Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 1, 2024, 4:53 p.m.	May 1, 2024, 4:59 p.m.

Size	6.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9fb56dd5b5beb0b9c5d0102f22373c0b`
SHA256	`a65b290aa9ebfb82746cf75440c19956169f48d7dcbebafde6996c9b46039539`
CRC32	`1568AEAA`
ssdeep	`98304:YPvEbLriWEmQfgLVPn2qQniV0kSybkHXrsfM8n1TQuDFviH345nBIvgj2dKczf:SE7iWWaVP2qeiTHkbYMyTeHcNjEKczf`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

jfesawdr.exe "C:\Users\test22\AppData\Local\Temp\jfesawdr.exe"
2068
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat" "
  2156
  - work.exe work.exe -priverdD
    2224
    - podaw.exe "C:\Users\test22\AppData\Local\Temp\RarSFX1\podaw.exe"
      2308
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 1, 2024, 4:53 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 1, 2024, 4:53 p.m.	computer_name: TEST22-PC	1	1	0

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 1, 2024, 4:53 p.m.	process_identifier: 2308 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory May 1, 2024, 4:46 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000067c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX1\podaw.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\work.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\work.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX1\podaw.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\work.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX1\podaw.exe

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2156 resumed a thread in remote process 2224
NtResumeThread May 1, 2024, 4:53 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2224	1	0	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Zenpak.tsrS
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.BAT
Skyhigh	BehavesLike.Win32.Generic.vc
ALYac	Gen:Variant.Zusy.538846
Cylance	unsafe
VIPRE	Gen:Variant.Zusy.538846
Sangfor	Spyware.Win32.Starter.Vwuz
BitDefender	Trojan.GenericKD.72585566
K7GW	Trojan ( 005aad3e1 )
K7AntiVirus	Trojan ( 005aad3e1 )
Arcabit	Trojan.Generic.D453915E
Symantec	Trojan.Gen.MBT
Elastic	malicious (high confidence)
ESET-NOD32	MSIL/Spy.Agent.ETE
Avast	Win32:Malware-gen
ClamAV	Win.Dropper.njRAT-9986242-0
Kaspersky	Trojan.BAT.Starter.sc
Alibaba	Trojan:BAT/Starter.abbec195
MicroWorld-eScan	Trojan.GenericKD.72585566
Emsisoft	Trojan.GenericKD.72585566 (B)
F-Secure	Trojan.TR/Spy.Agent.jzjgo
TrendMicro	Trojan.Win32.SMOKELOADER.YXED4Z
FireEye	Generic.mg.9fb56dd5b5beb0b9
Sophos	Mal/Generic-S
Ikarus	PUA.Hidcon
Webroot	W32.Malware.Gen
Avira	TR/Spy.Agent.jzjgo
Antiy-AVL	Trojan/BAT.Starter
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Ransom.Win32.Wacatac.sa
Xcitium	Malware@#318ojo15sxvy7
Microsoft	Trojan:Win32/Znyonm
ViRobot	Trojan.Win.Z.Zusy.6401863
ZoneAlarm	Trojan.BAT.Starter.sc
GData	Trojan.GenericKD.72585566
AhnLab-V3	Trojan/Win.DCRat.R635698
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.PasswordStealer
TrendMicro-HouseCall	Trojan.Win32.SMOKELOADER.YXED4Z
Tencent	Bat.Trojan.Starter.Iflw
MAX	malware (ai score=83)
MaxSecure	Trojan.Malware.210104994.susgen
AVG	Win32:Malware-gen
Paloalto	generic.ml
alibabacloud	Trojan[spy]:MSIL/Generic.Gen

jfesawdr.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All