Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 17, 2025, 5:14 p.m.	Jan. 17, 2025, 5:19 p.m.

Size	507.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4e7b96fe3160ff171e8e334c66c3205c`
SHA256	`e698a786c4dcd964e54903a98bfaa0638ce8f52e02658f1223805c6e3b1ca83c`
CRC32	`4FD0E60C`
ssdeep	`6144:mMqQ4i1FFiEKS5huOMGOjBbqSJvoUdy6RIQ9+F2q7N5YrKywP:XpliiqGOj4S5oUdy6WPPYWywP`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult IsPE32 - (no description) UPX_Zero - UPX packed file

schtasks.exe "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\test22\AppData\Local\Temp\ogpayload.exe" /rl HIGHEST /f
2556
schtasks.exe "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\test22\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
2884
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\DKBUAWY7Ssgv.bat" "
2956
- chcp.com chcp 65001
  3020
- PING.EXE ping -n 10 localhost
  3064
- comctl32.exe "C:\Users\test22\AppData\Roaming\Windows Defender\comctl32.exe"
  1692

Name	Response	Post-Analysis Lookup
ip-api.com	A 208.95.112.1	208.95.112.1
gamwtonxristo.ddns.net

IP Address	Status	Action
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2054141	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)	Device Retrieving External IP Address Detected
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2054141	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 208.95.112.1:80	2036383	ET MALWARE Common RAT Connectivity Check Observed	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 208.95.112.1:80	2036383	ET MALWARE Common RAT Connectivity Check Observed	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49162 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 8.8.8.8:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Jan. 17, 2025, 5:14 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Jan. 17, 2025, 5:15 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 17, 2025, 5:16 p.m.			0	0
IsDebuggerPresent Jan. 17, 2025, 5:16 p.m.			0	0

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 17, 2025, 5:14 p.m.	buffer: SUCCESS: The scheduled task "Windows Defender Startup Scan" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Jan. 17, 2025, 5:15 p.m.	buffer: SUCCESS: The scheduled task "Windows Defender Startup Scan" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Jan. 17, 2025, 5:15 p.m.	buffer: DONT CLOSE THIS WINDOW! console_handle: 0x00000007	1	1
WriteConsoleW Jan. 17, 2025, 5:16 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 17, 2025, 5:15 p.m.	buffer: Active code page: 65001 console_handle: 0x00000013	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 17, 2025, 5:16 p.m.		1	1	0

Connects to a Dynamic DNS Domain (1 event)

domain

gamwtonxristo.ddns.net

Performs some HTTP requests (1 event)

request

GET http://ip-api.com/json/

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 17, 2025, 5:16 p.m.	process_identifier: 1692 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2025, 5:16 p.m.	process_identifier: 1692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2025, 5:16 p.m.	process_identifier: 1692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72841000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2025, 5:16 p.m.	process_identifier: 1692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72842000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2025, 5:16 p.m.	process_identifier: 1692 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02110000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2025, 5:16 p.m.	process_identifier: 1692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02280000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2025, 5:16 p.m.	process_identifier: 1692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2025, 5:16 p.m.	process_identifier: 1692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2025, 5:16 p.m.	process_identifier: 1692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2025, 5:16 p.m.	process_identifier: 1692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2025, 5:16 p.m.	process_identifier: 1692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2025, 5:16 p.m.	process_identifier: 1692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2025, 5:16 p.m.	process_identifier: 1692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2025, 5:16 p.m.	process_identifier: 1692 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Looks up the external IP address (1 event)

domain

ip-api.com

Yara rule detected in process memory (32 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping -n 10 localhost
cmdline	chcp 65001

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2956 resumed a thread in remote process 1692
NtResumeThread Jan. 17, 2025, 5:16 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 1692	1	0	0

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.MSIL.Agent.mCnJ
MicroWorld-eScan	Generic.MSIL.PasswordStealerA.5BBF9CD0
CAT-QuickHeal	Trojan.Ghanarava.1737091955c3205c
Skyhigh	PWS-FCOI!4E7B96FE3160
ALYac	Generic.MSIL.PasswordStealerA.5BBF9CD0
Cylance	Unsafe
VIPRE	Generic.MSIL.PasswordStealerA.5BBF9CD0
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Generic.MSIL.PasswordStealerA.5BBF9CD0
K7GW	Trojan ( 00521dab1 )
K7AntiVirus	Trojan ( 00521dab1 )
Arcabit	Generic.MSIL.PasswordStealerA.5BBF9CD0
VirIT	Trojan.Win32.MSIL_Heur.B
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Trojan.Quasarrat
ESET-NOD32	a variant of MSIL/Spy.Agent.AES
APEX	Malicious
Avast	MSIL:Rat-B [Trj]
Kaspersky	Trojan.MSIL.Agent.foww
Alibaba	Backdoor:MSIL/QuasarRAT.afa3ce65
NANO-Antivirus	Trojan.Win32.Ric.fplkvu
Rising	Backdoor.xRAT!1.D01D (CLASSIC)
Emsisoft	Generic.MSIL.PasswordStealerA.5BBF9CD0 (B)
F-Secure	Trojan:w32/QuasarRAT.A1
DrWeb	Trojan.DownLoader27.59888
Zillya	Trojan.Agent.Win32.1091313
TrendMicro	TSPY_TINCLEX.SM1
McAfeeD	ti!E698A786C4DC
CTX	exe.trojan.msil
Sophos	ATK/Zaquar-D
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.4e7b96fe3160ff17
Jiangmin	Trojan.Generic.ajfvk
Google	Detected
Avira	HEUR/AGEN.1307329
Antiy-AVL	Trojan/MSIL.Agent
Kingsoft	MSIL.Trojan.Agent.foww
Gridinsoft	Trojan.Win32.Agent.sa
Microsoft	Backdoor:MSIL/Quasar.GG!MTB
GData	MSIL.Backdoor.Quasar.D
Varist	W32/MSIL_Mintluks.A.gen!Eldorado
AhnLab-V3	Trojan/Win32.Xiclog.C2265746
McAfee	PWS-FCOI!4E7B96FE3160
DeepInstinct	MALICIOUS
VBA32	Trojan.MSIL.Quasar.Heur
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Backdoor.QuasarRat
Panda	Trj/CI.A

ogpayload.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All