Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 30, 2024, 9:30 a.m.	Sept. 30, 2024, 9:48 a.m.

Size	63.1KB
Type	ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=396e3b4efa775d10ff2bd9371d59f1852028b132, stripped
MD5	`269a9c7b0e832ce896558afe8375483c`
SHA256	`68b553cbc11348fec2ca56ffef0053bc1ea70bed6746225821d07ae041291af0`
CRC32	`3282971E`
ssdeep	`768:klYymsN1WzojKzWIpTump+DLEvXG53xyAcWAF94q5b9patBR1u+p+X7L52:kl9fI2KzlpTumpqcq3xz+V5b9paxMua`
Yara	IsELF - Executable and Linking Format executable file (Linux/Unix)

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "DynvLyTnpYAMA" C:\Users\test22\AppData\Local\Temp\Host.out
2004
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\Host.out
  2084
  - editplus.exe "editplus.exe"
    2580
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 30, 2024, 9:23 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 30, 2024, 9:23 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 30, 2024, 9:30 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 9:30 a.m.			0	0

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	c:\program files\mozilla firefox\firefox.exe

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 30, 2024, 9:30 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 9:30 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 9:30 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 9:30 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74521000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 9:30 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 9:30 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74371000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 9:30 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 9:30 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72711000 process_handle: 0xffffffff	1

Creates a shortcut to an executable file (14 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Word 2013.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Sept. 30, 2024, 9:23 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 30, 2024, 9:23 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 30, 2024, 9:23 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 30, 2024, 9:23 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 30, 2024, 9:23 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 30, 2024, 9:23 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 30, 2024, 9:23 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Sept. 30, 2024, 9:23 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Lionic	Trojan.Linux.Netweird.4!c
Cynet	Malicious (score: 99)
CTX	elf.trojan.netweird
Skyhigh	GenericRXSE-EX!269A9C7B0E83
ALYac	Trojan.Linux.Generic.312160
VIPRE	Trojan.Linux.Generic.312160
Sangfor	Trojan.Linux.Agent.Vaj4
Arcabit	Trojan.Linux.Generic.D4C360
Symantec	Trojan.Gen.NPE
Elastic	Linux.Trojan.Generic
ESET-NOD32	a variant of Linux/Netweird.G
TrendMicro-HouseCall	TROJ_GEN.R002C0DIS24
Avast	ELF:Agent-BCR [Trj]
ClamAV	Unix.Malware.Netweird-10004258-0
Kaspersky	HEUR:Trojan.Linux.Agent.jn
BitDefender	Trojan.Linux.Generic.312160
MicroWorld-eScan	Trojan.Linux.Generic.312160
Rising	Backdoor.Wirenet/Linux!8.13CED (TFE:14:WdJhJvwmLcU)
Emsisoft	Trojan.Linux.Generic.312160 (B)
F-Secure	Malware.LINUX/Dldr.Agent.ywmak
TrendMicro	TROJ_GEN.R002C0DIS24
SentinelOne	Static AI - Malicious ELF
FireEye	Trojan.Linux.Generic.312160
Jiangmin	Trojan.Linux.bof
Google	Detected
Avira	LINUX/Dldr.Agent.ywmak
Antiy-AVL	Trojan/Linux.Netweird.g
Kingsoft	Linux.Trojan.Agent.jn
Microsoft	Backdoor:Linux/Wirenet.B!xp
ZoneAlarm	HEUR:Trojan.Linux.Agent.jn
GData	Trojan.Linux.Generic.312160
McAfee	GenericRXSE-EX!269A9C7B0E83
Ikarus	Win32.Outbreak
Tencent	Linux.Trojan.Agent.Ugil
Fortinet	Linux/Netweird.G!tr
AVG	ELF:Agent-BCR [Trj]
alibabacloud	Backdoor:Linux/Netwiredrc.34a288ec

Host.out

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All