Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 24, 2023, 9:09 a.m.	July 24, 2023, 9:12 a.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`8d6d682cbd51a88075c184966aa0de17`
SHA256	`23c4264ba50fd5d23c28dc1d20ddff78e90fa4d80464b01a522c2acea3a47f37`
CRC32	`574CB1CE`
ssdeep	`49152:dbgVRyoQy3/CKsjkmQaHcc2AVyY17ImirKmwaOAi:d29QRpkmQC2L+72rKmG`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

install-alevrola.exe "C:\Users\test22\AppData\Local\Temp\install-alevrola.exe"
2568
- ccagent.exe C:\Users\test22\AppData\Roaming\ACommander\ccagent.exe
  2716
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 24, 2023, 9:09 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 24, 2023, 9:09 a.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 24, 2023, 9:09 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73311000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72cc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72be1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ba4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72be2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2023, 9:11 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004160000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e04000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 24, 2023, 9:09 a.m.	process_identifier: 2716 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW July 24, 2023, 9:09 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13319467008 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Roaming\ACommander\ccmain.exe
file	C:\Users\test22\AppData\Roaming\ACommander\uninstall.exe
file	C:\Users\test22\Desktop\ACommander.lnk
file	C:\Users\test22\AppData\Roaming\ACommander\ccagent.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Desktop\ACommander.lnk

Drops an executable to the user AppData folder (3 events)

file	C:\Users\test22\AppData\Roaming\ACommander\ccmain.exe
file	C:\Users\test22\AppData\Roaming\ACommander\ccagent.exe
file	C:\Users\test22\AppData\Roaming\ACommander\uninstall.exe

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ccagent.exe				reg_value	C:\Users\test22\AppData\Roaming\ACommander\ccagent.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell				reg_value	C:\Users\test22\AppData\Roaming\ACommander\ccmain.exe

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.THAfakeAntivirusJX.Heur
Lionic	Trojan.Win32.Shutdowner.l4Z2
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Fakealert.40979
ClamAV	Win.Trojan.FakeAV-638
ALYac	Trojan.Fakealert.40979
Cylance	unsafe
Sangfor	Trojan.Win32.FakeAlert.Vi26
K7AntiVirus	Trojan ( 7000000f1 )
Alibaba	AdWare:Win32/PrivacyCenter.2be7682e
K7GW	Trojan ( 7000000f1 )
Cybereason	malicious.cbd51a
VirIT	Trojan.Win32.Fakealert.WAW
Cyren	W32/FakeAlert.BI.gen!Eldorado
Symantec	PrivacyCenter
ESET-NOD32	multiple detections
APEX	Malicious
Cynet	Malicious (score: 99)
Kaspersky	UDS:Trojan.Win32.Generic
BitDefender	Trojan.Fakealert.40979
NANO-Antivirus	Trojan.Win32.FraudPack.dxibod
Avast	NSIS:FakeAV-G [Trj]
Rising	Trojan.Win32.FakeAV.boy (CLASSIC)
Emsisoft	Trojan.Fakealert.40979 (B)
F-Secure	Trojan.TR/ATRAPS.Gen
DrWeb	Trojan.Fakealert.14894
VIPRE	Trojan.Fakealert.40979
TrendMicro	Mal_FakeAV-12
McAfee-GW-Edition	BehavesLike.Win32.Dropper.tc
FireEye	Generic.mg.8d6d682cbd51a880
Sophos	Mal/FakeAV-AA
Ikarus	Rogue.Win32.PrivacyCenter
GData	Trojan.Fakealert.40979
Jiangmin	TrojanDownloader.NSIS.aa
Webroot	W32.Malware.Gen
Avira	TR/Dropper.Gen
Antiy-AVL	Trojan[Downloader]/Win32.NSIS
Gridinsoft	Rogue.Win32.Gen.bot!i
Xcitium	TrojWare.Win32.ShutDowner.NSIS@1r04e7
Arcabit	Trojan.Fakealert.DA013
SUPERAntiSpyware	Trojan.Agent/Gen-CodecFake
ZoneAlarm	HEUR:Trojan.Win32.Generic
Microsoft	Rogue:Win32/PrivacyCenter
Google	Detected
AhnLab-V3	Trojan/Win.Fraudpack.R420421
McAfee	Artemis!8D6D682CBD51
MAX	malware (ai score=100)
VBA32	TScope.Trojan.Delf
Malwarebytes	Rogue.Installer
Panda	Trj/CI.A

install-alevrola.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All