Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 3, 2023, 10:56 a.m.	July 3, 2023, 10:58 a.m.

Size	21.3MB
Type	RAR archive data, v5
MD5	`2b3d3bcf435c1400b8a85945d6fe2d15`
SHA256	`2665c55ee0796f4954a237dc213e413dd961fd43821a40f7df5674c9a33e2e47`
CRC32	`C48D1312`
ssdeep	`393216:yEGw1XQPLZdF/QblgMwU0zgLgeswpECSISff/GOyIAaR5xVqAi:yE3yZdF/0PwU0zSgyFi/8I75xVqAi`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "McnIGBJteFIGDC" C:\Users\test22\AppData\Local\Temp\Passw0rd_1122_To_Open_Archive.rar
3032
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\Passw0rd_1122_To_Open_Archive.rar"
  2200

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
79.137.195.246	Active	Moloch
91.103.252.3	Active	Moloch
94.158.245.22	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49175 -> 79.137.195.246:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49175 -> 79.137.195.246:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2036934	ET MALWARE Win32/RecordBreaker CnC Checkin M1	A Network Trojan was detected
TCP 91.103.252.3:80 -> 192.168.56.102:49179	2036955	ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response	A Network Trojan was detected
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 91.103.252.3:80 -> 192.168.56.102:49179	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49181 -> 94.158.245.22:80	2018752	ET MALWARE Generic .bin download from Dotted Quad	A Network Trojan was detected
TCP 94.158.245.22:80 -> 192.168.56.102:49181	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 94.158.245.22:80 -> 192.168.56.102:49181	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49179 -> 91.103.252.3:80	2036884	ET HUNTING Possible Generic Stealer Sending System Information	Misc activity

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 3, 2023, 10:56 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 3, 2023, 10:56 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (11 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://79.137.195.246/client7/enc.exe
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://91.103.252.3/
suspicious_features	Connection to IP address	suspicious_request	GET http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://91.103.252.3/29337380ca3f6eacdd49120039f37335
suspicious_features	Connection to IP address	suspicious_request	GET http://94.158.245.22/SK2E6ZYBFLD885TK/14013878658799951837.bin

Performs some HTTP requests (11 events)

request	GET http://79.137.195.246/client7/enc.exe
request	POST http://91.103.252.3/
request	GET http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
request	GET http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
request	GET http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
request	GET http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
request	GET http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
request	GET http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
request	GET http://91.103.252.3/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
request	POST http://91.103.252.3/29337380ca3f6eacdd49120039f37335
request	GET http://94.158.245.22/SK2E6ZYBFLD885TK/14013878658799951837.bin

Sends data using the HTTP POST Method (2 events)

request	POST http://91.103.252.3/
request	POST http://91.103.252.3/29337380ca3f6eacdd49120039f37335

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 3, 2023, 10:56 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74002000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 3, 2023, 10:56 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737e3000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7zE898CF1BA\Main_Installer.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 3, 2023, 10:56 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW July 3, 2023, 10:56 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (3 events)

host	79.137.195.246
host	91.103.252.3
host	94.158.245.22

Passw0rd_1122_To_Open_Archive.rar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All