Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 14, 2024, 5:43 p.m.	July 14, 2024, 5:58 p.m.

Size	963.3KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`cefc3739d099bae51eb2a9d3887ac12c`
SHA256	`17808b7509e2a5d8ae805cc59eaae1305ae4d3069f173187b57aa29b3833f9e7`
CRC32	`BF47ABEF`
ssdeep	`24576:juDXTIGaPhEYzUzA0aTuDXTIGaPhEYzUzA0bPrs:KDjlabwz9RDjlabwz9c`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

potkmdaw.exe "C:\Users\test22\AppData\Local\Temp\potkmdaw.exe"
516
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat" "
  2196
  - clamer.exe clamer.exe -priverdD
    2272
    - voptda.exe "C:\Users\test22\AppData\Local\Temp\RarSFX1\voptda.exe"
      2464
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
95.169.205.186	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.didat
section	_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX1\voptda.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\clamer.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX1\voptda.exe

Yara rule detected in process memory (32 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Communicates with host for which no DNS query was performed (1 event)

host

95.169.205.186

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX1\voptda.exe

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\clamer.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX1\voptda.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2196 resumed a thread in remote process 2272
NtResumeThread July 14, 2024, 5:36 p.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2272	1	0	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

95.169.205.186:80

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.RecordBreaker.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win64.Generic.dh
ALYac	Trojan.GenericKD.73407751
Cylance	Unsafe
VIPRE	Trojan.GenericKD.73407751
K7AntiVirus	Spyware ( 005b10b61 )
BitDefender	Trojan.GenericKD.73407751
K7GW	Riskware ( abcd70071 )
Cybereason	malicious.9d099b
VirIT	Trojan.Win64.RarDrp.GZC
Symantec	Trojan.Gen.MBT
ESET-NOD32	Win32/RecordBreaker.A
McAfee	Artemis!CEFC3739D099
Avast	Win64:Malware-gen
ClamAV	Win.Dropper.Nanocore-9986456-0
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	TrojanPSW:Win32/RecordBreaker.5a7aee7a
NANO-Antivirus	Trojan.Win64.RaccoonSteal.kponbt
MicroWorld-eScan	Trojan.GenericKD.73407751
Emsisoft	Trojan.GenericKD.73407751 (B)
F-Secure	Trojan.TR/Redcap.obzmv
DrWeb	Trojan.PWS.Siggen3.37746
Zillya	Exploit.UAC.Win32.999
McAfeeD	ti!17808B7509E2
FireEye	Generic.mg.cefc3739d099bae5
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.RecordBreaker
Jiangmin	Worm.MSIL.vpw
Webroot	W32.Trojan.Gen
Avira	TR/AD.RaccoonSteal.zgxnz
Antiy-AVL	Trojan/Win32.Casdet
Kingsoft	Win32.Trojan.Generic.a
Gridinsoft	Trojan.Win64.Downloader.sa
Xcitium	Malware@#3jlj97zizu7o8
Arcabit	Trojan.Generic.D4601D07
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Win64.Trojan.Agent.LV5BOZ
DeepInstinct	MALICIOUS
VBA32	TrojanPSW.Racealer
Malwarebytes	Malware.AI.3225386938
Panda	Trj/CI.A
TrendMicro-HouseCall	TrojanSpy.Win64.RACCOONSTEALER.YXEGGZ
MAX	malware (ai score=88)
AVG	Win64:Malware-gen
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_60% (D)

potkmdaw.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All