Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 20, 2024, 10:34 a.m.	Sept. 20, 2024, 10:36 a.m.

Size	2.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e21b8ab721253a904d148587bb256be4`
SHA256	`0482038dee8cdc3992533d6d3bfd36123a0efc02809b9c1cb87febef83a3517a`
CRC32	`0BFBC2C3`
ssdeep	`49152:6TvC/MTQYxsWR7alUZqvJ+UtB7wxAzbimbJX:KjTQYxsWRpZqvJ+kBGob7bJ`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

PO-LIST.exe "C:\Users\test22\AppData\Local\Temp\PO-LIST.exe"
3008
- name.exe "C:\Users\test22\AppData\Local\Temp\PO-LIST.exe"
  2216
  - svchost.exe "C:\Users\test22\AppData\Local\Temp\PO-LIST.exe"
    2104

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50
nzobaku.ddns.net	A 45.138.16.248	45.138.16.248

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
45.138.16.248	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
TCP 192.168.56.102:49164 -> 45.138.16.248:8081	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.102:49164 45.138.16.248:8081	None	None	None

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 20, 2024, 10:34 a.m.			0	0
IsDebuggerPresent Sept. 20, 2024, 10:34 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 20, 2024, 10:34 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Connects to a Dynamic DNS Domain (1 event)

domain

nzobaku.ddns.net

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 20, 2024, 10:34 a.m.	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 20, 2024, 10:34 a.m.	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0301f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 20, 2024, 10:34 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74302000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 20, 2024, 10:34 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03070000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

svchost.exe tried to sleep 344 seconds, actually delayed analysis time by 344 seconds

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
file	C:\Users\test22\AppData\Local\directory\name.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\directory\name.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\directory\name.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00129600', u'virtual_address': u'0x000d4000', u'entropy': 7.98342214418379, u'name': u'.rsrc', u'virtual_size': u'0x00129434'}

entropy

7.98342214418

description

A section with a high entropy has been found

entropy

0.581094284319

description

Overall entropy of this PE file is high

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 20, 2024, 10:34 a.m.	thread_identifier: 1780 thread_handle: 0x00000140 process_identifier: 2104 current_directory: filepath: C:\Windows\System32\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\PO-LIST.exe" filepath_r: C:\Windows\System32\svchost.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000138	1	1	0

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Sept. 20, 2024, 10:34 a.m.	thread_identifier: 0 callback_function: 0x0040a2df hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	7209413	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2216 called NtSetContextThread to modify thread in remote process 2104
NtSetContextThread Sept. 20, 2024, 10:34 a.m.	registers.eip: 2001207748 registers.esp: 588892 registers.edi: 0 registers.eax: 4409984 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000140 process_identifier: 2104	1	0	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win64.Injects.ts93
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.TrojanAitInject.vc
ALYac	AIT:Trojan.Nymeria.6323
Cylance	Unsafe
VIPRE	AIT:Trojan.Nymeria.6323
Sangfor	Trojan.Win32.Autoit.Vgvj
CrowdStrike	win/malicious_confidence_70% (D)
BitDefender	Trojan.Generic.36766592
K7GW	Trojan ( 005ba79e1 )
K7AntiVirus	Trojan ( 005ba79e1 )
Arcabit	Trojan.Generic.D2310380
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.Autoit.GJP
Avast	Win32:Malware-gen
Kaspersky	HEUR:Trojan.Script.Generic
Alibaba	Trojan:Win32/Autoitinject.9e6f94a5
MicroWorld-eScan	Trojan.Generic.36766592
Rising	Trojan.Injector/Autoit!1.10326 (CLASSIC)
Emsisoft	Trojan.Generic.36766592 (B)
F-Secure	Dropper.DR/AutoIt.Gen8
TrendMicro	Backdoor.Win32.REMCOS.YXEIRZ
McAfeeD	Real Protect-LS!E21B8AB72125
CTX	exe.trojan.autoit
Sophos	Mal/Generic-S
FireEye	Generic.mg.e21b8ab721253a90
Webroot	W32.Trojan.Script
Google	Detected
Avira	DR/AutoIt.Gen8
Kingsoft	Script.Trojan.Generic.a
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Backdoor:MSIL/XWormRAT.PDAJ!MTB
GData	Trojan.Generic.36766592
McAfee	Artemis!E21B8AB72125
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.PasswordStealer
Ikarus	Trojan.Autoit
Panda	Trj/CI.A
TrendMicro-HouseCall	Backdoor.Win32.REMCOS.YXEIRZ
Tencent	Script.Trojan.Generic.Ozfl
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	AutoIt/Agent.OM!tr
AVG	Win32:Malware-gen
Paloalto	generic.ml

PO-LIST.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All