Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 11, 2023, 6:06 p.m.	Sept. 11, 2023, 6:09 p.m.

Size	339.9KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`e99e9e9e9e864b38fc75f29b54771c86`
SHA256	`f6f14e614582f94e97f29dc96c69fa61767fd2f6bf5798ad96a7e3c34f189db7`
CRC32	`F2572838`
ssdeep	`6144:/Ya6LnWEpx6RA6WMbDBBITWgu1I9Nt2M1KGJbsp8Yv5scXsT4Yr/M3/Nvbnpn:/YRf/KDsTWggI9Ntf1KPys2Fedjpn`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer PE_Header_Zero - PE File Signature IsPE32 - (no description)

Outstanding Balance Invoice.exe "C:\Users\test22\AppData\Local\Temp\Outstanding Balance Invoice.exe"
1636
- fxvvha.exe "C:\Users\test22\AppData\Local\Temp\fxvvha.exe"
  2192
  - fxvvha.exe "C:\Users\test22\AppData\Local\Temp\fxvvha.exe"
    1376

Name	Response	Post-Analysis Lookup
www.houtaijiaju.com	A 206.237.167.5	206.237.167.5
www.ronikonmet.online	A 194.58.112.174	194.58.112.174
www.ozu-sushi.com	A 199.59.243.224	199.59.243.224
www.admiralx-qjff.buzz	A 172.67.172.5 A 104.21.79.241	172.67.172.5
www.saintprojetdesalers.com	A 103.224.182.252	103.224.182.252
www.innovativefewsustra.com	A 199.21.76.77	199.21.76.77
www.aboutmart.info	A 66.29.149.4	66.29.149.4
www.hummall.com	A 192.187.101.110 CNAME hummall.com	192.187.101.110
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
103.224.182.252	Active	Moloch
164.124.101.2	Active	Moloch
172.67.172.5	Active	Moloch
192.187.101.110	Active	Moloch
194.58.112.174	Active	Moloch
199.21.76.77	Active	Moloch
199.59.243.224	Active	Moloch
206.237.167.5	Active	Moloch
45.33.6.223	Active	Moloch
66.29.149.4	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49182 -> 172.67.172.5:80	2032991	ET INFO HTTP Request to a *.buzz domain	Potentially Bad Traffic
TCP 192.168.56.102:49180 -> 172.67.172.5:80	2032991	ET INFO HTTP Request to a *.buzz domain	Potentially Bad Traffic
TCP 192.168.56.102:49181 -> 172.67.172.5:80	2032991	ET INFO HTTP Request to a *.buzz domain	Potentially Bad Traffic
TCP 199.21.76.77:80 -> 192.168.56.102:49185	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 11, 2023, 6:06 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Performs some HTTP requests (17 events)

request	POST http://www.houtaijiaju.com/stcf/
request	GET http://www.houtaijiaju.com/stcf/?RMuHL=1dqEu7FqG0Fk44M2SsORztBhqeVPz5dcffezXnqN6lUv5lMi6TOQp3fd1b+R5p9IBvl5i/IMrCH65j4DnfcQMtwjHinribTwYdLVWxQ=&J8=1fA1FL4
request	GET http://www.sqlite.org/2021/sqlite-dll-win32-x86-3340000.zip
request	GET http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip
request	POST http://www.saintprojetdesalers.com/stcf/
request	GET http://www.saintprojetdesalers.com/stcf/?RMuHL=+e/LxL8BCb5JT2mwgKzbp1bNGh3lgePyU3D6l90SLvlYtUAerZBoaAu+StBCYI+EmdbaVLlpQ9qQs+tY0i0hLe/6ntyVXpS6CIyxXlk=&J8=1fA1FL4
request	POST http://www.ronikonmet.online/stcf/
request	GET http://www.ronikonmet.online/stcf/?RMuHL=uecC1YIjKds5pfO1EToES15TCdBTvi7vIYoUJgTFy6qDYT2nEUgo5MyoghBmj6FTuqUN6uVJE1bE0H4aXubCPUG1zI5pjeamkbBuCmA=&J8=1fA1FL4
request	POST http://www.hummall.com/stcf/
request	GET http://www.hummall.com/stcf/?RMuHL=Nk5K1Xbn5LNktyygdQF3BnmJ+burJ+ny2OkZcNPXdwEtJdOtq79vPWmp/B6BaLcWj3tVzmTo+5PqGZIC/UTM1vSFnsb91g1hVUGRl4c=&J8=1fA1FL4
request	POST http://www.admiralx-qjff.buzz/stcf/
request	GET http://www.admiralx-qjff.buzz/stcf/?RMuHL=/cN5NAnYyQNGkv6VI4g5hCl6zLANo+Uxyk0R0Gf4W9JvbRZK1NaF3DJOi9LLfoZAma38Eec3ft5h7udphOb57G+0pUhbPZipWhAdHO0=&J8=1fA1FL4
request	POST http://www.innovativefewsustra.com/stcf/
request	GET http://www.innovativefewsustra.com/stcf/?RMuHL=KMOD9sTNx2YSpovUrRJUEzn1Yx0Z43DK6JEh/zvUzYRR0vvq/o2vdjVBrU8HPW3QMgYOZkgxf1P3X+8HybL4wtlflHnPghnD15Ngsf8=&J8=1fA1FL4
request	POST http://www.aboutmart.info/stcf/
request	GET http://www.aboutmart.info/stcf/?RMuHL=U3Hdzf4+NthdwoRpHnYAtQn3xNbqAVbGixRD45JbkQ2tjCPrd668asZ32u/Z/WUAQbK0mo64IDMrfMoRJRydMFx21uDMy5x8Dc/xGxo=&J8=1fA1FL4
request	POST http://www.ozu-sushi.com/stcf/

Sends data using the HTTP POST Method (8 events)

request	POST http://www.houtaijiaju.com/stcf/
request	POST http://www.saintprojetdesalers.com/stcf/
request	POST http://www.ronikonmet.online/stcf/
request	POST http://www.hummall.com/stcf/
request	POST http://www.admiralx-qjff.buzz/stcf/
request	POST http://www.innovativefewsustra.com/stcf/
request	POST http://www.aboutmart.info/stcf/
request	POST http://www.ozu-sushi.com/stcf/

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 11, 2023, 6:06 p.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2023, 6:06 p.m.	process_identifier: 2192 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2023, 6:06 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 11, 2023, 6:06 p.m.	process_identifier: 1376 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\fxvvha.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\fxvvha.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\fxvvha.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 11, 2023, 6:06 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2192 called NtSetContextThread to modify thread in remote process 1376
NtSetContextThread Sept. 11, 2023, 6:06 p.m.	registers.eip: 2001207748 registers.esp: 3341248 registers.edi: 0 registers.eax: 4199904 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000dc process_identifier: 1376	1	0	0

Creates known Upatre files, registry keys and/or mutexes (1 event)

file	C:\Users\test22\AppData\Local\Temp\Outstanding Balance Invoice.exe

Generates some ICMP traffic

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.Garf.Gen.7
FireEye	Generic.mg.e99e9e9e9e864b38
ALYac	Trojan.NSISX.Spy.Gen.24
Sangfor	Suspicious.Win32.Save.ins
CrowdStrike	win/malicious_confidence_100% (D)
Arcabit	Trojan.Garf.Gen.7 [many]
BitDefenderTheta	Gen:NN.ZexaF.36662.juW@aWmTnjoi
Cyren	W32/Ninjector.JO.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	VHO:Trojan.Win32.Strab.gen
BitDefender	Trojan.Garf.Gen.7
Avast	FileRepMalware [Trj]
Emsisoft	Trojan.Garf.Gen.7 (B)
VIPRE	Trojan.Garf.Gen.7
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
Trapmine	malicious.moderate.ml.score
Sophos	Generic ML PUA (PUA)
Ikarus	Trojan.Win32.Injector
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
ZoneAlarm	VHO:Trojan.Win32.Strab.gen
GData	Trojan.NSISX.Spy.Gen.24
Google	Detected
AhnLab-V3	Infostealer/Win.Generic.R572994
MAX	malware (ai score=81)
VBA32	BScope.Trojan.Strab
Rising	Trojan.Generic@AI.98 (RDML:Idko+9gJybsg4ebDRN6Ppg)
SentinelOne	Static AI - Suspicious PE
Fortinet	NSIS/Injector.ETGJ!tr
AVG	FileRepMalware [Trj]
DeepInstinct	MALICIOUS

Outstanding Balance Invoice.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All