Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 27, 2024, 1:30 p.m.	Aug. 27, 2024, 1:36 p.m.

Size	2.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`dfa3bc45245a6f8f6c7085e625afbb99`
SHA256	`475525d4cbab512f143238013112efa360de9fa46dbba201a7219d50c69e0697`
CRC32	`92783721`
ssdeep	`49152:i1beL/xJtcWgiYXbY4B7EWrTwsIPK59E77k2uHf51:iNeNJvgRLYyEHFfk2s`
Yara	Microsoft_Office_File_Downloader_Zero - Microsoft Office File Downloader Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Microsoft_Office_File_Zero - Microsoft Office File Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) Generic_Malware_Zero - Generic Malware VBScript_Check_All_Process - VBScript Check All Process UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

ERAB.exe "C:\Users\test22\AppData\Local\Temp\ERAB.exe"
2552

Name	Response	Post-Analysis Lookup
asurastrike.de	A 146.247.97.33	146.247.97.33
reshade.me	A 217.160.0.130	217.160.0.130

IP Address	Status	Action
146.247.97.33	Active	Moloch
164.124.101.2	Active	Moloch
217.160.0.130	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 217.160.0.130:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 217.160.0.130:443 -> 192.168.56.101:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 146.247.97.33:80	2008259	ET USER_AGENTS Suspicious User-Agent (AutoHotkey)	A Network Trojan was detected
TCP 192.168.56.101:49168 -> 146.247.97.33:80	2008259	ET USER_AGENTS Suspicious User-Agent (AutoHotkey)	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Performs some HTTP requests (42 events)

request	GET http://asurastrike.de/ERAB/files.txt
request	GET http://asurastrike.de/ERAB/version2.txt
request	GET http://asurastrike.de/ERAB/GAMELIST.ERAB
request	GET http://asurastrike.de/ERAB/AddonsList.ERAB
request	GET http://asurastrike.de/ERAB/autobackup.png
request	GET http://asurastrike.de/ERAB/autobackup1.png
request	GET http://asurastrike.de/ERAB/backup.png
request	GET http://asurastrike.de/ERAB/backup1.png
request	GET http://asurastrike.de/ERAB/backup2.png
request	GET http://asurastrike.de/ERAB/bugs.png
request	GET http://asurastrike.de/ERAB/CoOp.ico
request	GET http://asurastrike.de/ERAB/cpu.png
request	GET http://asurastrike.de/ERAB/default.png
request	GET http://asurastrike.de/ERAB/default1.png
request	GET http://asurastrike.de/ERAB/default2.png
request	GET http://asurastrike.de/ERAB/delete.png
request	GET http://asurastrike.de/ERAB/delete1.png
request	GET http://asurastrike.de/ERAB/EZAB.ico
request	GET http://asurastrike.de/ERAB/EZAB_active.ico
request	GET http://asurastrike.de/ERAB/EZAB_count.ico
request	GET http://asurastrike.de/ERAB/EZAB_inactive.ico
request	GET http://asurastrike.de/ERAB/info.png
request	GET http://asurastrike.de/ERAB/LBnet.png
request	GET http://asurastrike.de/ERAB/LBnet1.png
request	GET http://asurastrike.de/ERAB/LEpic.png
request	GET http://asurastrike.de/ERAB/LEpic1.png
request	GET http://asurastrike.de/ERAB/LOP-WinGDK-Shipping.exe.ico
request	GET http://asurastrike.de/ERAB/LSteam.png
request	GET http://asurastrike.de/ERAB/LSteam1.png
request	GET http://asurastrike.de/ERAB/LUplay.png
request	GET http://asurastrike.de/ERAB/LUplay1.png
request	GET http://asurastrike.de/ERAB/new.png
request	GET http://asurastrike.de/ERAB/rename.png
request	GET http://asurastrike.de/ERAB/rename1.png
request	GET http://asurastrike.de/ERAB/restore.png
request	GET http://asurastrike.de/ERAB/splash.jpg
request	GET http://asurastrike.de/ERAB/update.png
request	GET http://asurastrike.de/ERAB/notify_backup.wav
request	GET http://asurastrike.de/ERAB/notify_pause.wav
request	GET http://asurastrike.de/ERAB/notify_restore.wav
request	GET http://asurastrike.de/ERAB/notify_save.wav
request	GET http://asurastrike.de/ERAB/notify_start.wav

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00274000 process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\7z.dll
file	C:\Users\test22\AppData\Local\Temp\7z.exe

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\7z.dll
file	C:\Users\test22\AppData\Local\Temp\7z.exe

Installs an hook procedure to monitor for mouse events (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Aug. 27, 2024, 1:30 p.m.	thread_identifier: 0 callback_function: 0x00404ed0 hook_identifier: 14 (WH_MOUSE_LL) module_address: 0x00400000	1	131513	0

Manipulates memory of a non-child process indicative of process injection (35 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 manipulating memory of non-child process 2552
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06550000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06570000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06570000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06570000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06570000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06570000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06570000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06570000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:30 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:31 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:31 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:31 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b4	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:31 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a8	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:31 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a8	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:31 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a8	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:31 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a8	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:31 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a8	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:31 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a8	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:31 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a8	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:31 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a8	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:31 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a8	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:31 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a8	1	0	0
NtAllocateVirtualMemory Aug. 27, 2024, 1:31 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x06580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a8	1	0	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Aug. 27, 2024, 1:30 p.m.	thread_identifier: 0 callback_function: 0x00404d60 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	328115	0

ERAB.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All