Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 21, 2024, 1:39 p.m.	Oct. 21, 2024, 1:44 p.m.

Size	10.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`fec6019b90092723b543219410ce71b4`
SHA256	`6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc`
CRC32	`B5DA534E`
ssdeep	`196608:np9T+NrpQJrG8M3+OvIKeFUOkpfG+n4qsYdz+FsCTk6x4acytLmfzB:n6rpQJK8M3+4teCOkpe3YhG7LmfzB`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

a.exe "C:\Users\test22\AppData\Local\Temp\a.exe"
2556
- rfusclient.exe "C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\rfusclient.exe" -run_agent
  2668
  - rutserv.exe "C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\rutserv.exe"
    2736

Name	Response	Post-Analysis Lookup
smtp-5.1gb.ua		195.234.4.4

IP Address	Status	Action
164.124.101.2	Active	Moloch
89.184.66.94	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 21, 2024, 1:39 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 21, 2024, 1:39 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 21, 2024, 1:39 p.m.			0	0

At least one process apparently crashed during execution (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrLoadDll Oct. 21, 2024, 1:39 p.m.	module_name: FaultRep.dll basename: FaultRep stack_pivoted: 0 flags: 0 module_address: 0x73550000	1	0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

UNICODEDATA

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 21, 2024, 1:39 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 21, 2024, 1:39 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2024, 1:39 p.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 21, 2024, 1:39 p.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2024, 1:39 p.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73652000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 21, 2024, 1:39 p.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (9 events)

file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\webmmux.dll
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\rutserv.exe
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\webmvorbisencoder.dll
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\ssleay32.dll
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\rfusclient.exe
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\libeay32.dll
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\vp8encoder.dll
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\webmvorbisdecoder.dll
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\vp8decoder.dll

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\rfusclient.exe
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\rutserv.exe

Drops an executable to the user AppData folder (9 events)

file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\libeay32.dll
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\vp8decoder.dll
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\vp8encoder.dll
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\webmmux.dll
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\rfusclient.exe
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\webmvorbisdecoder.dll
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\webmvorbisencoder.dll
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\ssleay32.dll
file	C:\Users\test22\AppData\Roaming\RMS Agent\69110\86337C6FA9\rutserv.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 21, 2024, 1:39 p.m.	snapshot_handle: 0x000001f0 process_name: mobsync.exe process_identifier: 2272	1	1
Process32NextW Oct. 21, 2024, 1:39 p.m.	snapshot_handle: 0x000001f0 process_name: pw.exe process_identifier: 2316	1	1
Process32NextW Oct. 21, 2024, 1:39 p.m.	snapshot_handle: 0x000001f0 process_name: rutserv.exe process_identifier: 2736	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000e5400', u'virtual_address': u'0x00cbb000', u'entropy': 7.9166279623924485, u'name': u'UPX1', u'virtual_size': u'0x000e6000'}

entropy

7.91662796239

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x009f7600', u'virtual_address': u'0x00da1000', u'entropy': 7.954909631861527, u'name': u'.rsrc', u'virtual_size': u'0x009f8000'}

entropy

7.95490963186

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 21, 2024, 1:39 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 21, 2024, 1:39 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (2 events)

url	http://schemas.xmlsoap.org/soap/envelope/
url	http://rmansys.ru/internet-id/

Yara rule detected in process memory (24 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Communications smtp	rule	network_smtp_raw
description	Communications over SSL	rule	Network_SSL
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Run a KeyLogger	rule	KeyLogger

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

89.184.66.94

Expresses interest in specific running processes (1 event)

process: potential process injection target

csrss.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2668 resumed a thread in remote process 2736
NtResumeThread Oct. 21, 2024, 1:39 p.m.	thread_handle: 0x0000032c suspend_count: 1 process_identifier: 2736	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

89.184.66.94:5655

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetectMalware
Lionic	Riskware.Win32.RemoteUtilities.1!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.vc
ALYac	Application.Generic.3808827
Cylance	Unsafe
VIPRE	Application.Generic.3808827
Sangfor	Tool.Win32.Remoteutilities.Vooi
CrowdStrike	win/grayware_confidence_90% (D)
BitDefender	Application.Generic.3808827
K7GW	Unwanted-Program ( 00578aef1 )
K7AntiVirus	Unwanted-Program ( 00578aef1 )
Arcabit	Application.Generic.D3A1E3B
Paloalto	generic.ml
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/RemoteAdmin.RemoteUtilities.W potentially unsafe
Avast	Win32:Malware-gen
Kaspersky	not-a-virus:RemoteAdmin.Win32.RemoteUtilities.fx
NANO-Antivirus	Riskware.Win32.RemoteControl.jraccs
MicroWorld-eScan	Application.Generic.3808827
Rising	Hacktool.RemoteUtilities!8.49C (CLOUD)
Emsisoft	Application.Generic.3808827 (B)
F-Secure	Trojan.TR/AVI.Agent.imskk
DrWeb	Tool.RemoteControl.20
McAfeeD	ti!6FB6CFFBC9D3
CTX	exe.remote-access-trojan.generic
Sophos	Generic Reputation PUA (PUA)
FireEye	Generic.mg.fec6019b90092723
Avira	TR/AVI.Agent.imskk
Antiy-AVL	RiskWare[RemoteAdmin]/Win32.RMS
Gridinsoft	Backdoor.Win32.Gen.tr
ZoneAlarm	not-a-virus:RemoteAdmin.Win32.RemoteUtilities.fx
GData	Application.Generic.3808827
Varist	W32/ABApplication.GMLQ-4863
McAfee	Artemis!FEC6019B9009
VBA32	Backdoor.RABased
Malwarebytes	RiskWare.RemoteManipulator
Tencent	Win32.Trojan.Remoteutilities.Gkjl
MaxSecure	Trojan.Malware.218267050.susgen
Fortinet	Riskware/RemoteAdmin_RemoteUtilities
AVG	Win32:Malware-gen
alibabacloud	Backdoor[rat]:Win/RemoteAdmin.RynbpzAQBNHNGtN

a.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All