Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
07.04 10:07
moon.txt.exe
07.04 10:07
okeydookietrational.tx...
07.04 10:07
streamer.exe
07.04 10:07
file_2n4kbwex.dbr.txt.ps1
07.04 09:07
file_5jjhn5s1.zo4.txt.ps1
07.04 09:07
file_iet2mvl3.idw.txt.ps1
07.04 09:07
file_01ntx0mv.bfk.txt.ps1
07.04 09:07
new-image_v.jpg.exe
07.04 09:07
file_xmomibuj.x4j.txt.ps1
07.04 09:07
ORES.txt.exe

Latest News
07.04 10:07
[부고] 제이커넥트 이기복 대표 모친상
07.04 10:07
New Open SSH Vulnerabi...
07.04 09:07
WordPress User Enumera...
07.04 08:07
Smashing Security podc...
07.04 07:07
ECMAScript 2024 JavaSc...
07.04 07:07
The AI Fix #5: An angr...
07.04 07:07
It’s Time For Lawmaker...
07.04 07:07
Securing Supply Chains...
07.04 07:07
Emulating the Sabotage...
07.04 07:07
Threat Hunting Worksho...

Summary | ZeroBOX

setup.rar

KeyLogger PWS Escalate priviledges AntiVM AntiDebug

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 3, 2023, 5:35 p.m.	Nov. 3, 2023, 5:37 p.m.

Size	30.4MB
Type	RAR archive data, v5
MD5	`d7b36686b22ecf8da8c34bf6d55ad331`
SHA256	`9ccaee42c525cbfa332db514830fa41ac78f0da4f8bd6e7b94574cff5e508822`
CRC32	`3AF59954`
ssdeep	`786432:TB6Iwor817zo6k+RLEx4kbFoFgj7BOey2AjcmdysuF:lHLg17zoKoxNAgjVOIodysuF`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "wAgnfPhXuGjM" C:\Users\test22\AppData\Local\Temp\setup.rar
3040
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\setup.rar"
  2228

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 61.111.58.35 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 61.111.58.34	23.67.53.17
ironhost.io	A 104.21.57.237 A 172.67.193.129	172.67.193.129

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.193.129	Active	Moloch
208.67.104.60	Active	Moloch
61.111.58.34	Active	Moloch
91.92.243.151	Active	Moloch
94.142.138.113	Active	Moloch
94.142.138.131	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49180 -> 91.92.243.151:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49181 -> 172.67.193.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49181 172.67.193.129:443	C=US, O=Let's Encrypt, CN=E1	CN=ironhost.io	bf:96:55:fe:92:31:2c:3b:86:d9:a5:21:ac:2a:4c:b7:56:b7:9e:19

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 3, 2023, 5:35 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 3, 2023, 5:35 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://91.92.243.151/api/tracemap.php

Performs some HTTP requests (2 events)

request	GET http://91.92.243.151/api/tracemap.php
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 3, 2023, 5:35 p.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74002000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 3, 2023, 5:35 p.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x721c3000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (13 events)

file	C:\Users\test22\AppData\Local\Temp\7zE4B879236\Templates\RenoirCore.WindowsDesktop — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE4B879236\Setup.exe
file	C:\Users\test22\AppData\Local\Temp\7zE4B879236\Templates\lgc_api — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE4B879236\Templates\RenoirCore.WindowsDesktop.dll
file	C:\Users\test22\AppData\Local\Temp\7zE4B879236\Templates\aadtb — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE4B879236\Templates\vivoxsdk.dll
file	C:\Users\test22\AppData\Local\Temp\7zE4B879236\Templates\lgc_api.dll
file	C:\Users\test22\AppData\Local\Temp\7zE4B879236\Templates\vivoxsdk — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE4B879236\Templates\ResIL — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE4B879236\Templates\dbghelp — копия.dll
file	C:\Users\test22\AppData\Local\Temp\7zE4B879236\Templates\dbghelp.dll
file	C:\Users\test22\AppData\Local\Temp\7zE4B879236\Templates\ResIL.dll
file	C:\Users\test22\AppData\Local\Temp\7zE4B879236\Templates\aadtb.dll

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 3, 2023, 5:35 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW Nov. 3, 2023, 5:35 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Escalate priviledges				rule	Escalate_priviledges
description	PWS Memory				rule	Generic_PWS_Memory_Zero
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep
description	Run a KeyLogger				rule	KeyLogger

Communicates with host for which no DNS query was performed (4 events)

host	208.67.104.60
host	91.92.243.151
host	94.142.138.113
host	94.142.138.131

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	208.67.104.60:80
dead_host	192.168.56.102:49183