Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 4, 2024, 4:39 p.m.	Feb. 4, 2024, 5:11 p.m.

Size	3.3MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`353a3b4d65ce9168817e09d5090b2afa`
SHA256	`db6db1a60def0b16630069bcb9d354a963a6758966dd08dd54c07b8509ddd5d1`
CRC32	`FE2EE409`
ssdeep	`49152:iu5voq9yqVHncEylouiXCvkHDHxj9fc7wwIxHuAkXX9dSq:iu5vPVHnfyNiXCvKDHxj90VVXX9dL`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

probeDLLnocry-crypted.exe "C:\Users\test22\AppData\Local\Temp\probeDLLnocry-crypted.exe"
660
- RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  932

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
212.224.86.223	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 4, 2024, 4:39 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0xdab80 registers.esp: 2227608 registers.edi: 0 registers.eax: 1971270584 registers.ebp: 2227616 registers.edx: 895872 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Potentially malicious URLs were found in the process memory dump (10 events)

url	https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
url	http://freedns.afraid.org/api/?action=getdyndns
url	https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
url	http://xred.site50.net/syn/SSLLibrary.dll
url	https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ
url	https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk
url	http://xred.site50.net/syn/SUpdate.ini
url	https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
url	https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk
url	http://xred.site50.net/syn/Synaptics.rar

Yara rule detected in process memory (20 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications smtp	rule	network_smtp_raw
description	Communications over SSL	rule	Network_SSL
description	Communications use DNS	rule	Network_DNS
description	Communications DynDns network	rule	Network_DynDns
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (1 event)

host

212.224.86.223

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Feb. 4, 2024, 4:39 p.m.	process_identifier: 932 region_size: 905216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00220000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000b4	1	0	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Feb. 4, 2024, 4:39 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bà Ð« ° @Ð @ B(ÆP ©@ !@ CODEì `DATAT.° 0 @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc©P ªþ @P.rsrc(ÆÈ¨ @P¶@P base_address: 0x00220000 process_identifier: 932 process_handle: 0x000000b4	1	1
WriteProcessMemory Feb. 4, 2024, 4:39 p.m.	buffer: 0J0JÄ°I@JSynaptics Pointing Device Driver base_address: 0x002c4000 process_identifier: 932 process_handle: 0x000000b4	1	1
WriteProcessMemory Feb. 4, 2024, 4:39 p.m.	buffer: " base_address: 0x7efde008 process_identifier: 932 process_handle: 0x000000b4	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Feb. 4, 2024, 4:39 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bà Ð« ° @Ð @ B(ÆP ©@ !@ CODEì `DATAT.° 0 @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc©P ªþ @P.rsrc(ÆÈ¨ @P¶@P base_address: 0x00220000 process_identifier: 932 process_handle: 0x000000b4	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 660 called NtSetContextThread to modify thread in remote process 932
NtSetContextThread Feb. 4, 2024, 4:39 p.m.	registers.eip: 2005598660 registers.esp: 2227708 registers.edi: 0 registers.eax: 2861952 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000b0 process_identifier: 932	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 660 resumed a thread in remote process 932
NtResumeThread Feb. 4, 2024, 4:39 p.m.	thread_handle: 0x000000b0 suspend_count: 1 process_identifier: 932	1	0	0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Feb. 4, 2024, 4:39 p.m.	ordinal: 0 function_address: 0x001310f8 function_name: wine_get_version module: ntdll module_address: 0x778a0000		3221225785	0

Executed a process and injected code into it, probably while unpacking (15 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Feb. 4, 2024, 4:39 p.m.	thread_identifier: 1740 thread_handle: 0x000000b0 process_identifier: 932 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000b4	1	1
NtGetContextThread Feb. 4, 2024, 4:39 p.m.	thread_handle: 0x000000b0	1	0
NtAllocateVirtualMemory Feb. 4, 2024, 4:39 p.m.	process_identifier: 932 region_size: 905216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00220000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000b4	1	0
WriteProcessMemory Feb. 4, 2024, 4:39 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^Bà Ð« ° @Ð @ B(ÆP ©@ !@ CODEì `DATAT.° 0 @ÀBSSåà Ð À.idataB* ,Ð @À.tls0 ü À.rdata9@ ü @P.reloc©P ªþ @P.rsrc(ÆÈ¨ @P¶@P base_address: 0x00220000 process_identifier: 932 process_handle: 0x000000b4	1	1
WriteProcessMemory Feb. 4, 2024, 4:39 p.m.	buffer: base_address: 0x00221000 process_identifier: 932 process_handle: 0x000000b4	1	1
WriteProcessMemory Feb. 4, 2024, 4:39 p.m.	buffer: base_address: 0x002bb000 process_identifier: 932 process_handle: 0x000000b4	1	1
WriteProcessMemory Feb. 4, 2024, 4:39 p.m.	buffer: base_address: 0x002be000 process_identifier: 932 process_handle: 0x000000b4		0
WriteProcessMemory Feb. 4, 2024, 4:39 p.m.	buffer: base_address: 0x002c0000 process_identifier: 932 process_handle: 0x000000b4	1	1
WriteProcessMemory Feb. 4, 2024, 4:39 p.m.	buffer: base_address: 0x002c3000 process_identifier: 932 process_handle: 0x000000b4		0
WriteProcessMemory Feb. 4, 2024, 4:39 p.m.	buffer: 0J0JÄ°I@JSynaptics Pointing Device Driver base_address: 0x002c4000 process_identifier: 932 process_handle: 0x000000b4	1	1
WriteProcessMemory Feb. 4, 2024, 4:39 p.m.	buffer: base_address: 0x002c5000 process_identifier: 932 process_handle: 0x000000b4	1	1
WriteProcessMemory Feb. 4, 2024, 4:39 p.m.	buffer: base_address: 0x002d0000 process_identifier: 932 process_handle: 0x000000b4	1	1
WriteProcessMemory Feb. 4, 2024, 4:39 p.m.	buffer: " base_address: 0x7efde008 process_identifier: 932 process_handle: 0x000000b4	1	1
NtSetContextThread Feb. 4, 2024, 4:39 p.m.	registers.eip: 2005598660 registers.esp: 2227708 registers.edi: 0 registers.eax: 2861952 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000b0 process_identifier: 932	1	0
NtResumeThread Feb. 4, 2024, 4:39 p.m.	thread_handle: 0x000000b0 suspend_count: 1 process_identifier: 932	1	0

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Lionic	Trojan.Win32.Stealerium.i!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojanpws.Stealerium
Skyhigh	BehavesLike.Win32.AdwareDealPly.wh
ALYac	Gen:Variant.Fugrafa.308622
Cylance	unsafe
VIPRE	Gen:Variant.Midie.143087
Sangfor	Infostealer.Win32.Stealerium.Vmxd
BitDefender	Gen:Variant.Midie.143087
Cybereason	malicious.1b1ef2
Arcabit	Trojan.Midie.D22EEF
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Generik.EPPXSCD
McAfee	Artemis!353A3B4D65CE
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.Win32.Stealerium.gen
Alibaba	TrojanPSW:Win32/Stealerium.015dcf7d
MicroWorld-eScan	Gen:Variant.Midie.143087
Rising	Trojan.Generic@AI.98 (RDML:GPCktXWxgrmobBBALH4oqQ)
Emsisoft	Gen:Variant.Midie.143087 (B)
F-Secure	Trojan.TR/AD.Nekark.xrzwi
DrWeb	Trojan.Inject5.2016
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.353a3b4d65ce9168
Sophos	Mal/Generic-S
Ikarus	Trojan.SuspectCRC
Google	Detected
Avira	TR/AD.Nekark.xrzwi
MAX	malware (ai score=84)
Antiy-AVL	Trojan[PSW]/Win32.Stealerium
Kingsoft	Win32.Trojan-PSW.Stealerium.gen
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/Casdet!rfn
ViRobot	Trojan.Win.Z.Fugrafa.3429888
ZoneAlarm	HEUR:Trojan-PSW.Win32.Stealerium.gen
GData	Gen:Variant.Midie.143087
AhnLab-V3	Trojan/Win.Injection.C5582587
BitDefenderTheta	Gen:NN.ZelphiF.36744.rVW@aqrh@Wo
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Inject
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R014H09B224
Tencent	Malware.Win32.Gencirc.13ff9ee3
Fortinet	W32/PossibleThreat
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (W)

probeDLLnocry-crypted.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All