Summary | ZeroBOX

ZBzdymFh.bat

Suspicious_Script_Bin Malicious Library Downloader HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Http API persistence FTP Socket Escalate priviledges DNS Code injection PWS Sniff Audio Steal credential AntiDebug PE File AntiVM PE32
Category Machine Started Completed
FILE s1_win7_x6402 Oct. 7, 2023, 2:45 p.m. Oct. 7, 2023, 2:48 p.m.
Size 13.5KB
Type ASCII text, with CRLF line terminators
MD5 44fbd58c401a7786da2e8b6a6291379e
SHA256 d8b47727ea05305ad396977b336c3bfc86ae122cdde01976fa9b0c3a7c2d3f24
CRC32 B49D9752
ssdeep 192:vOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:vVODaDSHMql3yqlxy5L1xcjwrlz3
Yara None matched

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x0000000f
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75736d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x757377c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7573788a
DialogBoxIndirectParamW+0x20a DialogBoxIndirectParamAorW-0x57 user32+0x3cdfd @ 0x7575cdfd
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7575cf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7578f73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7578fa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7578fb1f
New_user32_MessageBoxTimeoutW@24+0x5e New_user32_RegisterHotKey@16-0x159 @ 0x745276de
MessageBoxTimeoutA+0x76 MessageBoxIndirectA-0x33 user32+0x6fb9e @ 0x7578fb9e
New_user32_MessageBoxTimeoutA@24+0x137 New_user32_MessageBoxTimeoutW@24-0x80 @ 0x74527600
MessageBoxExA+0x1b MessageBoxExW-0x9 user32+0x6fcf1 @ 0x7578fcf1
MessageBoxA+0x18 MessageBoxW-0x9 user32+0x6fd36 @ 0x7578fd36
memz+0x1479 @ 0x1121479
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x740369a8
registers.esp: 4519088
registers.edi: 0
registers.eax: 1946380712
registers.ebp: 4519128
registers.edx: 0
registers.ebx: 0
registers.esi: 1946380712
registers.ecx: 7343464
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742f2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 296
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03750000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1236
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000075b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74383000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\MEMZ.exe
file C:\Users\test22\AppData\Local\Temp\x.js
file C:\Users\test22\AppData\Roaming\MEMZ.exe
url http://pcoptimizerpro.com
url http://google.co.ck/search?q=batch
url http://google.co.ck/search?q=best
url http://google.co.ck/search?q=bonzi
url http://google.co.ck/search?q=g3t
url http://google.co.ck/search?q=stanky
url http://google.co.ck/search?q=virus
url http://google.co.ck/search?q=mcafee
url http://google.co.ck/search?q=the
url http://google.co.ck/search?q=virus.exe
url http://google.co.ck/search?q=internet
url http://google.co.ck/search?q=facebook
url http://google.co.ck/search?q=what
url http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
url http://google.co.ck/search?q=my
url http://google.co.ck/search?q=vinesauce
url http://google.co.ck/search?q=half
url http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
url http://google.co.ck/search?q=john
url http://google.co.ck/search?q=skrillex
url http://google.co.ck/search?q=minecraft
url http://google.co.ck/search?q=montage
url http://softonic.com
url http://google.co.ck/search?q=how
url http://play.clubpenguin.com
url http://google.co.ck/search?q=dank
url http://google.co.ck/search?q=is
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Install itself for autorun at Windows startup rule Persistence
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
file C:\Users\test22\AppData\Roaming\MEMZ.exe
Process injection Process 2200 resumed a thread in remote process 1628
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000084
suspend_count: 0
process_identifier: 1628
1 0 0
Lionic Trojan.BAT.Memz.4!c
CAT-QuickHeal BAT.Agent.FS
McAfee BAT/Dropper.e
Sangfor Trojan.Generic-BAT.Save.6fddfff7
Arcabit Generic.Zmem.1.A4BD8DA5
Cyren BAT/Agent.AGE
Symantec Trojan.Gen.MBT
ESET-NOD32 BAT/TrojanDropper.Agent.NCY
Avast Other:Malware-gen [Trj]
Cynet Malicious (score: 99)
Kaspersky Trojan.BAT.Memz.b
BitDefender Generic.Zmem.1.A4BD8DA5
NANO-Antivirus Trojan.Script.Dropper.hkfymg
MicroWorld-eScan Generic.Zmem.1.A4BD8DA5
Tencent Unk.Win32.Script.403928
Emsisoft Trojan.Memz (A)
F-Secure Malware.HTML/ExpKit.Gen2
DrWeb Trojan.KillAll.143
VIPRE Generic.Zmem.1.A4BD8DA5
McAfee-GW-Edition BAT/Dropper.e
FireEye Generic.Zmem.1.A4BD8DA5
Sophos Troj/BatDrp-AA
Ikarus Trojan-Dropper.BAT.Agent
Jiangmin Trojan.BAT.Memz.a
Avira HTML/ExpKit.Gen2
Kingsoft Script.Ks.Malware.17099
Xcitium Malware@#10ov8inbnn3yr
Microsoft TrojanDropper:BAT/Starter.G!MSR
ZoneAlarm Trojan.BAT.Memz.b
GData Generic.Zmem.1.A4BD8DA5
Google Detected
ALYac Generic.Zmem.1.A4BD8DA5
Rising Dropper.Agent/BAT!1.CE50 (CLASSIC)
MAX malware (ai score=84)
Fortinet BAT/Agent.NCY!tr
AVG Other:Malware-gen [Trj]