Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 23, 2023, 9:36 a.m.	Sept. 23, 2023, 9:43 a.m.

Size	456.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c5c64755f463c91c92f516b3214c5b37`
SHA256	`57939197bad88b1f26555826a1de37b5527483a5583745cd614aff349cb41ea4`
CRC32	`1F1C7F65`
ssdeep	`6144:2uWP/BtSnurUylcrGYlnIttxv8HbcLgsd1Gus5psdrvV44dixP+MHDkBYdxtG9+g:2uWP/BZUyoLu8Agsmxwrvejkd2`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check

rh_0.4.9rc1.exe "C:\Users\test22\AppData\Local\Temp\rh_0.4.9rc1.exe"
2552
certreq.exe "C:\Windows\system32\certreq.exe"
2732

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
94.131.112.209	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 23, 2023, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 23, 2023, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 23, 2023, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 23, 2023, 9:36 a.m.	computer_name: TEST22-PC	1	1

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 23, 2023, 9:29 a.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x76d80895 stacktrace+0x84 memdup-0x1af @ 0x73980470 hook_in_monitor+0x45 lde-0x133 @ 0x739742ea New_ntdll_RtlAddVectoredExceptionHandler+0x20 New_ntdll_RtlCompressBuffer-0xed @ 0x73996340 0x920ee 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x76d80895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 1176824 registers.rsi: 20 registers.r10: 0 registers.rbx: 1 registers.rsp: 1178848 registers.r11: 596580 registers.r8: 64 registers.r9: 4295073792 registers.rdx: 1178168 registers.r12: 599640 registers.rbp: 4295073792 registers.rdi: 4294774800 registers.rax: 1176504 registers.r13: 591256	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 23, 2023, 9:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 53248 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2023, 9:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4141056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020ad000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2023, 9:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f70000 process_handle: 0xffffffff	1

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM Win32_Processor

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 23, 2023, 9:36 a.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 28672 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003c0000 process_handle: 0xffffffff	1	0	0

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (1 event)

host

94.131.112.209

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Sept. 23, 2023, 9:36 a.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Sept. 23, 2023, 9:36 a.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.Common.FF4E5B83
Lionic	Trojan.Win32.Mansabo.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.Packed2.45463
MicroWorld-eScan	Gen:Variant.Zusy.477514
FireEye	Generic.mg.c5c64755f463c91c
McAfee	GenericRXWG-VG!C5C64755F463
Cylance	unsafe
Zillya	Trojan.Mansabo.Win32.2384
Sangfor	Trojan.Win32.Mansabo.Vz74
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/Mansabo.b4bada03
K7GW	Trojan ( 005a8ce81 )
K7AntiVirus	Trojan ( 005a8ce81 )
Arcabit	Trojan.Zusy.D7494A
VirIT	Trojan.Win32.Genus.SDD
Cyren	W32/Kryptik.KPI.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HTRB
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	Trojan.Win32.Mansabo.hqj
BitDefender	Gen:Variant.Zusy.477514
NANO-Antivirus	Trojan.Win32.Mansabo.jxjfbc
Avast	Win32:PWSX-gen [Trj]
Tencent	Malware.Win32.Gencirc.10bf0c0b
Emsisoft	Gen:Variant.Zusy.477514 (B)
F-Secure	Trojan.TR/Crypt.Agent.dkjer
VIPRE	Gen:Variant.Zusy.477514
TrendMicro	TrojanSpy.Win32.RHADAMANTHYS.YXDITZ
McAfee-GW-Edition	BehavesLike.Win32.Dropper.gm
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Crypt
Jiangmin	Trojan.Mansabo.cjo
Avira	TR/Crypt.Agent.dkjer
MAX	malware (ai score=80)
Antiy-AVL	Trojan/Win32.Kryptik
Gridinsoft	Malware.Win32.Gen.bot
Microsoft	Trojan:Win32/Mansabo.MY!MTB
ViRobot	Trojan.Win.Z.Mansabo.466944.DSJ
ZoneAlarm	Trojan.Win32.Mansabo.hqj
GData	Gen:Variant.Zusy.477514
Google	Detected
AhnLab-V3	Malware/Win.Generic.C5457006
VBA32	Trojan.Mansabo
ALYac	Gen:Variant.Zusy.477514
TACHYON	Trojan/W32.Mansabo.466944.C
Malwarebytes	Trojan.Crypt
Panda	Trj/CI.A

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (12 events)

dead_host	192.168.56.101:49171
dead_host	192.168.56.101:49170
dead_host	192.168.56.101:49167
dead_host	192.168.56.101:49169
dead_host	192.168.56.101:49166
dead_host	94.131.112.209:9856
dead_host	192.168.56.101:49168
dead_host	192.168.56.101:49165
dead_host	192.168.56.101:49164
dead_host	192.168.56.101:49174
dead_host	192.168.56.101:49173
dead_host	192.168.56.101:49172

rh_0.4.9rc1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All