Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 10, 2023, 7:37 a.m.	Oct. 10, 2023, 7:39 a.m.

Size	586.1KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`4018b3beefce0db09ca018c8d99262e3`
SHA256	`2e2abfd4db12a9c2377450a9ac0fd7bc4657b235f605d1a14de3e6b5c4b65744`
CRC32	`5E7BE469`
ssdeep	`12288:aX/rNI4Lscfb85SELHgo0fxTS1EYomlp3/vQ7Pwwv4WWdcuCzgXMNRWv:aXDNI4Jw5SELHgPtS1EY7ltvQ7PPvEcI`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description)

shekinga2.1.exe "C:\Users\test22\AppData\Local\Temp\shekinga2.1.exe"
2544
- pwgzoxwn.exe "C:\Users\test22\AppData\Local\Temp\pwgzoxwn.exe"
  2632
  - pwgzoxwn.exe "C:\Users\test22\AppData\Local\Temp\pwgzoxwn.exe"
    2696

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50
sheddy1122.ddns.net	A 103.212.81.158	103.212.81.158

IP Address	Status	Action
103.212.81.158	Active	Moloch
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 103.212.81.158:6524	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49165 103.212.81.158:6524	None	None	None

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 10, 2023, 7:37 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Connects to a Dynamic DNS Domain (1 event)

domain

sheddy1122.ddns.net

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 10, 2023, 7:37 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:37 a.m.	process_identifier: 2632 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 10, 2023, 7:37 a.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\pwgzoxwn.exe
file	C:\Users\test22\AppData\Roaming\nwgclhhqav\foktpy.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\pwgzoxwn.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\pwgzoxwn.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000d000', u'virtual_address': u'0x0003a000', u'entropy': 6.9086671767484225, u'name': u'.rsrc', u'virtual_size': u'0x0000cf48'}

entropy

6.90866717675

description

A section with a high entropy has been found

entropy

0.619047619048

description

Overall entropy of this PE file is high

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iennrbb

reg_value

C:\Users\test22\AppData\Roaming\nwgclhhqav\foktpy.exe "C:\Users\test22\AppData\Local\Temp\pwgzoxwn.exe"

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2632 called NtSetContextThread to modify thread in remote process 2696
NtSetContextThread Oct. 10, 2023, 7:37 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4409661 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000f8 process_identifier: 2696	1	0	0

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
FireEye	Generic.mg.4018b3beefce0db0
Skyhigh	BehavesLike.Win32.Generic.hc
Sangfor	Trojan.Win32.Agent.Vpuy
CrowdStrike	win/malicious_confidence_90% (W)
K7GW	Trojan ( 0052eef11 )
K7AntiVirus	Trojan ( 0052eef11 )
BitDefenderTheta	Gen:NN.ZexaF.36738.jmW@aetEEwp
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Strab.gen
Avast	Win32:Evo-gen [Trj]
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
Webroot	W32.Injector.Gen
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	UDS:DangerousObject.Multi.Generic
McAfee	Artemis!4018B3BEEFCE
VBA32	BScope.Trojan.Injector
Cylance	unsafe
Rising	Trojan.Generic@AI.100 (RDML:TASy/gAfS0SoldBT3LiGKA)
Fortinet	W32/Injector.ETIY!tr
AVG	Win32:Evo-gen [Trj]
DeepInstinct	MALICIOUS

shekinga2.1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All