Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe
11.13 02:11
nb.exe
11.13 02:11
svcyr.exe
11.13 02:11
Ghost_1.5.11.5.exe
11.13 02:11
PowderGpl.exe
11.13 02:11
goodlabel%E6%89%93%E5%...

Latest News
11.13 09:11
Mishing: The Rising Mo...
11.13 09:11
Europe’s Tech Startups...
11.13 09:11
NASA Announces New Tri...
11.13 09:11
Microsoft’s Gaming Chi...
11.13 09:11
Amazon Makes it Harder...
11.13 09:11
Brain Implant Startups...
11.13 09:11
Comprehensive Guide to...
11.13 08:11
Major Cyber Attacks in...
11.13 08:11
Tesla’s Meme-Like Stoc...
11.13 08:11
HawkEye Malware: Techn...

Summary | ZeroBOX

2aba0c4cfb95beba9ddb8208234f1b6f2eb1b9d0a20ffb74b807d169f385c810.rar

KeyLogger PWS Escalate priviledges AntiDebug AntiVM

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 9, 2024, 6:38 p.m.	July 9, 2024, 6:41 p.m.

Size	258.0KB
Type	RAR archive data, v5
MD5	`432230af1d59dac7dfb47e0684807240`
SHA256	`2aba0c4cfb95beba9ddb8208234f1b6f2eb1b9d0a20ffb74b807d169f385c810`
CRC32	`04AD1C5F`
ssdeep	`6144:8uZofOWMUboY7L97A5UDQGVjPP8nRWoFV+hHlOO:8Kul97A5ULVjsn/jWx`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "cApHxvXtwvrfIcf" C:\Users\test22\AppData\Local\Temp\2aba0c4cfb95beba9ddb8208234f1b6f2eb1b9d0a20ffb74b807d169f385c810.rar
3040
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\2aba0c4cfb95beba9ddb8208234f1b6f2eb1b9d0a20ffb74b807d169f385c810.rar"
  2200

Name	Response	Post-Analysis Lookup
p13n.adobe.io	A 3.219.243.226 A 3.233.129.217 A 52.22.41.97 A 52.6.155.20	52.22.41.97

IP Address	Status	Action
104.78.72.178	Active	Moloch
164.124.101.2	Active	Moloch
3.233.129.217	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49183 104.78.72.178:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Jose, O=Adobe Inc, CN=*.adobe.com	ef:f1:bb:08:e5:d8:6e:f3:9f:01:83:db:70:5d:59:99:d2:79:30:f2
TLS 1.3 192.168.56.102:49181 3.233.129.217:443	None	None	None

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 9, 2024, 6:38 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 9, 2024, 6:38 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 9, 2024, 6:38 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74002000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 9, 2024, 6:38 p.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x721c3000 process_handle: 0xffffffff	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7zE8982DBDC\_MACOSX\_MACOSX\李新宇-北京大学-2026毕业-金融硕士.pdf

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\7zE8982DBDC\_MACOSX\_MACOSX\DS_Store.vbs
file	C:\Users\test22\AppData\Local\Temp\7zE8982DBDC\李新宇-北京大学-2026毕业-金融硕士.pdf.lnk
file	C:\Users\test22\AppData\Local\Temp\7zE8982DBDC\_MACOSX\_MACOSX\filename.lnk

Creates hidden or system file (4 events)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW July 9, 2024, 6:39 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\7zE8982DBDC\_MACOSX\_MACOSX\DS_Store filepath: C:\Users\test22\AppData\Local\Temp\7zE8982DBDC\_MACOSX\_MACOSX\DS_Store	1	1	0
SetFileAttributesW July 9, 2024, 6:39 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\7zE8982DBDC\_MACOSX\_MACOSX\DS_Store.vbs filepath: C:\Users\test22\AppData\Local\Temp\7zE8982DBDC\_MACOSX\_MACOSX\DS_Store.vbs	1	1	0
SetFileAttributesW July 9, 2024, 6:39 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\7zE8982DBDC\_MACOSX\_MACOSX\filename.lnk filepath: C:\Users\test22\AppData\Local\Temp\7zE8982DBDC\_MACOSX\_MACOSX\filename.lnk	1	1	0
SetFileAttributesW July 9, 2024, 6:39 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Local\Temp\7zE8982DBDC\_MACOSX\_MACOSX\李新宇-北京大学-2026毕业-金融硕士.pdf filepath: C:\Users\test22\AppData\Local\Temp\7zE8982DBDC\_MACOSX\_MACOSX\李新宇-北京大学-2026毕业-金融硕士.pdf	1	1	0

Creates a shortcut to an executable file (3 events)

file	C:\Users\test22\AppData\Local\Temp\7zE8982DBDC\李新宇-北京大学-2026毕业-金融硕士.pdf.lnk
file	C:\.lnk
file	C:\Users\test22\AppData\Local\Temp\7zE8982DBDC\_MACOSX\_MACOSX\filename.lnk

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Rising	Trojan.Generic@AI.89 (RDMK:cmRtazrnF3/GKE8zsnw4G/aqjuRR)
Sophos	Troj/LnkObf-T
Google	Detected
Microsoft	Trojan:Script/Wacatac.B!ml
AhnLab-V3	Malware/Win.Generic.C5648133

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 9, 2024, 6:38 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW July 9, 2024, 6:39 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Escalate priviledges				rule	Escalate_priviledges
description	PWS Memory				rule	Generic_PWS_Memory_Zero
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep
description	Run a KeyLogger				rule	KeyLogger

Communicates with host for which no DNS query was performed (1 event)

host

104.78.72.178