Summary | ZeroBOX

pass1234_setup.7z

KeyLogger PWS Escalate privileges AntiVM AntiDebug
Category: FILE
Machine: s1_win7_x6402
Started: Aug. 17, 2023, 3:55 p.m.
Completed: Aug. 17, 2023, 3:58 p.m.
Size: 5.8MB
Type: 7-zip archive data, version 0.4
MD5: 8155b0ec79e7e80cdab9b7fbdfac1a4c
SHA256: 2705b1a4187b9b8a96e51383543f308673db76ee39cb417fa67cf639d6c27594
CRC32: F76B6A59
ssdeep: 98304:2J9uf43ddxJJpN6X8R/sAdMyiGKbMXCkBiIebydDignl8Y1t++U0Tb1BFjyNGqUI:2J9usdxJQsR/sASyipYC0jzdD8Y1t++k
Yara: None matched

IP Address Status Action

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1 return: 1 repeated: 0
domain iplis.ru description Russian Federation domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74002000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737e3000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
domain ipinfo.io
file C:\Users\test22\AppData\Local\Temp\7zE4982FBFA\File.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
status: 1 return: 1 repeated: 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
status: 1 return: 1 repeated: 0
description Escalate privileges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Run a KeyLogger rule KeyLogger