Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 20, 2023, 6:08 p.m.	Oct. 20, 2023, 6:12 p.m.

Size	3.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`cb8a6ad517b3a3eeb0eb66d90cca43b6`
SHA256	`8553cea6af854981af81e294b86ae8ef9ce57d21b6201fb21fe9593f28269b8a`
CRC32	`FCC5530F`
ssdeep	`98304:q6XGIqDaV+DhRGSHmRgPPT5IsZDtpEz5bbd4:q9IqDaV0RGxyPLZ5pgdd4`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check

shareu.exe "C:\Users\test22\AppData\Local\Temp\shareu.exe"
1460
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\start.vbs"
  2172
  - cmd.exe "C:\Windows\System32\cmd.exe" /c start.bat
    2280
    - mshta.exe mshta vbscript:createobject("wscript.shell").run("rathole client.toml",0)(window.close)
      2404
      - rathole.exe "C:\Users\test22\AppData\Local\Temp\rathole.exe" client.toml
        2556
  - cmd.exe "C:\Windows\System32\cmd.exe" /c nginx.bat
    2328
    - mshta.exe mshta vbscript:createobject("wscript.shell").run("nginx.exe",0)(window.close)
      2412
      - nginx.exe "C:\Users\test22\AppData\Local\Temp\nginx.exe"
        2580

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Oct. 20, 2023, 6:09 p.m.	buffer: nginx: [emerg] bind() to 0.0.0.0:8000 failed (10013: An attempt was made to access a socket in a way forbidden by its access permissions) console_handle: 0x0000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 20, 2023, 6:09 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Foreign language identified in PE resource (19 events)

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006906c

size

0x000015a9

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006906c

size

0x000015a9

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f0d0

size

0x000001ce

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f0d0

size

0x000001ce

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f0d0

size

0x000001ce

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f0d0

size

0x000001ce

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f0d0

size

0x000001ce

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f0d0

size

0x000001ce

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f9e4

size

0x0000006a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f9e4

size

0x0000006a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f9e4

size

0x0000006a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f9e4

size

0x0000006a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f9e4

size

0x0000006a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f9e4

size

0x0000006a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f9e4

size

0x0000006a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f9e4

size

0x0000006a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f9e4

size

0x0000006a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006f9e4

size

0x0000006a

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006fa64

size

0x00000753

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Local\Temp\start.vbs
file	C:\Users\test22\AppData\Local\Temp\rathole.exe
file	C:\Users\test22\AppData\Local\Temp\start.bat
file	C:\Users\test22\AppData\Local\Temp\nginx.bat
file	C:\Users\test22\AppData\Local\Temp\nginx.exe

Creates a suspicious process (4 events)

cmdline	mshta vbscript:createobject("wscript.shell").run("rathole client.toml",0)(window.close)
cmdline	mshta vbscript:createobject("wscript.shell").run("nginx.exe",0)(window.close)
cmdline	"C:\Windows\System32\cmd.exe" /c start.bat
cmdline	"C:\Windows\System32\cmd.exe" /c nginx.bat

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 20, 2023, 6:08 p.m.	show_type: 0 filepath_r: cmd parameters: /c start.bat filepath: cmd	1	1
ShellExecuteExW Oct. 20, 2023, 6:08 p.m.	show_type: 0 filepath_r: cmd parameters: /c nginx.bat filepath: cmd	1	1
ShellExecuteExW Oct. 20, 2023, 6:09 p.m.	show_type: 0 filepath_r: rathole parameters: client.toml filepath: rathole	1	1
ShellExecuteExW Oct. 20, 2023, 6:09 p.m.	show_type: 0 filepath_r: nginx.exe parameters: filepath: nginx.exe	1	1

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00008200', u'virtual_address': u'0x00068000', u'entropy': 7.686542966370366, u'name': u'.rsrc', u'virtual_size': u'0x000081b8'}

entropy

7.68654296637

description

A section with a high entropy has been found

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c start.bat
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c nginx.bat
parent_process	wscript.exe	martian_process	cmd /c nginx.bat
parent_process	wscript.exe	martian_process	cmd /c start.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1460 resumed a thread in remote process 2172
NtResumeThread Oct. 20, 2023, 6:08 p.m.	thread_handle: 0x000002f0 suspend_count: 1 process_identifier: 2172	1	0	0

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Generic.wc
Malwarebytes	Malware.AI.638235587
Cybereason	malicious.a1cf75
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win64/Riskware.Rathole.A
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	Trojan.Win32.Runner.kyw
Rising	Hacktool.Rathole!8.18BC9 (CLOUD)
F-Secure	Trojan.TR/AD.Nekark.nutzf
FireEye	Generic.mg.cb8a6ad517b3a3ee
Sophos	Generic Reputation PUA (PUA)
SentinelOne	Static AI - Malicious PE
Avira	TR/AD.Nekark.nutzf
ZoneAlarm	Trojan.Win32.Runner.kyw
Microsoft	Trojan:Win32/Znyonm
McAfee	Artemis!CB8A6AD517B3
Cylance	unsafe
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_60% (W)

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe

shareu.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All