Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 5, 2025, 10:09 a.m.	March 5, 2025, 10:11 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`868c0a40cf4219a47ee081ade911a8f7`
SHA256	`94f7b6ca0c9eb367ba69c62ae590111956785e1478311ac55f7af0f262b0eb63`
CRC32	`ADDA7301`
ssdeep	`24576:fu6J33O0c+JY5UZ+XC0kGso6Fa6iD/V0OqNtyUrgWY:pu0c++OCvkGs9Fa6I0OCXY`
Yara	Malicious_Library_Zero - Malicious_Library Process_Snapshot_Kill_Zero - Process Kill Zero PE_Header_Zero - PE File Signature FindFirstVolume_Zero - FindFirstVolume Zero CryptGenKey_Zero - CryptGenKey Zero Device_Check_Zero - Device Check Zero IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

cssess.exe "C:\Users\test22\AppData\Local\Temp\cssess.exe"
2556
- svchost.exe "C:\Users\test22\AppData\Local\Temp\cssess.exe"
  2656
calc.exe "C:\Windows\SysWOW64\calc.exe"
2736
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  3004
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
www.statusq.studio	CNAME statusq.studio A 13.248.243.5	13.248.243.5
www.vaishnavi.xyz	A 92.204.40.98	92.204.40.98
www.needethereum.xyz	A 13.248.169.48 A 76.223.54.146	13.248.169.48
www.multo.xyz	A 76.223.54.146 A 13.248.169.48	13.248.169.48
www.jplttj.info	A 47.83.1.90	47.83.1.90
www.temecula.deals	A 3.33.130.190 A 15.197.148.33 CNAME temecula.deals	15.197.148.33
www.pond-magic.shop	CNAME pond-magic.shop A 15.197.148.33 A 3.33.130.190	15.197.148.33
www.anartisthuman.info	A 208.91.197.27	208.91.197.27
www.zeniow.xyz	A 209.74.77.230	209.74.77.230
www.sqlite.org	A 45.33.6.223	45.33.6.223
www.agistaking.xyz	A 13.248.169.48 A 76.223.54.146	13.248.169.48

IP Address	Status	Action
13.248.169.48	Active	Moloch
13.248.243.5	Active	Moloch
15.197.148.33	Active	Moloch
164.124.101.2	Active	Moloch
208.91.197.27	Active	Moloch
209.74.77.230	Active	Moloch
3.33.130.190	Active	Moloch
45.33.6.223	Active	Moloch
47.83.1.90	Active	Moloch
76.223.54.146	Active	Moloch
92.204.40.98	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 5, 2025, 10:09 a.m.			0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 5, 2025, 10:09 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 5, 2025, 10:09 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009ba000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 5, 2025, 10:09 a.m.	process_identifier: 2656 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 5, 2025, 10:09 a.m.	process_identifier: 2736 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02170000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 5, 2025, 10:10 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

calc.exe tried to sleep 162 seconds, actually delayed analysis time by 162 seconds

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0005be00', u'virtual_address': u'0x000c7000', u'entropy': 7.901697480570351, u'name': u'.rsrc', u'virtual_size': u'0x0005bdbc'}

entropy

7.90169748057

description

A section with a high entropy has been found

entropy

0.314505776637

description

Overall entropy of this PE file is high

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 5, 2025, 10:09 a.m.	thread_identifier: 2660 thread_handle: 0x0000012c process_identifier: 2656 current_directory: filepath: C:\Windows\System32\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\cssess.exe" filepath_r: C:\Windows\System32\svchost.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000128	1	1	0

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 called NtSetContextThread to modify thread in remote process 2656
NtSetContextThread March 5, 2025, 10:09 a.m.	registers.eip: 1995571652 registers.esp: 2292040 registers.edi: 0 registers.eax: 4199360 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000012c process_identifier: 2656	1	0	0

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Autoit.4!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Ghanarava.174107623811a8f7
Skyhigh	BehavesLike.Win32.Formbook.tc
Cylance	Unsafe
VIPRE	Trojan.GenericKD.75928506
Sangfor	Virus.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.75928506
Arcabit	Trojan.Generic.D48693BA
VirIT	Trojan.Win32.AutoIt_Heur.L
Symantec	Trojan.Malautoit!g7
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.Autoit.GXN
APEX	Malicious
Avast	Script:SNH-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Win32/AutoitInject.d6aa8bff
MicroWorld-eScan	Trojan.GenericKD.75928506
Rising	Trojan.Injector/Autoit!1.1294D (CLASSIC)
Emsisoft	Trojan.GenericKD.75928506 (B)
F-Secure	Trojan.TR/AutoIt.yqokl
McAfeeD	ti!94F7B6CA0C9E
CTX	exe.trojan.autoit
Sophos	Mal/Generic-S
FireEye	Generic.mg.868c0a40cf4219a4
Google	Detected
Avira	TR/AutoIt.yqokl
Antiy-AVL	Trojan/Win32.AutoitInject
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Ransom.Win32.Zbot.sa
Microsoft	Trojan:Win32/AutoitInject!rfn
ViRobot	Trojan.Win.Z.Netwiredrc.1197568
GData	Win32.Trojan.Agent.4QD5WU
Varist	W32/AutoIt.YQ.gen!Eldorado
AhnLab-V3	Trojan/AU3.Loader.S2970
McAfee	Artemis!868C0A40CF42
DeepInstinct	MALICIOUS
VBA32	Trojan.Autoit.Paket
Malwarebytes	Backdoor.NetWiredRC.AutoIt.Generic
Ikarus	Trojan.Win32.Injector
Panda	Trj/CI.A
Zoner	Trojan.Win32.179540
TrendMicro-HouseCall	TROJ_GEN.R06CH01C325
Tencent	Script.Trojan.Generic.Ekjl
huorong	HEUR:TrojanSpy/AutoIT.Stealer.a
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Injector_Autoit.GXN!tr
AVG	Script:SNH-gen [Trj]

cssess.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All