more WMI queries (1 event)

wmi

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 26, 2023, 7:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess June 26, 2023, 7:36 a.m.	status_code: 0x00000000 process_identifier: 0 process_handle: 0x0000035c		0	0
NtTerminateProcess June 26, 2023, 7:36 a.m.	status_code: 0x00000000 process_identifier: 0 process_handle: 0x0000035c	1	0	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389

Communicates with host for which no DNS query was performed (1 event)

host

179.43.162.58

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll

reg_value

%ProgramFiles%\Microsoft DN1\sqlmap.dll

Operates on local firewall's policies and settings (1 event)

cmdline

netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389

Harvests credentials from local email clients (2 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\wa.exe:Zone.Identifier

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware
Elastic	Windows.Trojan.AveMaria
MicroWorld-eScan	Generic.Dacic.B09FDD2A.A.194148F5
McAfee	PWS-FDNF!4A04139D91DF
Malwarebytes	Generic.Malware.AI.DDS
Zillya	Trojan.Agent.Win32.3406532
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0054d10e1 )
K7GW	Trojan ( 0054d10e1 )
Cybereason	malicious.d91df7
Arcabit	Generic.Dacic.B09FDD2A.A.194148F5
VirIT	Trojan.Win32.Genus.QJS
Cyren	W32/Antiav.INDT-0919
Symantec	Infostealer
ESET-NOD32	a variant of Win32/Warzone.A
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Downloader.Powershell-9856919-0
Kaspersky	Trojan.Win32.Agentb.jiad
BitDefender	Generic.Dacic.B09FDD2A.A.194148F5
NANO-Antivirus	Trojan.Win32.AntiAV.fljpfv
Avast	Win32:Malware-gen
Tencent	Malware.Win32.Gencirc.10bebf78
Emsisoft	Generic.Dacic.B09FDD2A.A.194148F5 (B)
F-Secure	Trojan.TR/Redcap.ghjpt
DrWeb	Trojan.Uacbypass.28
VIPRE	Generic.Dacic.B09FDD2A.A.194148F5
TrendMicro	TrojanSpy.Win32.MOCRT.SM
McAfee-GW-Edition	BehavesLike.Win32.Upatre.ch
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.4a04139d91df7de0
Sophos	Mal/EncPk-MP
Ikarus	Trojan.Win32.Warzone
Avira	TR/Redcap.ghjpt
Antiy-AVL	Trojan[APT]/Win32.Confucius
Microsoft	Trojan:Win32/Guildma!ic
ZoneAlarm	Trojan.Win32.Agentb.jiad
GData	Win32.Trojan.PSE.38UUO1
Google	Detected
AhnLab-V3	Trojan/Win32.AveMaria.R263895
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.36270.iyW@ayAdNKci
ALYac	Generic.Dacic.B09FDD2A.A.194148F5
MAX	malware (ai score=87)
Cylance	unsafe
Panda	Trj/Genetic.gen
Zoner	Trojan.Win32.74962
TrendMicro-HouseCall	TrojanSpy.Win32.MOCRT.SM
Rising	Stealer.AveMaria!1.E64D (CLASSIC)
SentinelOne	Static AI - Malicious PE

wa.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All