Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 27, 2024, 10:07 a.m.	June 27, 2024, 10:15 a.m.

Size	250.0B
Type	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, corrupted section header size
MD5	`48cc44c908f2b564daf679a93a7259b6`
SHA256	`9112ce1aac1c03ad109d47b834bd8784eb939ee2900ec993707771b0307f8a13`
CRC32	`58D13E42`
ssdeep	`6:BnX//In8/r1uBxHocmTWzQ3RQdygg5XJYD:BvwncrAH3m6I532D`
Yara	IsELF - Executable and Linking Format executable file (Linux/Unix)

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "PBAB" C:\Users\test22\AppData\Local\Temp\payload.bin
2576
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\payload.bin
  2708
  - editplus.exe "editplus.exe"
    2856
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 27, 2024, 10:07 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 27, 2024, 10:07 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 27, 2024, 10:07 a.m.			0	0
IsDebuggerPresent June 27, 2024, 10:07 a.m.			0	0

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	c:\program files\mozilla firefox\firefox.exe

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 27, 2024, 10:07 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2024, 10:07 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2024, 10:07 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2024, 10:07 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d74000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2024, 10:07 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2024, 10:07 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73be1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2024, 10:07 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73431000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2024, 10:07 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2024, 10:07 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2024, 10:07 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2024, 10:07 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74161000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 27, 2024, 10:07 a.m.	process_identifier: 2708 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b71000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2024, 10:09 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 27, 2024, 10:07 a.m.	process_identifier: 2856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732c2000 process_handle: 0xffffffff	1

Creates a shortcut to an executable file (14 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 27, 2024, 10:07 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 27, 2024, 10:07 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 27, 2024, 10:07 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 27, 2024, 10:07 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 27, 2024, 10:07 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 27, 2024, 10:07 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 27, 2024, 10:07 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 27, 2024, 10:07 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\Capabilities\FileAssociations

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Lionic	Trojan.Linux.Shellcode.m!c
Cynet	Malicious (score: 99)
Skyhigh	GenericRXHZ-SR!48CC44C908F2
McAfee	GenericRXHZ-SR!48CC44C908F2
VIPRE	Generic.Linux.Shellcode.A.A72EC1BD
Sangfor	Backdoor.ELF.Save.Metasploit
K7GW	NetWorm ( 0040f1e71 )
Arcabit	Generic.Linux.Shellcode.A.A72EC1BD
Symantec	Trojan.Gen.NPE
Elastic	Linux.Trojan.Metasploit
ESET-NOD32	a variant of Linux/Shellcode.EA
TrendMicro-HouseCall	TROJ_GEN.R014C0DEP24
Avast	ELF:ShellCode-EG [Trj]
ClamAV	Unix.Backdoor.Msfvenom-10012672-0
Kaspersky	Backdoor.Linux.RevShell.c
BitDefender	Generic.Linux.Shellcode.A.A72EC1BD
MicroWorld-eScan	Generic.Linux.Shellcode.A.A72EC1BD
Rising	Backdoor.ConnectBack/Linux!8.1353F (TFE:17:sFgboxio2HV)
Emsisoft	Generic.Linux.Shellcode.A.A72EC1BD (B)
F-Secure	Malware.LINUX/AVI.ShellCode.kqtyt
DrWeb	Linux.Siggen.5538
TrendMicro	TROJ_GEN.R014C0DEP24
FireEye	Generic.Linux.Shellcode.A.A72EC1BD
Sophos	Mal/Generic-S
Ikarus	Trojan.Linux.Shellcode
Google	Detected
Avira	LINUX/AVI.ShellCode.kqtyt
MAX	malware (ai score=99)
Antiy-AVL	Trojan/Linux.ConnectBack.end
Kingsoft	Win32.Hack.Undef.a
Microsoft	Backdoor:Linux/ConnectBack.A!xp
ZoneAlarm	Backdoor.Linux.RevShell.c
GData	Generic.Linux.Shellcode.A.A72EC1BD
Varist	E64/ABRisk.FYHV-9
Tencent	Trojan.Linux.MSF.yb
SentinelOne	Static AI - Malicious ELF
Fortinet	ELF/Shellcode.EA!tr
AVG	ELF:ShellCode-EG [Trj]
alibabacloud	Backdoor:Linux/metasploit

payload.bin

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All