Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 11, 2023, 4:16 p.m.	Nov. 11, 2023, 4:18 p.m.

Size	597.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`6cf234dc5736dd648ea27662e2efa934`
SHA256	`06ad6fc49422d1360b84a4744d25317e5ee3a88868ff8487f975582b499ddfda`
CRC32	`D37D8BD8`
ssdeep	`12288:/Zib/imtY10IdkuLhJzoucUOgOCFegVCYQspOhU05B6JzrT4:/Zibi0Y1L3Lz6xrLdYQsUz`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file

MyBot.exe "C:\Users\test22\AppData\Local\Temp\MyBot.exe"
1156
- relog.exe C:\Windows\system32\relog.exe
  2104

Name	Response	Post-Analysis Lookup
blmceii.xyz	A 213.226.100.83	213.226.100.83

IP Address	Status	Action
164.124.101.2	Active	Moloch
213.226.100.83	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameA Nov. 11, 2023, 4:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 11, 2023, 4:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 11, 2023, 4:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2023, 4:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 11, 2023, 4:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 11, 2023, 4:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2023, 4:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 11, 2023, 4:10 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 11, 2023, 4:09 p.m.			0	0
IsDebuggerPresent Nov. 11, 2023, 4:09 p.m.			0	0
IsDebuggerPresent Nov. 11, 2023, 4:09 p.m.			0	0
IsDebuggerPresent Nov. 11, 2023, 4:09 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 11, 2023, 4:09 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 11, 2023, 4:09 p.m.	stacktrace: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x777840f2 EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77784736 RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77785942 RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x777875f4 RtlIsDosDeviceName_U+0x1420f NtdllDialogWndProc_A-0x1a55d ntdll+0x6dc8f @ 0x7772dc8f HeapFree+0xa BaseSetLastNTError-0x16 kernel32+0x2307a @ 0x76fe307a mybot+0x638e0 @ 0x1400638e0 mybot+0x885a5 @ 0x1400885a5 mybot+0x62c84 @ 0x140062c84 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00 exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 exception.instruction: jmp 0x777840f4 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 803058 exception.address: 0x777840f2 registers.r14: 0 registers.r15: 0 registers.rcx: 1241088 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1245152 registers.r11: 646 registers.r8: 1869758580595003636 registers.r9: 1507733606 registers.rdx: 2004857936 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 2003630202 registers.r13: 0	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (3 events)

Time & API	Arguments	Status	Return
bind Nov. 11, 2023, 4:10 p.m.	ip_address: 127.0.0.1 socket: 664 port: 0	1	0
listen Nov. 11, 2023, 4:10 p.m.	socket: 664 backlog: 1	1	0
accept Nov. 11, 2023, 4:10 p.m.	ip_address: socket: 664 port: 0	1	736

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header				suspicious_request	POST http://blmceii.xyz/cbot/blista.php
suspicious_features	POST method with no referer header, POST method with no useragent header				suspicious_request	POST http://blmceii.xyz/cbot/collector.php

Performs some HTTP requests (2 events)

request	POST http://blmceii.xyz/cbot/blista.php
request	POST http://blmceii.xyz/cbot/collector.php

Sends data using the HTTP POST Method (2 events)

request	POST http://blmceii.xyz/cbot/blista.php
request	POST http://blmceii.xyz/cbot/collector.php

A process attempted to delay the analysis task. (1 event)

description

relog.exe tried to sleep 153 seconds, actually delayed analysis time by 153 seconds

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Nov. 11, 2023, 4:09 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Systemservices\Winserv.exe filepath: C:\Users\test22\AppData\Local\Systemservices\Winserv.exe	1	1	0

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM Win32_Processor

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00094e00', u'virtual_address': u'0x000df000', u'entropy': 7.999580649441448, u'name': u'.rdata', u'virtual_size': u'0x00095000'}

entropy

7.99958064944

description

A section with a high entropy has been found

entropy

0.999161073826

description

Overall entropy of this PE file is high

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: b2f67b73c35459c3823b9f7d1159a0215d2f13fe

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\07717ltc

reg_value

C:\Users\test22\AppData\Local\Systemservices\Winserv.exe

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 11, 2023, 4:09 p.m.	buffer: @ base_address: 0x000007fffffdc010 process_identifier: 2104 process_handle: 0x00000000000000e0	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1156 called NtSetContextThread to modify thread in remote process 2104
NtSetContextThread Nov. 11, 2023, 4:09 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5370229184 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 0 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 0 registers.rdx: 8796092874752 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000000e4 process_identifier: 2104	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1156 resumed a thread in remote process 2104
NtResumeThread Nov. 11, 2023, 4:09 p.m.	thread_handle: 0x00000000000000e4 suspend_count: 1 process_identifier: 2104	1	0	0

Executed a process and injected code into it, probably while unpacking (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 11, 2023, 4:09 p.m.	thread_identifier: 2108 thread_handle: 0x00000000000000e4 process_identifier: 2104 current_directory: filepath: track: 1 command_line: C:\Windows\system32\relog.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x00000000000000e0	1	1
NtMapViewOfSection Nov. 11, 2023, 4:09 p.m.	section_handle: 0x00000000000000d4 process_identifier: 2104 commit_size: 0 win32_protect: 2 (PAGE_READONLY) buffer: base_address: 0x0000000140000000 allocation_type: 0 () section_offset: 0 view_size: 1527808 process_handle: 0x00000000000000e0	1	0
NtGetContextThread Nov. 11, 2023, 4:09 p.m.	thread_handle: 0x00000000000000e4	1	0
NtSetContextThread Nov. 11, 2023, 4:09 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 5370229184 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 0 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 0 registers.rdx: 8796092874752 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x00000000000000e4 process_identifier: 2104	1	0
NtGetContextThread Nov. 11, 2023, 4:09 p.m.	thread_handle: 0x00000000000000e4	1	0
WriteProcessMemory Nov. 11, 2023, 4:09 p.m.	buffer: @ base_address: 0x000007fffffdc010 process_identifier: 2104 process_handle: 0x00000000000000e0	1	1
NtResumeThread Nov. 11, 2023, 4:09 p.m.	thread_handle: 0x00000000000000e4 suspend_count: 1 process_identifier: 2104	1	0

MyBot.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All