Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 19, 2024, 2:05 p.m.	Aug. 19, 2024, 2:48 p.m.

Size	561.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0db78abd5b7a1504ae68963800823ea5`
SHA256	`118d212ffd99d9812697c7ba6abb132cf2f62f8b657b49e49b3241164dc18f11`
CRC32	`DD2184A5`
ssdeep	`12288:OBdlwHRn+WlYV+XHBef1p6hEnWBxYN2RHDg45:OBkVdlYA3Bm1pfUYNEjgw`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

alsuuu.exe "C:\Users\test22\AppData\Local\Temp\alsuuu.exe"
2656
- als.exe "C:\Users\test22\AppData\Roaming\als.exe"
  2752
- NVIDIAShare.exe "C:\Users\test22\AppData\Roaming\NVIDIAShare.exe"
  2792

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.140.24 A 104.192.140.25 A 104.192.140.26	104.192.140.26

IP Address	Status	Action
104.192.140.24	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 104.192.140.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 104.192.140.24:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 19, 2024, 2:05 p.m.	stacktrace: als+0x298f8 @ 0xc898f8 als+0x337c6 @ 0xc937c6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 03 42 3c 89 45 bc c7 85 38 fe ff ff 01 00 00 00 exception.symbol: als+0x7d16 exception.instruction: add eax, dword ptr [edx + 0x3c] exception.module: als.exe exception.exception_code: 0xc0000005 exception.offset: 32022 exception.address: 0xc67d16 registers.esp: 3456704 registers.edi: 0 registers.eax: 0 registers.ebp: 3464472 registers.edx: 0 registers.ebx: 3464480 registers.esi: 1 registers.ecx: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 19, 2024, 2:05 p.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72dd2000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\als.exe
file	C:\Users\test22\AppData\Roaming\NVIDIAShare.exe

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Roaming\als.exe
file	C:\Users\test22\AppData\Roaming\NVIDIAShare.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\als.exe

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA Share

reg_value

C:\Users\test22\AppData\Roaming\ServiceAmd\NVIDIAShare.exe

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
ALYac	Trojan.Generic.36687673
Cylance	Unsafe
VIPRE	Trojan.Generic.36687673
K7AntiVirus	Trojan ( 005b7f931 )
BitDefender	Trojan.Generic.36687673
K7GW	Trojan ( 005b7f931 )
Arcabit	Trojan.Zusy.D87B05
Symantec	Trojan.Gen.MBT
ESET-NOD32	multiple detections
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Packed.Bladabindi-10017056-0
Kaspersky	Trojan-Banker.Win32.ClipBanker.acad
Alibaba	TrojanBanker:Win32/ClipBanker.3a25dc93
MicroWorld-eScan	Trojan.Generic.36687673
Rising	Trojan.Generic!8.C3 (CLOUD)
Emsisoft	Trojan.Generic.36687673 (B)
F-Secure	Trojan.TR/Agent_AGen.xzeex
TrendMicro	TrojanSpy.Win32.LUMMASTEALER.YXEGPZ
McAfeeD	ti!118D212FFD99
FireEye	Generic.mg.0db78abd5b7a1504
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious SFX
Google	Detected
Avira	TR/Agent_AGen.xzeex
MAX	malware (ai score=87)
Antiy-AVL	Trojan[Banker]/Win32.ClipBanker
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Injuke.gen
GData	Trojan.Generic.36687673
Varist	W64/ABTrojan.ABKC-7111
BitDefenderTheta	Gen:NN.ZexaF.36812.sqW@aC0Ysie
DeepInstinct	MALICIOUS
VBA32	Trojan.Wacatac
Malwarebytes	Crypt.Trojan.MSIL.DDS
Ikarus	Trojan.Win64.Bladabindi
Panda	Trj/Genetic.gen
TrendMicro-HouseCall	TrojanSpy.Win32.LUMMASTEALER.YXEGPZ
Tencent	Win32.Trojan.Injuke.Hjgl
Yandex	Trojan.Injuke!6EpnmQOjfa4
huorong	Trojan/Generic!818E309504CBFF21
Fortinet	W32/Agent_AGen.DSR!tr
AVG	Win32:DropperX-gen [Drp]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (W)
alibabacloud	Trojan:Win/Agent_AGen.DBY

alsuuu.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All