Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 14, 2024, 10:37 a.m.	Oct. 14, 2024, 10:39 a.m.

Size	4.2MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`9fb8cc095e016caf986f28f61a4334ca`
SHA256	`369a92d10be574e4e96680100bba4bb8f1b94f23a129d04ce0cef93dbb4d92a1`
CRC32	`39119D11`
ssdeep	`98304:SA98w3AJb77ixCX3xPVLY9/zVHW2X3sANemWxOAn:x98wwJjnBPVE1zRVX8ApWbn`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

Updater.exe "C:\Users\test22\AppData\Local\Temp\Updater.exe"
2544
- cmd.exe "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2644
  - schtasks.exe schtasks /create /tn MyApp /tr C:\Users\test22\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    2704

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 14, 2024, 10:37 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 14, 2024, 10:37 a.m.	buffer: SUCCESS: The scheduled task "MyApp" has successfully been created. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 14, 2024, 10:37 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.vmp\xec\x9b\x83\xec

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Creates a suspicious process (3 events)

cmdline	cmd.exe /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	schtasks /create /tn MyApp /tr C:\Users\test22\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 14, 2024, 10:37 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f filepath: cmd.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0040b200', u'virtual_address': u'0x00234000', u'entropy': 7.98873116396396, u'name': u'.vmp\\xec\\x9b\\x83\\xec', u'virtual_size': u'0x0040b1c0'}

entropy

7.98873116396

description

A section with a high entropy has been found

entropy

0.955904421101

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd.exe /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	schtasks /create /tn MyApp /tr C:\Users\test22\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f

The executable is likely packed with VMProtect (3 events)

section	.vmp\xec\x9b\x83\xec	description	Section name indicates VMProtect
section	.vmp\xec\x9b\x83\xec	description	Section name indicates VMProtect
section	.vmp\xec\x9b\x83\xec	description	Section name indicates VMProtect

Installs itself for autorun at Windows startup (3 events)

cmdline	cmd.exe /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	schtasks /create /tn MyApp /tr C:\Users\test22\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f

Uses Sysinternals tools in order to add additional command line functionality (3 events)

cmdline	cmd.exe /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	schtasks /create /tn MyApp /tr C:\Users\test22\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
cmdline	"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Fsysna.4!c
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.rc
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (D)
K7GW	Trojan ( 0059f91f1 )
K7AntiVirus	Trojan ( 0059f91f1 )
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.VMProtect.BC suspicious
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Kaspersky	UDS:Trojan.Win32.Fsysna.jxyn
Rising	Trojan.Kryptik@AI.84 (RDML:XGdsaXKnHPLcnQzQlyDttg)
F-Secure	Trojan.TR/AVI.ClipBanker.rtyqx
McAfeeD	ti!369A92D10BE5
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.clipbanker
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.9fb8cc095e016caf
Avira	TR/AVI.ClipBanker.rtyqx
Kingsoft	malware.kb.b.860
Gridinsoft	Trojan.Heur!.02210201
Microsoft	Trojan:Win32/Sonbokli.A!cl
ViRobot	Trojan.Win.Z.Agent.4436480
ZoneAlarm	UDS:Trojan.Win32.Fsysna.jxyn
GData	Win32.Trojan.Agent.XYCBWH
AhnLab-V3	Malware/Gen.Reputation.C4302750
McAfee	Artemis!9FB8CC095E01
DeepInstinct	MALICIOUS
Malwarebytes	Malware.Heuristic.2108
Ikarus	Win32.Outbreak
Tencent	Win32.Trojan.Fsysna.Edhl
Fortinet	Riskware/Application
AVG	Win32:Evo-gen [Trj]

Updater.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All