Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.20 01:09
setup.exe
09.20 11:09
3uTools.exe
09.20 11:09
66ecb4573225b_vsbhfdg1...
09.20 10:09
66ecb452ba19c_sfbdsgfd...
09.20 10:09
66ecb44c35444_vfdhsgdf...
09.20 10:09
66ec0e61998bf_setup30.exe
09.20 10:09
66ebf725efe38_lyla.exe
09.20 10:09
Desktop_Explorer.exe
09.20 10:09
66ec3528901bb_winupdat...
09.20 10:09
Inquiry-Dubai.js

Latest News
09.20 07:09
Sanofi’s Multiple Scle...
09.20 07:09
Dark Web Profile: Just...
09.20 07:09
[PASCON 2024-영상] 브로드컴 ...
09.20 07:09
독일 법 집행 기관 토르 브라우저(Tor...
09.20 07:09
[UPDATE] [hoch] CoreDN...
09.20 07:09
[UPDATE] [niedrig] Kub...
09.20 07:09
[UPDATE] [mittel] GNU ...
09.20 07:09
[UPDATE] [mittel] GNU ...
09.20 07:09
[UPDATE] [mittel] Fast...
09.20 07:09
[UPDATE] [hoch] GNU Em...

Summary | ZeroBOX

RaiDrive_2023.9.0_x64.exe

Gen1 Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) ASPack Antivirus UPX Malicious Packer dll BMP Format MSOffice File PE File icon PE64 OS Processor Check JPEG Format PE32 CAB DLL DllRegisterServer

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 11, 2023, 5:54 p.m.	Sept. 11, 2023, 6 p.m.

Size	16.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a523a20f9993d562a1e2761d930cc243`
SHA256	`e8c944b9a94b79f2d5a2783d1c20a555d66e6912c077a8a47617da5f0c5caa78`
CRC32	`CA23C7EF`
ssdeep	`196608:0fl0kYa0SgYavcpMFYeBL/pbtc+swO+7moMVzMvWHpxh7HxMSKoTXKsKIwiTs1v1:mRY/0GrKI7moMV4vWMSKUCsog+wx+w23`
PDB Path	C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb
Yara	Malicious_Library_Zero - Malicious_Library CAB_file_format - CAB archive file UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Antivirus - Contains references to security software IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

RaiDrive_2023.9.0_x64.exe "C:\Users\test22\AppData\Local\Temp\RaiDrive_2023.9.0_x64.exe"
2620

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 11, 2023, 5:54 p.m.	computer_name: TEST22-PC	1	1	0

This executable has a PDB path (1 event)

pdb_path

C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 11, 2023, 5:54 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 11, 2023, 5:54 p.m.	process_identifier: 2620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 11, 2023, 5:54 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72792000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 11, 2023, 5:54 p.m.	process_identifier: 2620 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05540000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 11, 2023, 5:54 p.m.	process_identifier: 2620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 11, 2023, 5:54 p.m.	process_identifier: 2620 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05c40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 11, 2023, 5:54 p.m.	process_identifier: 2620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (19 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\ total_number_of_bytes: 0		0	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\ total_number_of_bytes: 0		0	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\ total_number_of_bytes: 0		0	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13303910400 free_bytes_available: 13303910400 root_path: \\?\C:\Users\test22\AppData\Roaming\ total_number_of_bytes: 13303910400	1	1	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13303881728 free_bytes_available: 13303881728 root_path: C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94 total_number_of_bytes: 13303881728	1	1	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13302226944 free_bytes_available: 13302226944 root_path: C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94 total_number_of_bytes: 13302226944	1	1	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13302226944 free_bytes_available: 13302226944 root_path: C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94 total_number_of_bytes: 13302226944	1	1	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13302226944 free_bytes_available: 13302226944 root_path: C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94 total_number_of_bytes: 13302226944	1	1	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13300834304 free_bytes_available: 13300834304 root_path: C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94 total_number_of_bytes: 13300834304	1	1	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13300666368 free_bytes_available: 13300666368 root_path: C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94 total_number_of_bytes: 13300666368	1	1	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13300301824 free_bytes_available: 13300301824 root_path: C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94 total_number_of_bytes: 13300301824	1	1	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13300146176 free_bytes_available: 13300146176 root_path: C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94 total_number_of_bytes: 13300146176	1	1	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13293010944 free_bytes_available: 13293010944 root_path: C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94 total_number_of_bytes: 13293010944	1	1	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13289668608 free_bytes_available: 13289668608 root_path: C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94 total_number_of_bytes: 13289668608	1	1	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13289558016 free_bytes_available: 13289558016 root_path: C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94 total_number_of_bytes: 13289558016	1	1	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13289504768 free_bytes_available: 13289504768 root_path: C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94 total_number_of_bytes: 13289504768	1	1	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13289340928 free_bytes_available: 13289340928 root_path: C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94 total_number_of_bytes: 13289340928	1	1	0
GetDiskFreeSpaceExW Sept. 11, 2023, 5:54 p.m.	total_number_of_free_bytes: 13280546816 free_bytes_available: 13280546816 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceW Sept. 11, 2023, 5:54 p.m.	number_of_free_clusters: 3242321 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1	0

Creates executable files on the filesystem (14 events)

file	C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94\RaiDrive.ShellExtension.x64.dll
file	C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94\Ijwhost.dll
file	C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94\RaiDrive.dll
file	C:\Users\test22\AppData\Local\Temp\AI_EXTUI_BIN_2620\lzmaextractor.dll
file	C:\Users\test22\AppData\Local\Temp\AI_EXTUI_BIN_2620\NetFirewall.dll
file	C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94\RaiDrive_2023.9.0_x64.msi
file	C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94\RaiDrive.Service.x64.dll
file	C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94\RaiDrive.exe
file	C:\Users\test22\AppData\Local\Temp\AI_EXTUI_BIN_2620\ExternalUICleaner.dll
file	C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\1042.dll
file	C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94\CBFS6Net.dll
file	C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94\RaiDrive.Service.x64.exe
file	C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94\WebView2Loader.dll
file	C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\DCDAD94\RaiDrive.ThumbnailHandler.x64.dll

Drops an executable to the user AppData folder (7 events)

file	C:\Users\test22\AppData\Local\Temp\AI_EXTUI_BIN_2620\lzmaextractor.dll
file	C:\Users\test22\AppData\Local\Temp\MSIBD4.tmp
file	C:\Users\test22\AppData\Local\Temp\AI_EXTUI_BIN_2620\NetFirewall.dll
file	C:\Users\test22\AppData\Local\Temp\MSIF751.tmp
file	C:\Users\test22\AppData\Local\Temp\AI_EXTUI_BIN_2620\ExternalUICleaner.dll
file	C:\Users\test22\AppData\Local\Temp\MSIC23.tmp
file	C:\Users\test22\AppData\Roaming\OpenBoxLab Inc\RaiDrive 2023.9.0\install\1042.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (15 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1	0
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1	0
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1	0
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1	0
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1	0
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1	0
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1	0
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1	0
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1	0
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1	0
LookupPrivilegeValueW Sept. 11, 2023, 5:54 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1	0

One or more of the buffers contains an embedded PE file (7 events)

buffer	Buffer with sha1: c8a8f50fef2da1ff14fc05e5575d413a71ec1b59
buffer	Buffer with sha1: 4d7c6188e8511d404f396606704d7435fc6e5bdc
buffer	Buffer with sha1: 15a585735ab8b84d360c452f9a6a5dc82bc565fc
buffer	Buffer with sha1: 44df056aed0ec7bae033b8ddfa83fab11bf86f5d
buffer	Buffer with sha1: f0ee0fd1a9ff84c8cfd65226718c571eef7d9158
buffer	Buffer with sha1: e634119f736176722972231bdb38c700ff7d8d78
buffer	Buffer with sha1: a4ff08c0f5fb89d7ecfe2b9a30989a023cc66231

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Bkav	W32.Common.79D72EA8
McAfee	Artemis!A523A20F9993
VirIT	Trojan.Win32.Genus.SYR
Cyren	W32/ABRisk.GKZB-3860
Avast	Win32:Malware-gen
Zillya	Downloader.Banload.Win32.103708
McAfee-GW-Edition	Artemis
Jiangmin	Trojan.Agent.eqdq
Google	Detected
Antiy-AVL	Trojan/Win32.Agentb
Gridinsoft	Trojan.Win32.Agent.oa!s1
Rising	Trojan.Generic@AI.100 (RDML:/K0sMetBopRYQVTP4fhFtQ)
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
DeepInstinct	MALICIOUS