Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 26, 2024, 10:41 a.m.	July 26, 2024, 10:58 a.m.

Size	898.8KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`c02798b26bdaf8e27c1c48ef5de4b2c3`
SHA256	`af41b9ac95c32686ba1ef373929b54f49088e5c4f295fe828b43b32b5160aa78`
CRC32	`66A787B8`
ssdeep	`24576:juDXTIGaPhEYzUzA0aouDXTIGaPhEYzUzA0br:KDjlabwz9MDjlabwz93`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

gawdth.exe "C:\Users\test22\AppData\Local\Temp\gawdth.exe"
2548
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat" "
  2736
  - clamer.exe clamer.exe -priverdD
    2804
    - lofsawd.exe "C:\Users\test22\AppData\Local\Temp\RarSFX1\lofsawd.exe"
      2916
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.didat
section	_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 26, 2024, 10:41 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:42 a.m.	process_identifier: 2804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:42 a.m.	process_identifier: 2916 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:43 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX1\lofsawd.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\clamer.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX1\lofsawd.exe

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Installs itself for autorun at Windows startup (1 event)

file	C:\Windows\Tasks\Test Task17.job

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\clamer.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX1\lofsawd.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2736 resumed a thread in remote process 2804
NtResumeThread July 26, 2024, 10:42 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2804	1	0	0

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (moderate confidence)
Skyhigh	BehavesLike.Win64.Generic.ch
ALYac	Gen:Variant.Graftor.636737
Cylance	Unsafe
VIPRE	Gen:Variant.Graftor.636737
Sangfor	Trojan.Win32.Agent.Vrp2
K7AntiVirus	Spyware ( 005b10b61 )
BitDefender	Gen:Variant.Graftor.636737
K7GW	Spyware ( 005b10b61 )
Cybereason	malicious.26bdaf
Arcabit	Trojan.Graftor.D9B741
Symantec	Trojan.Gen.MBT
McAfee	Artemis!C02798B26BDA
Avast	Win64:Evo-gen [Trj]
ClamAV	Win.Dropper.Nanocore-9986456-0
Kaspersky	UDS:Trojan.Win32.Generic
Alibaba	Trojan:Win32/Sybici.76dc2c96
MicroWorld-eScan	Gen:Variant.Graftor.636737
Emsisoft	Gen:Variant.Graftor.636737 (B)
Zillya	Exploit.UAC.Win32.999
McAfeeD	ti!AF41B9AC95C3
FireEye	Generic.mg.c02798b26bdaf8e2
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Leonem
Jiangmin	Worm.MSIL.vpw
MAX	malware (ai score=87)
Kingsoft	Win32.Trojan.Generic.a
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Graftor.636737
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Dropper.SFX
Panda	Trj/CI.A
huorong	Trojan/BAT.Starter.ax
AVG	Win64:Evo-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (W)

gawdth.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All