Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 22, 2024, 5:47 p.m.	July 22, 2024, 5:52 p.m.

Size	163.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`a668cb93c16026b6ee15b96dbd13d64f`
SHA256	`1adf26633c17278c9b930529b164637a8942cbb1f3267afafec63b56de51dd96`
CRC32	`4B7A0BF7`
ssdeep	`3072:z6JM/iN8vLfG+EZm0jNJmG2F00EfqADbugtWlHn:z6A0BJmGa0HiibeH`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description) Win_Backdoor_njRAT_Zero - Win Backdoor njRAT

Botkiller.exe "C:\Users\test22\AppData\Local\Temp\Botkiller.exe"
1000
- taskkill.exe TASKKILL /F /IM cmd.exe
  2184
- taskkill.exe TASKKILL /F /IM wscript.exe
  2148
taskkill.exe TASKKILL /F /IM wscript.exe
2780
taskkill.exe TASKKILL /F /IM cmd.exe
2816

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.83.207.67	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 22, 2024, 5:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2024, 5:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2024, 5:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2024, 5:47 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 22, 2024, 5:47 p.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 22, 2024, 5:47 p.m.	buffer: SUCCESS: The process "cmd.exe" with PID 1188 has been terminated. console_handle: 0x00000007	1	1
WriteConsoleW July 22, 2024, 5:47 p.m.	buffer: ERROR: The process "wscript.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW July 22, 2024, 5:47 p.m.	buffer: ERROR: The process "wscript.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW July 22, 2024, 5:47 p.m.	buffer: SUCCESS: The process "cmd.exe" with PID 2628 has been terminated. console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

Allocates read-write-execute memory (usually to unpack itself) (32 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74021000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74022000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00583000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00584000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00751000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00588000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 5:47 p.m.	process_identifier: 1000 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Botkiller.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.pyw - 바로 가기.lnk

Creates a suspicious process (1 event)

cmdline

TASKKILL /F /IM cmd.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\Botkiller.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\Botkiller.exe

Executes one or more WMI queries (2 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wscript.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe")

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 22, 2024, 5:47 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 22, 2024, 5:47 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 22, 2024, 5:47 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 22, 2024, 5:47 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 22, 2024, 5:47 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess July 22, 2024, 5:47 p.m.	status_code: 0x00000001 process_identifier: 1188 process_handle: 0x0000018c
NtTerminateProcess July 22, 2024, 5:47 p.m.	status_code: 0x00000001 process_identifier: 1188 process_handle: 0x0000018c	1
NtTerminateProcess July 22, 2024, 5:47 p.m.	status_code: 0x00000001 process_identifier: 2628 process_handle: 0x00000180
NtTerminateProcess July 22, 2024, 5:47 p.m.	status_code: 0x00000001 process_identifier: 2628 process_handle: 0x00000180	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	TASKKILL /F /IM wscript.exe
cmdline	TASKKILL /F /IM cmd.exe

Communicates with host for which no DNS query was performed (1 event)

host

45.83.207.67

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware.CS
Elastic	malicious (high confidence)
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
Skyhigh	BehavesLike.Win32.Trojan.ch
ALYac	Gen:Variant.Jalapeno.1494
Cylance	Unsafe
VIPRE	Gen:Variant.Jalapeno.1494
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 700000121 )
BitDefender	Gen:Variant.Jalapeno.1494
K7GW	Trojan ( 700000121 )
Cybereason	malicious.3c1602
Arcabit	Trojan.Jalapeno.D5D6
Baidu	MSIL.Backdoor.Bladabindi.a
VirIT	Trojan.Win32.MSIL_Heur.B
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of MSIL/Autorun.Spy.Agent.DF
APEX	Malicious
McAfee	Packed-WL!A668CB93C160
Avast	Win32:MalwareX-gen [Trj]
ClamAV	Win.Packed.Razy-9960873-0
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Jalapeno.1494
Rising	Backdoor.njRAT!1.9E49 (CLASSIC)
Emsisoft	Gen:Variant.Jalapeno.1494 (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	Trojan.DownLoader26.20026
McAfeeD	Real Protect-LS!A668CB93C160
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.a668cb93c16026b6
Sophos	Mal/Bladabi-U
Ikarus	Win32.Outbreak
Google	Detected
Avira	TR/Dropper.Gen
MAX	malware (ai score=87)
Kingsoft	malware.kb.c.1000
Gridinsoft	Trojan.Win32.Bladabindi.sb!ni
Microsoft	Backdoor:MSIL/Bladabindi.AJ
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	MSIL.Backdoor.Agent.AXL
Varist	W32/Barys.BG.gen!Eldorado
AhnLab-V3	Trojan/Win32.Bladabindi.C2442346
BitDefenderTheta	Gen:NN.ZemsilF.36810.kqW@aaB9QAo
DeepInstinct	MALICIOUS
VBA32	Trojan.MSIL.Buts.gen
Malwarebytes	AutoRun.Spyware.Stealer.DDS
Tencent	Worm.MSIL.Autorun.ca
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (22 events)

dead_host	192.168.56.103:49181
dead_host	45.83.207.67:6522
dead_host	192.168.56.103:49177
dead_host	192.168.56.103:49186
dead_host	192.168.56.103:49174
dead_host	192.168.56.103:49170
dead_host	192.168.56.103:49182
dead_host	192.168.56.103:49187
dead_host	192.168.56.103:49175
dead_host	192.168.56.103:49178
dead_host	192.168.56.103:49171
dead_host	192.168.56.103:49188
dead_host	192.168.56.103:49183
dead_host	192.168.56.103:49184
dead_host	192.168.56.103:49172
dead_host	192.168.56.103:49179
dead_host	192.168.56.103:49168
dead_host	192.168.56.103:49180
dead_host	192.168.56.103:49185
dead_host	192.168.56.103:49173
dead_host	192.168.56.103:49176
dead_host	192.168.56.103:49169

Botkiller.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All