Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 22, 2024, 11:48 a.m.	Feb. 22, 2024, 11:52 a.m.

Size	3.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`75484c429d668b95a287bde3ebb46fc8`
SHA256	`ec36ebae6ef6f254f20c4a444c17db05be30a0acbbaf33f5f568608a38452d7c`
CRC32	`874150E2`
ssdeep	`49152:kqSp+PMNVDyr1xqLjhZzYhiSwMmNnuwYN1GCJZZ6ev3EHbfUFr6P:kZp+kLD4TqLjfLFCDJZZnEMFWP`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format OS_Processor_Check_Zero - OS Processor Check

RuntimeBroker.exe "C:\Users\test22\AppData\Local\Temp\RuntimeBroker.exe"
1440

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
89.39.107.226	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 89.39.107.226:21 -> 192.168.56.103:49164	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didata

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 22, 2024, 11:48 a.m.	stacktrace: @@Unit2@Finalize+0xb32d8 ___setRaiseListFuncAddr-0x2822c8 runtimebroker+0xc16f8 @ 0xb716f8 @@Unit2@Finalize+0xb32d8 ___setRaiseListFuncAddr-0x2822c8 runtimebroker+0xc16f8 @ 0xb716f8 @@Unit2@Finalize+0x1f907e ___setRaiseListFuncAddr-0x13c522 runtimebroker+0x20749e @ 0xcb749e @@Unit2@Finalize+0xc73fe ___setRaiseListFuncAddr-0x26e1a2 runtimebroker+0xd581e @ 0xb8581e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a @@Unit2@Finalize+0x25b308 ___setRaiseListFuncAddr-0xda298 runtimebroker+0x269728 @ 0xd19728 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 3399300 registers.edi: 3405264 registers.eax: 3399300 registers.ebp: 3399380 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 7	1	0	0
__exception__ Feb. 22, 2024, 11:48 a.m.	stacktrace: @@Unit2@Finalize+0x314bdf ___setRaiseListFuncAddr-0x209c1 runtimebroker+0x322fff @ 0xdd2fff @@Unit2@Finalize+0x2dc95a ___setRaiseListFuncAddr-0x58c46 runtimebroker+0x2ead7a @ 0xd9ad7a @@Unit2@Finalize+0x315aaf ___setRaiseListFuncAddr-0x1faf1 runtimebroker+0x323ecf @ 0xdd3ecf @@Unit2@Finalize+0x2f4fb5 ___setRaiseListFuncAddr-0x405eb runtimebroker+0x3033d5 @ 0xdb33d5 @@Unit2@Finalize+0x315a1a ___setRaiseListFuncAddr-0x1fb86 runtimebroker+0x323e3a @ 0xdd3e3a @@Unit2@Finalize+0x315b14 ___setRaiseListFuncAddr-0x1fa8c runtimebroker+0x323f34 @ 0xdd3f34 @@Unit2@Finalize+0x2f27d3 ___setRaiseListFuncAddr-0x42dcd runtimebroker+0x300bf3 @ 0xdb0bf3 @@Unit2@Finalize+0x2eede8 ___setRaiseListFuncAddr-0x467b8 runtimebroker+0x2fd208 @ 0xdad208 __dbk_fcall_wrapper+0x7a88 @$xp$6TForm2-0x3648 runtimebroker+0xad90 @ 0xabad90 @@Unit2@Finalize+0x1f907e ___setRaiseListFuncAddr-0x13c522 runtimebroker+0x20749e @ 0xcb749e @@Unit2@Finalize+0xc73fe ___setRaiseListFuncAddr-0x26e1a2 runtimebroker+0xd581e @ 0xb8581e gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a @@Unit2@Finalize+0x25b308 ___setRaiseListFuncAddr-0xda298 runtimebroker+0x269728 @ 0xd19728 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 3398788 registers.edi: 36562864 registers.eax: 3398788 registers.ebp: 3398868 registers.edx: 0 registers.ebx: 37044496 registers.esi: 1 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Feb. 22, 2024, 11:48 a.m.

stacktrace:

@@Unit2@Finalize+0xb32d8 ___setRaiseListFuncAddr-0x2822c8 runtimebroker+0xc16f8 @ 0xb716f8
@@Unit2@Finalize+0xb32d8 ___setRaiseListFuncAddr-0x2822c8 runtimebroker+0xc16f8 @ 0xb716f8
@@Unit2@Finalize+0x1f907e ___setRaiseListFuncAddr-0x13c522 runtimebroker+0x20749e @ 0xcb749e
@@Unit2@Finalize+0xc73fe ___setRaiseListFuncAddr-0x26e1a2 runtimebroker+0xd581e @ 0xb8581e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
@@Unit2@Finalize+0x25b308 ___setRaiseListFuncAddr-0xda298 runtimebroker+0x269728 @ 0xd19728

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 3399300
registers.edi: 3405264
registers.eax: 3399300
registers.ebp: 3399380
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 7

__exception__

Feb. 22, 2024, 11:48 a.m.

stacktrace:

@@Unit2@Finalize+0x314bdf ___setRaiseListFuncAddr-0x209c1 runtimebroker+0x322fff @ 0xdd2fff
@@Unit2@Finalize+0x2dc95a ___setRaiseListFuncAddr-0x58c46 runtimebroker+0x2ead7a @ 0xd9ad7a
@@Unit2@Finalize+0x315aaf ___setRaiseListFuncAddr-0x1faf1 runtimebroker+0x323ecf @ 0xdd3ecf
@@Unit2@Finalize+0x2f4fb5 ___setRaiseListFuncAddr-0x405eb runtimebroker+0x3033d5 @ 0xdb33d5
@@Unit2@Finalize+0x315a1a ___setRaiseListFuncAddr-0x1fb86 runtimebroker+0x323e3a @ 0xdd3e3a
@@Unit2@Finalize+0x315b14 ___setRaiseListFuncAddr-0x1fa8c runtimebroker+0x323f34 @ 0xdd3f34
@@Unit2@Finalize+0x2f27d3 ___setRaiseListFuncAddr-0x42dcd runtimebroker+0x300bf3 @ 0xdb0bf3
@@Unit2@Finalize+0x2eede8 ___setRaiseListFuncAddr-0x467b8 runtimebroker+0x2fd208 @ 0xdad208
__dbk_fcall_wrapper+0x7a88 @$xp$6TForm2-0x3648 runtimebroker+0xad90 @ 0xabad90
@@Unit2@Finalize+0x1f907e ___setRaiseListFuncAddr-0x13c522 runtimebroker+0x20749e @ 0xcb749e
@@Unit2@Finalize+0xc73fe ___setRaiseListFuncAddr-0x26e1a2 runtimebroker+0xd581e @ 0xb8581e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755f62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755f77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755f788a
@@Unit2@Finalize+0x25b308 ___setRaiseListFuncAddr-0xda298 runtimebroker+0x269728 @ 0xd19728

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 3398788
registers.edi: 36562864
registers.eax: 3398788
registers.ebp: 3398868
registers.edx: 0
registers.ebx: 37044496
registers.esi: 1
registers.ecx: 7

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://89.39.107.226/?connect=try
suspicious_features	Connection to IP address	suspicious_request	GET http://89.39.107.226/?connect=try&action=refresh
suspicious_features	Connection to IP address	suspicious_request	GET http://89.39.107.226/?connect=logs&data=LAUNCH

Performs some HTTP requests (3 events)

request	GET http://89.39.107.226/?connect=try
request	GET http://89.39.107.226/?connect=try&action=refresh
request	GET http://89.39.107.226/?connect=logs&data=LAUNCH

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Feb. 22, 2024, 11:48 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

89.39.107.226

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Feb. 22, 2024, 11:48 a.m.	ordinal: 0 function_address: 0x00ab2dd4 function_name: wine_get_version module: ntdll module_address: 0x778a0000		3221225785	0

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.Common.EB145FE2
Lionic	Trojan.Win32.Stealer.12!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Dropper.wh
ALYac	Gen:Variant.Strictor.286924
Cylance	unsafe
VIPRE	Gen:Variant.Strictor.286924
Sangfor	Downloader.Win32.Agent.V8dd
K7AntiVirus	Trojan-Downloader ( 005b0a0d1 )
BitDefender	Trojan.GenericKD.71727775
K7GW	Trojan-Downloader ( 005b0a0d1 )
Arcabit	Trojan.Strictor.D460CC
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/TrojanDownloader.Agent.HLS
McAfee	Artemis!75484C429D66
Avast	Win32:DropperX-gen [Drp]
Kaspersky	Trojan-Spy.Win32.Stealer.fbob
Alibaba	TrojanSpy:Win32/Stealer.06351304
MicroWorld-eScan	Trojan.GenericKD.71727775
Rising	Stealer.Agent!8.C2 (TFE:5:bLHpRFEdQiL)
Emsisoft	Trojan.GenericKD.71727775 (B)
F-Secure	Trojan.TR/Dldr.Agent.gujqj
TrendMicro	TROJ_GEN.R002C0XAL24
FireEye	Generic.mg.75484c429d668b95
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win32.Agent
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Dldr.Agent.gujqj
MAX	malware (ai score=86)
Antiy-AVL	Trojan[Spy]/Win32.Stealer
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Win32.Downloader.cl
Xcitium	Malware@#1oes9mcdwsmah
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	Trojan-Spy.Win32.Stealer.fbob
GData	Trojan.GenericKD.71727775
Varist	W32/ABRisk.EDTB-8334
AhnLab-V3	Trojan/Win.Generic.R627333
BitDefenderTheta	Gen:NN.ZexaF.36744.XN0@aWNhUYci
DeepInstinct	MALICIOUS
VBA32	suspected of Trojan.Downloader.gen
Malwarebytes	Trojan.Crypt
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0XAL24
Tencent	Malware.Win32.Gencirc.13fda0e1
Yandex	TrojanSpy.Stealer!YPOPBlWAx+k
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:DropperX-gen [Drp]

RuntimeBroker.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All