Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 19, 2025, 11:22 a.m.	Feb. 19, 2025, 11:30 a.m.

Size	282.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`40a3b67a99299a4f0f3a352b4f7739c9`
SHA256	`809b7be978ee80d9b15169c9cc55a568b1a310879a4e024069f1e338470a04c9`
CRC32	`CEC0A9AC`
ssdeep	`6144:jh1qx/eWzTVfGA76zxOJwldxd6DVMZ1X3sMFgNQRQIeSTFzTwis:l1O/eWfQRxdUIgNQuIXPls`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

ik.exe "C:\Users\test22\AppData\Local\Temp\ik.exe"
2564
icacls.exe "C:\Windows\SysWOW64\icacls.exe"
2792
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2104
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
www.82765.ltd	A 103.42.144.142 A 43.251.56.161 A 103.117.135.13 CNAME an05-prod-x.cdn-ng.net
www.rds845.shop	A 148.72.247.70 CNAME rds845.shop
www.zkderby.xyz	A 76.223.54.146 A 13.248.169.48
www.blissfuljo.life	A 162.0.225.218
www.031234103.xyz	A 144.76.229.203 CNAME 031234103.xyz
www.bjogo.top	A 156.224.194.237
www.sqlite.org	A 45.33.6.223
www.birbacher.online	CNAME birbacher.online A 217.160.0.24

IP Address	Status	Action
103.42.144.142	Active	Moloch
144.76.229.203	Active	Moloch
148.72.247.70	Active	Moloch
156.224.194.237	Active	Moloch
162.0.225.218	Active	Moloch
164.124.101.2	Active	Moloch
217.160.0.24	Active	Moloch
45.33.6.223	Active	Moloch
76.223.54.146	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49174 -> 162.0.225.218:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 156.224.194.237:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 144.76.229.203:80	2031189	ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing	Misc activity
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2027867	ET INFO Observed DNS Query to .life TLD	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 162.0.225.218:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (15 events)

request	POST http://www.rds845.shop/h0nr/
request	GET http://www.rds845.shop/h0nr/?Rmyfu=5SMA7S/38P4RaRgCp3VO1tw2rROs9wah4HH5Q6yYr3Nu4ZqcK75SUzG8TXPdlVkL75Uc/7uyt+ZBxF8Sx8kUuaqQBEx7a3bwhtWi8pbBN6KWtUApBidRHQ/G3KkasTH6o4wmaSg=&3K=dJI58bJxQ
request	GET http://www.sqlite.org/2019/sqlite-dll-win32-x86-3280000.zip
request	POST http://www.82765.ltd/59d5/
request	GET http://www.82765.ltd/59d5/?Rmyfu=qiWz9HwqJLKnYi7JlC6qkRM9oNVOe4dAvB5Yj2dX6M9d0oXA3FTQuLckJRO7ZlKIhJbHCMmlfOuDN9YpFc7H3lclNb/Uy7Zdu1Mg4MyeDmJL6C9SantxWX3ypDcfwQ2eRaZ57U8=&3K=dJI58bJxQ
request	POST http://www.blissfuljo.life/p8fe/
request	GET http://www.blissfuljo.life/p8fe/?Rmyfu=nweR1c0XBtkzZggi0v3dr9kB4xCEwoCGMBQNH/aYwX8LuhjLbL5HUgqXwTet0aQ44oxYgp72GiDpetq5GT3VFYsxr5RBWjhs308QLFo3+dsZTQkp8hunF2AzxzIui5HbDfaQI0w=&3K=dJI58bJxQ
request	POST http://www.031234103.xyz/6gd2/
request	GET http://www.031234103.xyz/6gd2/?Rmyfu=eDwP/8dm6CwnhXuB5IJF6tcmrP8qMyRusivP8vJ/CAl0CGhAGK7mzvA4v30eghRxdOMQU1afgYEQdjgAooUx1K4I/phOYtNowfmzMvro50gabBLkO4mInrSdt2aBNeYGRLrQQ4U=&3K=dJI58bJxQ
request	POST http://www.zkderby.xyz/bqyq/
request	GET http://www.zkderby.xyz/bqyq/?Rmyfu=Z6W2Due/iFNSY6roA058AuqdLgygAHlj29B3DLhDfw5gzakQrGCVCfu5pLO3yHC2Q5prfxENXL60nad/MKUoC8UQrxa2M0+WRd3DYf4bgsYWClNewfklrWL3J7GXJ+tZq73l4I4=&3K=dJI58bJxQ
request	POST http://www.bjogo.top/0ekp/
request	GET http://www.bjogo.top/0ekp/?Rmyfu=pV4l2sJ5SKTfO2UKe3vpYQms7oDV9Z1ZTd//bSk12oBNtulDh+GDNLKspI2ybbM6Ulb9MujLBOrC2bz5gPibbXkxWVg5NcqV4sd6rfkPD23v8QrCPt85paxIo96ZJG6eSxv1+xA=&3K=dJI58bJxQ
request	POST http://www.birbacher.online/os5r/
request	GET http://www.birbacher.online/os5r/?Rmyfu=231uHx8vc2OXjfRp9MqGfmAfw0ORoc0FHs1yPQI+Y8FHV11jaHQ2ftygF7Z20+LhG+hwvpvPffWcTqqpG/gNLui17mhEo7YUi96xAksmd+3++erClo3DLaj5tFD9ebrkUZzk9Dk=&3K=dJI58bJxQ

Sends data using the HTTP POST Method (7 events)

request	POST http://www.rds845.shop/h0nr/
request	POST http://www.82765.ltd/59d5/
request	POST http://www.blissfuljo.life/p8fe/
request	POST http://www.031234103.xyz/6gd2/
request	POST http://www.zkderby.xyz/bqyq/
request	POST http://www.bjogo.top/0ekp/
request	POST http://www.birbacher.online/os5r/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.bjogo.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 278528 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b33000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 12288 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b31000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2564 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 11:22 a.m.	process_identifier: 2792 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 19, 2025, 11:23 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000047b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

icacls.exe tried to sleep 138 seconds, actually delayed analysis time by 138 seconds

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00045800', u'virtual_address': u'0x00001000', u'entropy': 7.9946472254209695, u'name': u'.text', u'virtual_size': u'0x00045644'}

entropy

7.99464722542

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data

ik.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All