Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 12, 2025, 11:25 a.m.	March 12, 2025, 11:29 a.m.

Size	41.5KB
Type	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
MD5	`bb0970d3af844bdb3252e4d471f1bf7a`
SHA256	`0e5a52ab7b26d9c7cc4f617cd9ab7a3603cd0c151ec7c5de7808c48c8d274e9c`
CRC32	`B1C76F1E`
ssdeep	`768:7zeNUS1Ex8/m3183PMEGnR7SbBJkC6w9dk1Xw8TO:n3SOC/C2EEGnBS3kC6wrk1A8S`
Yara	IsELF - Executable and Linking Format executable file (Linux/Unix)

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "dLDFydA" C:\Users\test22\AppData\Local\Temp\GoldAge3ATOm68k
1476
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\GoldAge3ATOm68k
  2112
  - editplus.exe "editplus.exe"
    2564

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.33.6.223	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 12, 2025, 11:25 a.m.			0	0
IsDebuggerPresent March 12, 2025, 11:25 a.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	c:\program files\mozilla firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 12, 2025, 11:25 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 12, 2025, 11:25 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2025, 11:25 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74191000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2025, 11:25 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74511000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2025, 11:25 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74391000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2025, 11:25 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74091000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2025, 11:25 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74361000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2025, 11:25 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2025, 11:25 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 12, 2025, 11:25 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74301000 process_handle: 0xffffffff	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

45.33.6.223

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1476 resumed a thread in remote process 2112
NtResumeThread March 12, 2025, 11:25 a.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2112	1	0	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Lionic	Trojan.Linux.Mirai.K!c
Cynet	Malicious (score: 99)
CTX	elf.trojan.mirai
Skyhigh	Linux/mirai.d
ALYac	Trojan.Linux.Mirai.1
VIPRE	Trojan.Linux.Mirai.1
Sangfor	Suspicious.Linux.Save.a
Arcabit	Trojan.Linux.Mirai.1
VirIT	Linux.Mirai.YF
Symantec	Linux.Mirai!g2
ESET-NOD32	a variant of Linux/Mirai.BC
TrendMicro-HouseCall	Possible_MIRAI.SMLBO14
Avast	ELF:Mirai-JW [Trj]
ClamAV	Unix.Trojan.Mirai-6981989-0
Kaspersky	HEUR:Backdoor.Linux.Mirai.ba
BitDefender	Trojan.Linux.Mirai.1
MicroWorld-eScan	Trojan.Linux.Mirai.1
Rising	Backdoor.Mirai/Linux!1.128EC (CLASSIC)
Emsisoft	Trojan.Linux.Mirai.1 (B)
F-Secure	Exploit.EXP/ELF.Mirai.Bootnet.o
DrWeb	Linux.Mirai.629
TrendMicro	Possible_MIRAI.SMLBO14
Sophos	Linux/DDoS-CI
Ikarus	Trojan.Linux.Mirai
FireEye	Trojan.Linux.Mirai.1
Google	Detected
Avira	EXP/ELF.Mirai.Bootnet.o
Antiy-AVL	Trojan[Backdoor]/Linux.Mirai.ba
Microsoft	Backdoor:Linux/Mirai.BO!xp
ZoneAlarm	Linux/DDoS-CI
Avast-Mobile	ELF:Mirai-KL [Trj]
GData	Linux.Trojan.Mirai.J
Varist	E32/ABApplication.POT
AhnLab-V3	Linux/Mirai.Gen3
McAfee	Linux/mirai.d
Tencent	Backdoor.Linux.Mirai.wba
huorong	Trojan/Linux.Mirai.d
Fortinet	ELF/Mirai.AT!tr
AVG	ELF:Mirai-JW [Trj]
alibabacloud	Trojan:Linux/Mirai.O

GoldAge3ATOm68k

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All