Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 18, 2023, 6:21 p.m.	July 18, 2023, 6:25 p.m.

Size	285.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`3b08d70445120f2ef571828dde9d6be3`
SHA256	`d402a53f58b386e523432ddf1c94e44cea111587c6a2714681b0669f2304cb30`
CRC32	`1BD9FE17`
ssdeep	`6144:vYa6HRWFm8hpwLZFlJ+bi5GQ8lqxMz/wF0N:vY9bKetF6etLHmN`
Yara	UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

csrssnj.exe "C:\Users\test22\AppData\Local\Temp\csrssnj.exe"
2556
- csrssnj.exe "C:\Users\test22\AppData\Local\Temp\csrssnj.exe"
  2652

Name	Response	Post-Analysis Lookup
www.ketotop5reviews.com	CNAME ketotop5reviews.com A 192.145.237.146	192.145.237.146
www.tugrow.top	A 66.29.131.66	66.29.131.66
www.morubixaba.com	A 84.32.84.32 CNAME morubixaba.com	84.32.84.32
www.dsgdltrg.top	A 20.239.76.242	20.239.76.242
www.selectenoil.ru	A 185.26.122.80	185.26.122.80
www.amateurshow.online	A 37.220.1.68	37.220.1.68
www.kbtcoin.store	A 98.124.224.17
www.redhelpers.com	A 185.53.178.54	185.53.178.54
www.grandiosoyacht.com	CNAME grandiosoyacht.com A 195.110.124.133	195.110.124.133
www.my-bbs.com	CNAME zhs.zohosites.com A 136.143.186.12	136.143.186.12
www.fatimaest.com	CNAME fatimaest.com A 184.168.113.171	184.168.113.171
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
162.55.60.2	Active	Moloch
136.143.186.12	Active	Moloch
164.124.101.2	Active	Moloch
184.168.113.171	Active	Moloch
185.26.122.80	Active	Moloch
185.53.178.54	Active	Moloch
192.145.237.146	Active	Moloch
195.110.124.133	Active	Moloch
20.239.76.242	Active	Moloch
37.220.1.68	Active	Moloch
45.33.6.223	Active	Moloch
66.29.131.66	Active	Moloch
84.32.84.32	Active	Moloch
98.124.224.17	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49178 -> 66.29.131.66:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
UDP 192.168.56.101:51901 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 18, 2023, 6:21 p.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 18, 2023, 6:21 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Performs some HTTP requests (21 events)

request	POST http://www.redhelpers.com/hjdr/
request	GET http://www.redhelpers.com/hjdr/?JoeyZNb=YpqjTLELgUY/d4HafFE0oWZw/2NHDnY7eLtpu3Vtdcx4Jmz4rSZ5sKv2kTetxC3MAYUYmW4b6AXmlFI5jsCc5u3R6xF6PL4DkSBTPts=&kiz0=gXOMyhyi
request	GET http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
request	POST http://www.kbtcoin.store/hjdr/
request	GET http://www.kbtcoin.store/hjdr/?JoeyZNb=OwT5fv3sMTyOF+WfoJr7V4VQqd+KzZL/KnHGdxnHtEh6vKw2S4OQP3sFw22/E53lopKvyHA6/BpX1iqNoYoz3wrhxCmlsV1/FTq7bdo=&kiz0=gXOMyhyi
request	POST http://www.grandiosoyacht.com/hjdr/
request	GET http://www.grandiosoyacht.com/hjdr/?JoeyZNb=ZIVepfGD+AffZCHV3Ol2oKUOXbfpNq4HeENG2f+1jk6NDjMSW9zSeGZmFetCeOX/fHb8BZzbaKu2Gddb3M9ccYXeJy9E2DDJWKKyeEo=&kiz0=gXOMyhyi
request	POST http://www.my-bbs.com/hjdr/
request	GET http://www.my-bbs.com/hjdr/?JoeyZNb=gZwhwv+rj0JfbTlqQcvCJrahgucLKkM9Bn0g5rP7m3ePlM4d2wH7QHnXu7wnbI4S+7v4pDbRSdO7OKXzsqAdXWWFdviCngERcentyWw=&kiz0=gXOMyhyi
request	POST http://www.ketotop5reviews.com/hjdr/
request	GET http://www.ketotop5reviews.com/hjdr/?JoeyZNb=Yijs5dzIRgyLtiEm8YVKzxzJARaaz1ygyQUAo47Y9YLXxcdZabP3kXt0loAI/PeeKKlEWCnqNGNFZU2DmCnSgcsd1psmTY3qHW8m6k0=&kiz0=gXOMyhyi
request	POST http://www.morubixaba.com/hjdr/
request	GET http://www.morubixaba.com/hjdr/?JoeyZNb=64l4nBwickRj5+B55yI4aT/AdbB/zOm/2hMG5E84rPCqZYVtS3+3gGKYYg0k5NU9ycD4+LRnqZYt8h6mEz9Kk96FRyUaLOgeH1rhAn8=&kiz0=gXOMyhyi
request	POST http://www.tugrow.top/hjdr/
request	GET http://www.tugrow.top/hjdr/?JoeyZNb=2Lz3cRNcgovZAvoxkyTJJkVbnS/f0a6U88mjUIjg2Los90+Pf0cBdPH279Q+Q6Q5Wf8ziDEK77rXCjEWctJre0mQm9v094R3uDXqBk4=&kiz0=gXOMyhyi
request	POST http://www.fatimaest.com/hjdr/
request	GET http://www.fatimaest.com/hjdr/?JoeyZNb=n5l8tCTW94Gw/giJefkHUbcRETzENs4hM9d2TK2mvTwTwL/1t4K1O3bDrGWsk3Qh+CJ6/CMThOr1qV0fFyX4yPVWltqTiQZmXL1as4k=&kiz0=gXOMyhyi
request	POST http://www.amateurshow.online/hjdr/
request	GET http://www.amateurshow.online/hjdr/?JoeyZNb=xX5SVKkWhoDut3GzBaDmppnEHsg/q+4SKSfyO6xSWbIBYORImKJaBpt9iPBmVz2FT2wLfcB9Y2Q6assiK3BzS8oN8k0Uh6RuPdoxrUM=&kiz0=gXOMyhyi
request	POST http://www.selectenoil.ru/hjdr/
request	GET http://www.selectenoil.ru/hjdr/?JoeyZNb=sypAAqbL6Kbr584vXjavsMmnNbwkS+CAk00myYDn5pA6KuObmwsMPbuKx5sNOB5qiBdVaRcAgh8i/dcpaiFWtM7VI0mAReEdx1J8t80=&kiz0=gXOMyhyi

Sends data using the HTTP POST Method (10 events)

request	POST http://www.redhelpers.com/hjdr/
request	POST http://www.kbtcoin.store/hjdr/
request	POST http://www.grandiosoyacht.com/hjdr/
request	POST http://www.my-bbs.com/hjdr/
request	POST http://www.ketotop5reviews.com/hjdr/
request	POST http://www.morubixaba.com/hjdr/
request	POST http://www.tugrow.top/hjdr/
request	POST http://www.fatimaest.com/hjdr/
request	POST http://www.amateurshow.online/hjdr/
request	POST http://www.selectenoil.ru/hjdr/

Resolves a suspicious Top Level Domain (TLD) (3 events)

domain	www.selectenoil.ru	description	Russian Federation domain TLD
domain	www.tugrow.top	description	Generic top level domain TLD
domain	www.dsgdltrg.top	description	Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 18, 2023, 6:21 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2023, 6:21 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7394f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:21 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03160000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:21 p.m.	process_identifier: 2652 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsuF07C.tmp\dfxfdsscdv.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsuF07C.tmp\dfxfdsscdv.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 18, 2023, 6:21 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

162.55.60.2

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 called NtSetContextThread to modify thread in remote process 2652
NtSetContextThread July 18, 2023, 6:21 p.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4199632 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000220 process_identifier: 2652	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

20.239.76.242:80

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.tshg
MicroWorld-eScan	Gen:Variant.Babar.226047
FireEye	Generic.mg.3b08d70445120f2e
ALYac	Gen:Variant.Babar.226047
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.ins
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/Strab.e576088b
K7GW	Trojan ( 005a8b321 )
K7AntiVirus	Trojan ( 005a8b321 )
Arcabit	Trojan.Babar.D372FF
VirIT	Trojan.Win32.Genus.RZS
Cyren	W32/Injector.BOI.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.ETCT
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Babar.226047
Avast	Win32:TrojanX-gen [Trj]
Tencent	Win32.Trojan.Strab.Uimw
Emsisoft	Gen:Variant.Babar.226047 (B)
F-Secure	Trojan.TR/Injector.ncvgs
VIPRE	Gen:Variant.Babar.226047
TrendMicro	TROJ_GEN.R002C0DGE23
McAfee-GW-Edition	BehavesLike.Win32.Generic.dc
Trapmine	malicious.moderate.ml.score
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Injector
Webroot	W32.Trojan.Gen
Avira	TR/AD.Swotter.joxfo
Antiy-AVL	Trojan/Win32.Injector
Xcitium	Malware@#3rh50nozg4ga4
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Win32.Trojan.PSE.99LH14
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R587806
Acronis	suspicious
McAfee	Artemis!3B08D7044512
MAX	malware (ai score=86)
Malwarebytes	Trojan.Injector
Panda	Trj/CI.A
TrendMicro-HouseCall	TROJ_GEN.R002H0CGE23
Rising	Trojan.Injector!1.E835 (CLASSIC)
SentinelOne	Static AI - Suspicious PE
Fortinet	NSIS/Agent.DCAC!tr
AVG	Win32:TrojanX-gen [Trj]

csrssnj.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All