Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 2, 2024, 6:38 p.m.	March 2, 2024, 6:41 p.m.

Size	293.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`83c6f7d8026e3b966329e8c39a2c9e73`
SHA256	`d963392aa3f2cfe80e55734fdb2e7db55b99309935031e6c7a034cca62ffd3c9`
CRC32	`2DEBC70F`
ssdeep	`3072:D3Q9NpCJxUNtjipXFi+PlZlKG6ZEhGFUx+3Ynlhs34jljeLnCQS:DmNMUNdiyoKcwxIwASA`
PDB Path	C:\Users\Administrator\Documents\Work\DemProject\Output\Loader\Release\Loader_Release_Win32.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

laryyyyy.exe "C:\Users\test22\AppData\Local\Temp\laryyyyy.exe"
2536
- cmd.exe cmd /c "C:\Users\test22\AppData\Roaming\Demm\launch.bat"
  2692
  - PING.EXE ping -n 2 127.0.0.1
    2752
  - client.exe "C:\Users\test22\AppData\Roaming\Demm\client.exe"
    2812

Name	Response	Post-Analysis Lookup
jelepenorocks.com	A 54.39.152.114	54.39.152.114

IP Address	Status	Action
164.124.101.2	Active	Moloch
54.39.152.114	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 2, 2024, 6:39 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 2, 2024, 6:38 p.m.			0	0
IsDebuggerPresent March 2, 2024, 6:38 p.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 2, 2024, 6:38 p.m.	buffer: C:\Users\test22\AppData\Roaming\Demm> console_handle: 0x00000007	1	1
WriteConsoleW March 2, 2024, 6:38 p.m.	buffer: ping console_handle: 0x00000007	1	1
WriteConsoleW March 2, 2024, 6:38 p.m.	buffer: -n 2 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleW March 2, 2024, 6:38 p.m.	buffer: nul console_handle: 0x00000007	1	1
WriteConsoleW March 2, 2024, 6:38 p.m.	buffer: C:\Users\test22\AppData\Roaming\Demm> console_handle: 0x00000007	1	1
WriteConsoleW March 2, 2024, 6:38 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW March 2, 2024, 6:38 p.m.	buffer: "" "C:\Users\test22\AppData\Roaming\Demm\client.exe" console_handle: 0x00000007	1	1
WriteConsoleW March 2, 2024, 6:39 p.m.	buffer: C:\Users\test22\AppData\Roaming\Demm> console_handle: 0x00000007	1	1
WriteConsoleW March 2, 2024, 6:39 p.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW March 2, 2024, 6:39 p.m.	buffer: "C:\Users\test22\AppData\Roaming\Demm\launch.bat" console_handle: 0x00000007	1	1
WriteConsoleW March 2, 2024, 6:39 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Documents\Work\DemProject\Output\Loader\Release\Loader_Release_Win32.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 2, 2024, 6:38 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 2, 2024, 6:38 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory March 2, 2024, 6:38 p.m.	process_identifier: 2812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\Demm\client.exe
file	C:\Users\test22\AppData\Roaming\Demm\curl.exe
file	C:\Users\test22\AppData\Roaming\Demm\launch.bat

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Roaming\Demm\launch.bat
file	C:\Users\test22\AppData\Roaming\Demm\client.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\Demm\curl.exe

Yara rule detected in process memory (32 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping -n 2 127.0.0.1

Connects to an IRC server, possibly part of a botnet

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2692 resumed a thread in remote process 2812
NtResumeThread March 2, 2024, 6:39 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2812	1	0	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Lionic	Trojan.Win32.Agentb.X!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.NetLoader.dh
ALYac	Gen:Variant.Jaik.146768
Cylance	unsafe
VIPRE	Gen:Variant.Jaik.146768
Sangfor	Trojan.Win32.Agent.Vdsj
BitDefender	Gen:Variant.Jaik.146768
Arcabit	Trojan.Jaik.D23D50
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.HNR
McAfee	Artemis!83C6F7D8026E
Kaspersky	HEUR:Trojan.Win32.Agentb.gen
Alibaba	TrojanDownloader:Win32/Generic.2b68bae0
MicroWorld-eScan	Gen:Variant.Jaik.146768
Emsisoft	Gen:Variant.Jaik.146768 (B)
F-Secure	Trojan.TR/Dldr.Agent.ffafq
TrendMicro	Trojan.Win32.AMADEY.YXEB3Z
FireEye	Gen:Variant.Jaik.146768
Sophos	Mal/Generic-S
Ikarus	Trojan-Downloader.Win32.Agent
Webroot	W32.Malware.Gen
Google	Detected
Avira	TR/Dldr.Agent.ffafq
MAX	malware (ai score=87)
Antiy-AVL	Trojan/Win32.Phonzy
Kingsoft	Win32.Trojan.Agentb.a
Gridinsoft	Trojan.Win32.Agent.sa
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	HEUR:Trojan.Win32.Agentb.gen
GData	Gen:Variant.Jaik.146768
BitDefenderTheta	Gen:NN.ZexaE.36744.suW@aK5ZIjii
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Crypt
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXEB3Z
Fortinet	W32/PossibleThreat
CrowdStrike	win/malicious_confidence_100% (W)

laryyyyy.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All