Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 16, 2024, 9:54 a.m.	June 16, 2024, 10:28 a.m.

Size	888.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`777396c8d1529dad186a2e954ab9a40c`
SHA256	`78dce046c6d8027465335ac9b06d7ae1667a8e08b011543166582cd2593f80b7`
CRC32	`0FD8AEA8`
ssdeep	`12288:Y5lnzYdqsagim+du0LstUe+C3r4XWSOv1kbe/7gcq6gubS:2lOqsDifdu0AtV+Vu7TQqS`
Yara	Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader ASPack_Zero - ASPack packed file DllRegisterServer_Zero - execute regsvr32.exe PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

12121212121.exe "C:\Users\test22\AppData\Local\Temp\12121212121.exe"
792
- xnFztA.exe C:\Users\test22\AppData\Local\Temp\xnFztA.exe
  2068
  - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\19ac3a07.bat" "
    2316
- cmd.exe /c netstat -an
  2188
  - NETSTAT.EXE netstat -an
    2248

Name	Response	Post-Analysis Lookup
ddos.dnsnb8.net	A 44.221.84.105	44.221.84.105
smtp.163.com	A 103.129.252.45 CNAME smtp163.mail.ntes53.netease.com	103.129.252.45

IP Address	Status	Action
103.129.252.45	Active	Moloch
164.124.101.2	Active	Moloch
44.221.84.105	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 103.129.252.45:25 -> 192.168.56.103:49162	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\xnFztA.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: exist "C:\Users\test22\AppData\Local\Temp\xnFztA.exe" console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: goto console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: :DELFILE console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: del console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: "C:\Users\test22\AppData\Local\Temp\19ac3a07.bat" console_handle: 0x00000007	1	1
WriteConsoleW June 16, 2024, 9:54 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

\x93J\xec\xb9\xa3uZ

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TEXTINCLUDE

Foreign language identified in PE resource (50 out of 51 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106c20

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106c20

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00106c20

size

0x00000151

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00107110

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00107110

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00107110

size

0x000000b4

name

RT_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00107110

size

0x000000b4

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00108818

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001097f0

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001097f0

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010aa38

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b480

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b4cc

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b4cc

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b4cc

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b534

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b534

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0010b534

size

0x00000014

Creates executable files on the filesystem (35 events)

file	C:\Users\test22\AppData\Local\Temp\12DF765D.exe
file	C:\Users\test22\AppData\Local\Temp\2F5934A0.exe
file	C:\Users\test22\AppData\Local\Temp\7D6230E0.exe
file	C:\Program Files (x86)\7-Zip\7zFM.exe
file	C:\Python27\Lib\distutils\command\wininst-7.1.exe
file	C:\tmpvmqcut\bin\inject-x86.exe
file	C:\Python27\Lib\site-packages\setuptools\cli-32.exe
file	C:\Program Files (x86)\Hnc\PDF80\x86\HNCE2PPRCONV80.exe
file	C:\tmp6o6lvv\bin\execsc.exe
file	C:\Program Files\7-Zip\Uninstall.exe
file	C:\Users\test22\AppData\Local\Temp\740C2826.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\t32.exe
file	C:\Users\test22\AppData\Local\Temp\06B9399A.exe
file	C:\Python27\Lib\site-packages\pip\_vendor\distlib\w32.exe
file	C:\Program Files (x86)\7-Zip\7z.exe
file	C:\Python27\Lib\distutils\command\wininst-6.0.exe
file	C:\Users\test22\AppData\Local\Temp\19ac3a07.bat
file	C:\util\pafish.exe
file	C:\Python27\Lib\distutils\command\wininst-9.0.exe
file	C:\Python27\Lib\site-packages\setuptools\cli.exe
file	C:\tmp6o6lvv\bin\inject-x86.exe
file	C:\Program Files (x86)\7-Zip\7zG.exe
file	C:\Program Files (x86)\Hnc\PDF80\x64\HNCE2PPRCONV80.exe
file	C:\Python27\Lib\site-packages\setuptools\gui-32.exe
file	C:\Users\test22\AppData\Local\Temp\5B09771D.exe
file	C:\Users\test22\AppData\Local\Temp\4BD372E3.exe
file	C:\Users\test22\AppData\Local\Temp\38B03D5A.exe
file	C:\tmpvmqcut\bin\is32bit.exe
file	C:\tmp6o6lvv\bin\is32bit.exe
file	C:\Users\test22\AppData\Local\Temp\26032BE6.exe
file	C:\tmpvmqcut\bin\execsc.exe
file	C:\Python27\Lib\distutils\command\wininst-8.0.exe
file	C:\Program Files (x86)\7-Zip\Uninstall.exe
file	C:\Python27\Lib\site-packages\setuptools\gui.exe
file	C:\Users\test22\AppData\Local\Temp\xnFztA.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\19ac3a07.bat

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\xnFztA.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 16, 2024, 9:54 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\19ac3a07.bat parameters: filepath: C:\Users\test22\AppData\Local\Temp\19ac3a07.bat	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 16, 2024, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 16, 2024, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	netstat -an
cmdline	/c netstat -an

Makes SMTP requests, possibly sending spam (1 event)

receiver

[]

sender

[]

server

103.129.252.45

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.FamVT.DumpModuleInfectiousNME.PE
Lionic	Virus.Win32.Nimnul.n!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.ch
ALYac	Win32.VJadtre.3
Cylance	Unsafe
VIPRE	Win32.VJadtre.3
Sangfor	Suspicious.Win32.Save.ins
K7AntiVirus	Virus ( 0040f7441 )
Alibaba	Trojan:Win32/Mikcer.35a
K7GW	Virus ( 0040f7441 )
Cybereason	malicious.8d1529
BitDefenderTheta	AI:FileInfector.991137D00F
Symantec	W32.Wapomi.C!inf
tehtris	Generic.Malware
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Wapomi-10020301-0
BitDefender	Trojan.GenericKD.73138525
NANO-Antivirus	Trojan.Win32.Banload.cstqaj
MicroWorld-eScan	Trojan.GenericKD.73138525
Emsisoft	Application.Generic (A)
F-Secure	Malware.W32/Jadtre.B
DrWeb	BackDoor.Darkshell.246
McAfeeD	Real Protect-LS!777396C8D152
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.777396c8d1529dad
Sophos	W32/Nimnul-A
Ikarus	Trojan.Win32.Agent
Jiangmin	Win32/Nimnul.f
Google	Detected
Avira	W32/Jadtre.B
MAX	malware (ai score=88)
Antiy-AVL	Virus/Win32.Nimnul.f
Kingsoft	Win32.Nimnul.f.168959
Gridinsoft	Trojan.Win32.Gen.bot!i
Xcitium	Virus.Win32.Wali.KA@558nxg
Arcabit	Trojan.Generic.D45C015D
ViRobot	Win32.Ramnit.F
ZoneAlarm	Virus.Win32.Nimnul.f
Varist	W32/PatchLoad.E
AhnLab-V3	Win32/VJadtre.Gen
Acronis	suspicious
TACHYON	Virus/W32.Ramnit.C
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	PE_WAPOMI.BM
Tencent	Virus.Win32.Nimnul.ka

12121212121.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All