Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.22 04:09
2.exe
09.21 02:09
random.exe
09.21 02:09
sdhsfd.exe
09.21 02:09
66edb89bc4073_crypted....
09.21 02:09
66ed33772bbe7_vdfhsjf1...
09.21 02:09
game.exe
09.21 02:09
66ebb3bf78bd6_Send.exe...
09.21 02:09
66ed33717e4c1_vfdshfda...
09.21 02:09
random.exe
09.21 02:09
66ed336eac985_vdfhssfd...

Latest News
09.22 09:09
Announcing SecTemplate...
09.22 08:09
When Raw Network Socke...
09.22 08:09
Biden Administration t...
09.22 08:09
IT Sicherheitsnews tae...
09.22 07:09
September 22, 2024
09.22 06:09
Cards Against Humanity...
09.22 05:09
Linux, Now In Real Time
09.22 04:09
Was können Roboter wir...
09.22 04:09
Schluss mit Basis-Auth...
09.22 04:09
Deutsches Jugendherber...

Summary | ZeroBOX

pc9.chm

JPEG Format AntiVM PNG Format AntiDebug CHM Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 8, 2024, 4:58 p.m.	July 8, 2024, 5 p.m.

Size	12.0KB
Type	MS Windows HtmlHelp Data
MD5	`7d101e683e7dbdfb83788c109c7b7de3`
SHA256	`78eeed270b399bc426ca67b22bf89e5e41d3abb7403a0a1dfa966fac627ca8b0`
CRC32	`3F19C99C`
ssdeep	`96:Sb4YB5BIaAXZNQ3Tq/xW6oUop3hTpABlsOhR25OwjHg0:Sb4YVeZu3m/xdoUWTpABlI5VH`
Yara	chm_file_format - chm file format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "yCfTFiy" C:\Users\test22\AppData\Local\Temp\pc9.chm
3068
- hh.exe "C:\Windows\hh.exe" C:\Users\test22\AppData\Local\Temp\pc9.chm
  1780

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 8, 2024, 4:51 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 8, 2024, 4:51 p.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 8, 2024, 4:51 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 8, 2024, 4:51 p.m.	process_identifier: 1780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1	0	0
NtProtectVirtualMemory July 8, 2024, 4:51 p.m.	process_identifier: 1780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1	0	0

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

ESET-NOD32	HTML/TrojanDropper.Agent.R
Rising	Trojan.MouseJack/HTML!1.BE26 (CLASSIC)
AhnLab-V3	Dropper/HTML.Generic.S2418
Fortinet	JS/Kimsuky.GOSU!tr

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 8, 2024, 4:51 p.m.	process_identifier: 1780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff90000 process_handle: 0xffffffffffffffff	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3068 resumed a thread in remote process 1780
NtResumeThread July 8, 2024, 4:58 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 1780	1	0	0