Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 3, 2023, 5:55 p.m.	July 3, 2023, 6:05 p.m.

Size	152.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`66552aa98285ba1c58a90ae8eee06c7a`
SHA256	`8880dce3daf97e67a978a171305d7fd8f487fc74793ec760580bdd19197d77fd`
CRC32	`CF1D54DB`
ssdeep	`3072:4NLOpnhTdOw9YAJOzIY9gVl01T2ENipdDg0z5:4NLYdT97JSIFl0QENqF`
Yara	Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader PE_Header_Zero - PE File Signature Ave_Maria_Zero - Remote Access Trojan that is also called WARZONE RAT Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

Dhepj.exe "C:\Users\test22\AppData\Local\Temp\Dhepj.exe"
2552
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
feeders.ninqshing.net	A 45.41.205.55	45.41.205.55

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.41.205.55	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 3, 2023, 5:55 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 3, 2023, 5:55 p.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 3, 2023, 5:55 p.m.		1	1	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ July 3, 2023, 5:55 p.m.	stacktrace: dhepj+0x3738 @ 0x343738 dhepj+0x12a34 @ 0x352a34 dhepj+0x1570a @ 0x35570a dhepj+0x5ea7 @ 0x345ea7 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 0f b7 01 66 89 02 41 41 42 42 66 85 c0 75 f1 c7 exception.symbol: lstrcpyW+0x16 IsBadStringPtrA-0x5b kernel32+0x33118 exception.instruction: movzx eax, word ptr [ecx] exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 209176 exception.address: 0x755e3118 registers.esp: 2945624 registers.edi: 2945756 registers.eax: 2945648 registers.ebp: 2945664 registers.edx: 35782656 registers.ebx: 0 registers.esi: 2945920 registers.ecx: 0	1
__exception__ July 3, 2023, 5:55 p.m.	stacktrace: LdrResFindResourceDirectory+0x606 RtlEncodeSystemPointer-0x3d ntdll+0x3e01b @ 0x76f4e01b LdrLoadDll+0x2f5 _strcmpi-0x8a ntdll+0x3c72f @ 0x76f4c72f RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x76f4c389 RtlFlsAlloc+0x993 EtwNotificationRegister-0x13c ntdll+0x3f3f6 @ 0x76f4f3f6 RtlEncodeSystemPointer+0x33d RtlFindClearBits-0x454 ntdll+0x3e395 @ 0x76f4e395 RtlSetBits+0x115 RtlFlsAlloc-0x5e ntdll+0x3ea05 @ 0x76f4ea05 RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52 RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52 RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x76f4d69f LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5 New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a LoadLibraryW+0x11 GetModuleFileNameW-0x14 kernel32+0x1493c @ 0x755c493c dhepj+0xb517 @ 0x34b517 dhepj+0xa423 @ 0x34a423 dhepj+0xbb59 @ 0x34bb59 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 83 38 48 0f 82 39 ff 01 00 8b 48 40 85 c9 0f 84 exception.symbol: LdrResFindResourceDirectory+0x9f RtlEncodeSystemPointer-0x5a4 ntdll+0x3dab4 exception.instruction: cmp dword ptr [eax], 0x48 exception.module: ntdll.dll exception.exception_code: 0xc0000006 exception.offset: 252596 exception.address: 0x76f4dab4 registers.esp: 63758340 registers.edi: 1 registers.eax: 268468152 registers.ebp: 63758344 registers.edx: 268468152 registers.ebx: 268435456 registers.esi: 1996562944 registers.ecx: 64	1
__exception__ July 3, 2023, 5:55 p.m.	stacktrace: RtlLookupFunctionEntry+0x72 RtlDecodePointer-0x3e ntdll+0x29c12 @ 0x76d59c12 stacktrace+0x108 memdup-0x12b @ 0x739804f4 New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlLookupFunctionEntry+0x72 RtlDecodePointer-0x3e ntdll+0x29c12 @ 0x76d59c12 stacktrace+0x108 memdup-0x12b @ 0x739804f4 exception.instruction_r: 41 8b 04 8b 4d 8d 14 8b 48 3b d8 72 1b 41 8b 42 exception.symbol: RtlLookupFunctionEntry+0x72 RtlDecodePointer-0x3e ntdll+0x29c12 exception.instruction: mov eax, dword ptr [r11 + rcx*4] exception.module: ntdll.dll exception.exception_code: 0xc0000006 exception.offset: 171026 exception.address: 0x76d59c12 registers.r14: 33672515 registers.r15: 0 registers.rcx: 28365 registers.rsi: 0 registers.r10: 8791767107444 registers.rbx: 1424 registers.rsp: 8791762440492 registers.r11: 8791767031808 registers.r8: 9455 registers.r9: 6304 registers.rdx: 12606 registers.r12: 0 registers.rbp: -2651775755590807516 registers.rdi: 0 registers.rax: 9455 registers.r13: 275	1

Time & API

Arguments

Status

Return

Repeated

__exception__

July 3, 2023, 5:55 p.m.

stacktrace:

dhepj+0x3738 @ 0x343738
dhepj+0x12a34 @ 0x352a34
dhepj+0x1570a @ 0x35570a
dhepj+0x5ea7 @ 0x345ea7
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 0f b7 01 66 89 02 41 41 42 42 66 85 c0 75 f1 c7
exception.symbol: lstrcpyW+0x16 IsBadStringPtrA-0x5b kernel32+0x33118
exception.instruction: movzx eax, word ptr [ecx]
exception.module: kernel32.dll
exception.exception_code: 0xc0000005
exception.offset: 209176
exception.address: 0x755e3118
registers.esp: 2945624
registers.edi: 2945756
registers.eax: 2945648
registers.ebp: 2945664
registers.edx: 35782656
registers.ebx: 0
registers.esi: 2945920
registers.ecx: 0

__exception__

July 3, 2023, 5:55 p.m.

stacktrace:

LdrResFindResourceDirectory+0x606 RtlEncodeSystemPointer-0x3d ntdll+0x3e01b @ 0x76f4e01b
LdrLoadDll+0x2f5 _strcmpi-0x8a ntdll+0x3c72f @ 0x76f4c72f
RtlRunOnceComplete+0x3a4 LdrLoadDll-0xb1 ntdll+0x3c389 @ 0x76f4c389
RtlFlsAlloc+0x993 EtwNotificationRegister-0x13c ntdll+0x3f3f6 @ 0x76f4f3f6
RtlEncodeSystemPointer+0x33d RtlFindClearBits-0x454 ntdll+0x3e395 @ 0x76f4e395
RtlSetBits+0x115 RtlFlsAlloc-0x5e ntdll+0x3ea05 @ 0x76f4ea05
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x76f50f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x76f4e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x76f4ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x76f4e94d
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x76f4d69f
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x76f4c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x736ed4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75981d2a
LoadLibraryW+0x11 GetModuleFileNameW-0x14 kernel32+0x1493c @ 0x755c493c
dhepj+0xb517 @ 0x34b517
dhepj+0xa423 @ 0x34a423
dhepj+0xbb59 @ 0x34bb59
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 83 38 48 0f 82 39 ff 01 00 8b 48 40 85 c9 0f 84
exception.symbol: LdrResFindResourceDirectory+0x9f RtlEncodeSystemPointer-0x5a4 ntdll+0x3dab4
exception.instruction: cmp dword ptr [eax], 0x48
exception.module: ntdll.dll
exception.exception_code: 0xc0000006
exception.offset: 252596
exception.address: 0x76f4dab4
registers.esp: 63758340
registers.edi: 1
registers.eax: 268468152
registers.ebp: 63758344
registers.edx: 268468152
registers.ebx: 268435456
registers.esi: 1996562944
registers.ecx: 64

__exception__

July 3, 2023, 5:55 p.m.

stacktrace:

RtlLookupFunctionEntry+0x72 RtlDecodePointer-0x3e ntdll+0x29c12 @ 0x76d59c12
stacktrace+0x108 memdup-0x12b @ 0x739804f4
New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278
RtlLookupFunctionEntry+0x72 RtlDecodePointer-0x3e ntdll+0x29c12 @ 0x76d59c12
stacktrace+0x108 memdup-0x12b @ 0x739804f4

exception.instruction_r: 41 8b 04 8b 4d 8d 14 8b 48 3b d8 72 1b 41 8b 42
exception.symbol: RtlLookupFunctionEntry+0x72 RtlDecodePointer-0x3e ntdll+0x29c12
exception.instruction: mov eax, dword ptr [r11 + rcx*4]
exception.module: ntdll.dll
exception.exception_code: 0xc0000006
exception.offset: 171026
exception.address: 0x76d59c12
registers.r14: 33672515
registers.r15: 0
registers.rcx: 28365
registers.rsi: 0
registers.r10: 8791767107444
registers.rbx: 1424
registers.rsp: 8791762440492
registers.r11: 8791767031808
registers.r8: 9455
registers.r9: 6304
registers.rdx: 12606
registers.r12: 0
registers.rbp: -2651775755590807516
registers.rdi: 0
registers.rax: 9455
registers.r13: 275

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 3, 2023, 5:55 p.m.	process_identifier: 2552 region_size: 540672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03440000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW July 3, 2023, 5:55 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\freebl3.dll

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\mozglue.dll
file	C:\Users\test22\AppData\Local\Temp\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\softokn3.dll

Executes one or more WMI queries (1 event)

wmi

Harvests credentials from local email clients (3 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\:Zone.Identifier

File has been identified by 65 AntiVirus engines on VirusTotal as malicious (50 out of 65 events)

Bkav	W32.MakyJonteH.Trojan
Lionic	Trojan.Win32.Agent.Y!c
Elastic	Windows.Trojan.AveMaria
MicroWorld-eScan	Generic.ShellCode.RDI.Marte.1.519A884E
FireEye	Generic.mg.66552aa98285ba1c
CAT-QuickHeal	Trojan.Remcos
McAfee	GenericRXNI-EF!66552AA98285
Malwarebytes	Backdoor.AveMaria
VIPRE	Generic.ShellCode.RDI.Marte.1.519A884E
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0019d9b81 )
Alibaba	Trojan:Win32/Remcos.cb601851
K7GW	Trojan ( 0019d9b81 )
Cybereason	malicious.98285b
Arcabit	Generic.ShellCode.RDI.Marte.1.519A884E
BitDefenderTheta	Gen:NN.ZexaF.36270.juW@aC!YjWh
VirIT	Trojan.Win32.Genus.LQW
Cyren	W32/Agent.FYQ.gen!Eldorado
Symantec	Downloader!gm
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Warzone.A
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Malware.AveMaria-8799014-1
Kaspersky	HEUR:Trojan.Win32.Agent.gen
BitDefender	Generic.ShellCode.RDI.Marte.1.519A884E
NANO-Antivirus	Trojan.Win32.Ric.htnucw
Avast	Win64:Trojan-gen
Tencent	Trojan.Win32.Agent.ybq
Emsisoft	Generic.ShellCode.RDI.Marte.1.519A884E (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen2
DrWeb	Trojan.Packed2.42633
Zillya	Trojan.Agent.Win32.1416121
TrendMicro	Backdoor.Win32.WARZONE.YXDF4Z
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.ch
Trapmine	malicious.high.ml.score
Sophos	Troj/Mocrt-A
Ikarus	Trojan-Spy.AveMaria
Jiangmin	Trojan.Agentb.eab
Webroot	W32.Trojan.Gen
Avira	TR/Crypt.XPACK.Gen2
Antiy-AVL	Trojan/Win32.Agent
Gridinsoft	Trojan.Win32.Downloader.oa!s1
Xcitium	TrojWare.Win32.AntiAV.VA@81mmki
Microsoft	Trojan:Win32/Remcos!ic
ViRobot	Trojan.Win.Z.Agent.156160.AX
ZoneAlarm	HEUR:Trojan.Win32.Agent.gen
GData	Win32.Trojan.PSE.1A57F96
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R373692

Dhepj.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All