Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 14, 2023, 7:13 p.m.	Sept. 14, 2023, 7:16 p.m.

Size	360.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`03e76b7a2245db6a2b342dae3fb3c7ed`
SHA256	`314b0463e6de6de56467f023dd2ddbf799d883e2e65552ddf2b87f607eedc5ae`
CRC32	`734F5182`
ssdeep	`6144:/Ya62mLcoET7vzuevY/XCOkFwUnUkYYD0k5LIb93y71avPgVIqVow:/YYmQTzwRgw9HYD7LIb9CBavP3u`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer PE_Header_Zero - PE File Signature IsPE32 - (no description)

file.exe "C:\Users\test22\AppData\Local\Temp\file.exe"
1552
- zglacgebdr.exe "C:\Users\test22\AppData\Local\Temp\zglacgebdr.exe"
  2120
  - zglacgebdr.exe "C:\Users\test22\AppData\Local\Temp\zglacgebdr.exe"
    2192
msdt.exe "C:\Windows\SysWOW64\msdt.exe"
2256
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2728

Name	Response	Post-Analysis Lookup
www.ourservicesx.com	A 216.40.34.41	216.40.34.41
www.uoymtum.top	A 154.195.192.150	154.195.192.150
www.perros.click	CNAME perros.click A 204.93.224.69	204.93.224.69
www.qbiclesapp.com	A 74.208.236.47	74.208.236.47
www.secondwindwhisky.com	A 202.124.241.178	202.124.241.178
www.zacoin.xyz	A 203.161.62.123	203.161.62.123
www.a2slhfz002.cfd	A 43.129.73.215	43.129.73.215
www.ssongg10317.cfd	A 43.129.73.215	43.129.73.215
www.sportsstump.com	A 204.11.56.48	204.11.56.48
www.weddingkikywahyu.cloud	CNAME weddingkikywahyu.cloud A 103.147.154.191	103.147.154.191
www.sqlite.org	A 45.33.6.223	45.33.6.223
www.scweiwei.fun	A 8.217.92.5 CNAME 0827.93cu.com	8.217.92.5

IP Address	Status	Action
103.147.154.191	Active	Moloch
154.195.192.150	Active	Moloch
164.124.101.2	Active	Moloch
202.124.241.178	Active	Moloch
203.161.62.123	Active	Moloch
204.11.56.48	Active	Moloch
204.93.224.69	Active	Moloch
216.40.34.41	Active	Moloch
43.129.73.215	Active	Moloch
45.33.6.223	Active	Moloch
74.208.236.47	Active	Moloch
8.217.92.5	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49186 -> 154.195.192.150:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 154.195.192.150:80 -> 192.168.56.103:49187	2036300	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1	Misc activity
TCP 154.195.192.150:80 -> 192.168.56.103:49187	2036301	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2	Misc activity
TCP 154.195.192.150:80 -> 192.168.56.103:49187	2036302	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3	Misc activity
UDP 192.168.56.103:64530 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 154.195.192.150:80 -> 192.168.56.103:49186	2036300	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1	Misc activity
TCP 154.195.192.150:80 -> 192.168.56.103:49186	2036301	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2	Misc activity
TCP 154.195.192.150:80 -> 192.168.56.103:49186	2036302	ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3	Misc activity

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 14, 2023, 7:13 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Performs some HTTP requests (25 events)

request	POST http://www.sportsstump.com/nni2/
request	GET http://www.sportsstump.com/nni2/?wVaFz=l2UoVUXo95P1GT/RE8xPTifpnRTZjyM1/g+kOsSpuHT2u5208My7uqCCHUYfdsUOJgRZsnP2d1M1kh4S5YE8X1HKDXPv2YawtJW+M8k=&rFpf=v5EZSg1b
request	GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
request	GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
request	GET http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip
request	GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip
request	POST http://www.qbiclesapp.com/nni2/
request	GET http://www.qbiclesapp.com/nni2/?wVaFz=89LDaTsiZkWzd6gBV/21YNss+loVkFgZyXtDk/To0g48YA4bmacR/nAcvw/iGyK9pGJZNFi3c6NMdTKl/KVE0RS2UouuZLpiOCgaIhw=&rFpf=v5EZSg1b
request	POST http://www.zacoin.xyz/nni2/
request	GET http://www.zacoin.xyz/nni2/?wVaFz=sEFiLqOedu/Wr2Ot5yMkULrI82x+CMUFE+lSd++47bIhnRj+aidEbvZf0eRfm3yE4+S9M7OB3uE7pHgmNV2F4X8ZbIt6yxM4AAqD9XQ=&rFpf=v5EZSg1b
request	POST http://www.weddingkikywahyu.cloud/nni2/
request	GET http://www.weddingkikywahyu.cloud/nni2/?wVaFz=9NQOr4MgaB3QZsh67axLq221v81JL3P8NGpuGwYrar4dBnQ5QwJrSGL/Mo/1JjKIu/3sZn42wzGuDzn79426Sxt+w4mPhUJbed/wsfk=&rFpf=v5EZSg1b
request	POST http://www.ourservicesx.com/nni2/
request	GET http://www.ourservicesx.com/nni2/?wVaFz=Vmxsufmpf7lWWHKJQxTcHNQ9FvHyTKCO2xLDeRSHdLkcaQSVI8GmcShxskGRFwjBPY+wXGC2XVe+XqNqvykXbiRBWrk84BVZWlKRCkc=&rFpf=v5EZSg1b
request	GET http://www.perros.click/nni2/?wVaFz=CgGaY7AKLHjcZH/QkZFeNrmZ2j1K6An8c91X6ul2a3GMUcgHLmQMb4EPAJw1rkiyfFhz/DclXPrQiX2q8+M1ovriq2Knf9L4oCSoy7A=&rFpf=v5EZSg1b
request	POST http://www.uoymtum.top/nni2/
request	GET http://www.uoymtum.top/nni2/?wVaFz=6hwNmoFD3gu2karW4UjxJLXra3L5nvtyfkuGMYXP45p47zdK12BMBVJx6mGUcuj8/so2luMFngoRGONVzhxB2cGubbnSElaRbnuC+fk=&rFpf=v5EZSg1b
request	POST http://www.a2slhfz002.cfd/nni2/
request	GET http://www.a2slhfz002.cfd/nni2/?wVaFz=PSvA3LudvCkxGNFtf3im+GyDEtekXWx/rZxXbXG+gtP+N/ZqV1fm1RPMxr3lo74SJu+WpKrZHbvbK5KUKLhiLDXSos/z69KiZj9df6U=&rFpf=v5EZSg1b
request	POST http://www.secondwindwhisky.com/nni2/
request	GET http://www.secondwindwhisky.com/nni2/?wVaFz=iKfRW1ciXt50TglUdGfeOsRj4BDIH2Q5WnzwQWJpewrGhKsSH8s9ZX9/ReZgFTHgc1oUzYXB4Woca1suDXsEYfgrcX9xxz1qvJ3wN9A=&rFpf=v5EZSg1b
request	POST http://www.ssongg10317.cfd/nni2/
request	GET http://www.ssongg10317.cfd/nni2/?wVaFz=ZhBTXwYBEkQY8Pa3tyDPGuCcpBILLjftdAAA3Aemihk9RwTdGCtr0bJSRWWnaiHnvNXnRueg102nb1PHjszQEedxfXplu99+XBKTN5c=&rFpf=v5EZSg1b
request	POST http://www.scweiwei.fun/nni2/
request	GET http://www.scweiwei.fun/nni2/?wVaFz=llEYww2d3nZRJACIEPqGszpestC9fn29o7B3rbQDSq7MpQ7pmzNhgfKHy9IMAn0ze6ynChqTu+whvvhz2OQiiYNX/EdtT8Vy8qfPt/U=&rFpf=v5EZSg1b

Sends data using the HTTP POST Method (10 events)

request	POST http://www.sportsstump.com/nni2/
request	POST http://www.qbiclesapp.com/nni2/
request	POST http://www.zacoin.xyz/nni2/
request	POST http://www.weddingkikywahyu.cloud/nni2/
request	POST http://www.ourservicesx.com/nni2/
request	POST http://www.uoymtum.top/nni2/
request	POST http://www.a2slhfz002.cfd/nni2/
request	POST http://www.secondwindwhisky.com/nni2/
request	POST http://www.ssongg10317.cfd/nni2/
request	POST http://www.scweiwei.fun/nni2/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.uoymtum.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 14, 2023, 7:13 p.m.	process_identifier: 2120 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:13 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:13 p.m.	process_identifier: 2192 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2023, 7:14 p.m.	process_identifier: 2256 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\zglacgebdr.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\zglacgebdr.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\zglacgebdr.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 14, 2023, 7:13 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 14, 2023, 7:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2120 called NtSetContextThread to modify thread in remote process 2192
NtSetContextThread Sept. 14, 2023, 7:13 p.m.	registers.eip: 2005598660 registers.esp: 3537188 registers.edi: 0 registers.eax: 4199808 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000fc process_identifier: 2192	1	0	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
DrWeb	Trojan.Inject4.61039
MicroWorld-eScan	Gen:Variant.Jaik.176195
FireEye	Generic.mg.03e76b7a2245db6a
McAfee	Artemis!03E76B7A2245
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.ins
Cybereason	malicious.26cb8c
Arcabit	Trojan.Jaik.D2B043
BitDefenderTheta	Gen:NN.ZexaF.36662.kuW@aWB!Cmci
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Strab.gen
BitDefender	Gen:Variant.Jaik.176195
Avast	Win32:TrojanX-gen [Trj]
Emsisoft	Gen:Variant.Jaik.176195 (B)
McAfee-GW-Edition	BehavesLike.Win32.RealProtect.fc
Trapmine	malicious.moderate.ml.score
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Injector
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/FormBook.AFB!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Jaik.176195
Google	Detected
AhnLab-V3	Trojan/Win.Generic.R585815
MAX	malware (ai score=84)
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/GdSda.A
Rising	Trojan.Generic@AI.92 (RDML:79WrWMkV0f23MW4W/y94Yg)
SentinelOne	Static AI - Suspicious PE
Fortinet	NSIS/Injector.ETGJ!tr
AVG	Win32:TrojanX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

file.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All