Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 16, 2024, 9:54 a.m.	June 16, 2024, 10:17 a.m.

Size	888.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8e4c0eeb469f011e6aea3dbd07106515`
SHA256	`624ff6d75bbbab4429dac47cee8b2f1ae95358915442021f80ded0eeb1110188`
CRC32	`6E714247`
ssdeep	`12288:2b3SYdqsagim+du0LstUe+C3r4XWSOv1kbe/7gcq6guES:K35qsDifdu0AtV+Vu7TQBS`
Yara	Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader ASPack_Zero - ASPack packed file DllRegisterServer_Zero - execute regsvr32.exe PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

163.exe "C:\Users\test22\AppData\Local\Temp\163.exe"
2548
- gdacGl.exe C:\Users\test22\AppData\Local\Temp\gdacGl.exe
  2600
  - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\0b3f65c8.bat" "
    2856
- cmd.exe /c netstat -an
  2708
  - NETSTAT.EXE netstat -an
    2768

Name	Response	Post-Analysis Lookup
ddos.dnsnb8.net	A 44.221.84.105	44.221.84.105
smtp.163.com	A 103.129.252.45 CNAME smtp163.mail.ntes53.netease.com	103.129.252.45

IP Address	Status	Action
103.129.252.45	Active	Moloch
164.124.101.2	Active	Moloch
44.221.84.105	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 103.129.252.45:25 -> 192.168.56.101:49162	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\gdacGl.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: exist "C:\Users\test22\AppData\Local\Temp\gdacGl.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: goto console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: :DELFILE console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\0b3f65c8.bat" console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

\x9cJ\xe2v\xa3u\x94

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 16, 2024, 9:54 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d2000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (50 out of 51 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106c20

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106c20

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106c20

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00107110

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00107110

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00107110

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00107110

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001097f0

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001097f0

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b4cc

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b4cc

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b4cc

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b534

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b534

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b534

size

0x00000014

Creates executable files on the filesystem (28 events)

file	C:\Users\test22\AppData\Local\Temp\53686688.exe
file	C:\Python27\Lib\distutils\command\wininst-7.1.exe
file	C:\tmptqb9ww\bin\inject-x86.exe
file	C:\Python27\Lib\site-packages\setuptools\cli-32.exe
file	C:\Program Files (x86)\Hnc\PDF80\x86\HNCE2PPRCONV80.exe
file	C:\Users\test22\AppData\Local\Temp\gdacGl.exe
file	C:\tmpuvzci8\bin\execsc.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe
file	C:\Python27\Lib\distutils\command\wininst-9.0.exe
file	C:\Python27\Lib\distutils\command\wininst-6.0.exe
file	C:\util\pafish.exe
file	C:\Users\test22\AppData\Local\Temp\310F2CC5.exe
file	C:\Python27\Lib\site-packages\setuptools\cli.exe
file	C:\Program Files\7-Zip\Uninstall.exe
file	C:\Program Files (x86)\Hnc\PDF80\x64\HNCE2PPRCONV80.exe
file	C:\Python27\Lib\site-packages\setuptools\gui-32.exe
file	C:\Users\test22\AppData\Local\Temp\24E87002.exe
file	C:\Users\test22\AppData\Local\Temp\4A4212EA.exe
file	C:\Users\test22\AppData\Local\Temp\3A65357F.exe
file	C:\Users\test22\AppData\Local\Temp\5CBF6F42.exe
file	C:\tmpuvzci8\bin\inject-x86.exe
file	C:\Users\test22\AppData\Local\Temp\0b3f65c8.bat
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file	C:\tmptqb9ww\bin\execsc.exe
file	C:\tmpuvzci8\bin\is32bit.exe
file	C:\tmptqb9ww\bin\is32bit.exe
file	C:\Python27\Lib\distutils\command\wininst-8.0.exe
file	C:\Python27\Lib\site-packages\setuptools\gui.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\0b3f65c8.bat

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\gdacGl.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 16, 2024, 9:54 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0b3f65c8.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\0b3f65c8.bat	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 16, 2024, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 16, 2024, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	netstat -an
cmdline	/c netstat -an

Makes SMTP requests, possibly sending spam (1 event)

receiver

[]

sender

[]

server

103.129.252.45

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\0b3f65c8.bat

File has been identified by 65 AntiVirus engines on VirusTotal as malicious (50 out of 65 events)

Bkav	W32.FamVT.DumpModuleInfectiousNME.PE
Lionic	Virus.Win32.Nimnul.n!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
ALYac	Win32.VJadtre.3
Cylance	Unsafe
VIPRE	Win32.VJadtre.3
Sangfor	Suspicious.Win32.Save.ins
K7AntiVirus	Virus ( 0040f7441 )
BitDefender	Win32.VJadtre.3
K7GW	Virus ( 0040f7441 )
Cybereason	malicious.b469f0
Baidu	Win32.Virus.Otwycal.d
VirIT	Win32.Nimnul.F
Symantec	W32.Wapomi.C!inf
tehtris	Generic.Malware
ESET-NOD32	Win32/Wapomi.BA
APEX	Malicious
Avast	Other:Malware-gen [Trj]
ClamAV	Win.Malware.Wapomi-10020301-0
Kaspersky	Virus.Win32.Nimnul.f
Alibaba	Trojan:Win32/Mikcer.35a
NANO-Antivirus	Trojan.Win32.Banload.cstqaj
MicroWorld-eScan	Win32.VJadtre.3
Rising	Virus.Roue!1.9E10 (CLASSIC)
Emsisoft	Application.Generic (A)
F-Secure	Malware.W32/Jadtre.B
DrWeb	BackDoor.Darkshell.246
BitDefenderTheta	AI:FileInfector.991137D00F
TrendMicro	PE_WAPOMI.BM
McAfeeD	Real Protect-LS!8E4C0EEB469F
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.8e4c0eeb469f011e
Sophos	W32/Nimnul-A
Ikarus	Trojan.Win32.Agent
Jiangmin	Win32/Nimnul.f
Google	Detected
Avira	W32/Jadtre.B
Antiy-AVL	Virus/Win32.Nimnul.f
Kingsoft	Win32.Nimnul.f.168959
Gridinsoft	Trojan.Win32.Gen.bot!i
Xcitium	Virus.Win32.Wali.KA@558nxg
Arcabit	Win32.VJadtre.3
ViRobot	Win32.Ramnit.F
ZoneAlarm	Virus.Win32.Nimnul.f
GData	Win32.Virus.Wapomi.A
Varist	W32/PatchLoad.E
AhnLab-V3	Win32/VJadtre.Gen
Acronis	suspicious
McAfee	W32/Kudj

163.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All