Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 27, 2025, 10:26 a.m.	March 27, 2025, 10:30 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d444a977328b0f1b5e792a794ccd9fd0`
SHA256	`07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150`
CRC32	`8A17D6F6`
ssdeep	`24576:ru6J33O0c+JY5UZ+XC0kGso6FajYuNaeNAymutbrfYJfIcWY:Fu0c++OCvkGs9FajYulNZvJUfiY`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library FindFirstVolume_Zero - FindFirstVolume Zero CryptGenKey_Zero - CryptGenKey Zero Process_Snapshot_Kill_Zero - Process Kill Zero IsPE32 - (no description) Device_Check_Zero - Device Check Zero Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

smss.exe "C:\Users\test22\AppData\Local\Temp\smss.exe"
2548
- svchost.exe "C:\Users\test22\AppData\Local\Temp\smss.exe"
  2656
AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"
2764
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  744
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
www.855696a.xyz	CNAME ns195.l4y.cn A 45.119.52.125	45.119.52.125
www.thykingdomwear.store	A 75.2.103.23	75.2.103.23
www.headset2.online	A 156.237.132.252	156.237.132.252
www.vczuahand.xyz	A 13.248.169.48 A 76.223.54.146	13.248.169.48
www.futureedge.website	A 159.198.64.72	159.198.64.72
www.blackhat.chat	A 52.223.13.41	52.223.13.41
www.soportemx-findmy.click	A 96.126.123.244 A 198.58.118.167 A 45.33.30.197 A 45.33.23.183 A 45.79.19.196 A 72.14.185.43 A 72.14.178.174 A 45.33.20.235 A 45.56.79.23 A 45.33.2.79 A 45.33.18.44 A 173.255.194.134	72.14.185.43
www.worrr37.yachts	A 149.104.1.185	149.104.1.185
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
13.248.169.48	Active	Moloch
149.104.1.185	Active	Moloch
156.237.132.252	Active	Moloch
159.198.64.72	Active	Moloch
164.124.101.2	Active	Moloch
45.119.52.125	Active	Moloch
45.33.2.79	Active	Moloch
45.33.6.223	Active	Moloch
52.223.13.41	Active	Moloch
75.2.103.23	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 27, 2025, 10:26 a.m.			0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (16 events)

request	POST http://www.thykingdomwear.store/d4kl/
request	GET http://www.thykingdomwear.store/d4kl/?I6R=6y/7tod/VF/KHUQrV86FV1ihe0BbPNGslXhDnWhvAY/z/yk3pdRRQF6GYRzEXLwzPkLfgXQPYCfY/S6T4WCCHwFD6OSGGyFNlaGQyl1+3f4SIz7ZLJZ5qpg0iEyExcTa0BsdMD8=&ljR=Iz85YQJnHWZHac
request	GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
request	POST http://www.worrr37.yachts/1imc/
request	GET http://www.worrr37.yachts/1imc/?I6R=GkZ+7lZN5ZbT6rZAkp7cmEqKOumTFqiR2eAXidPe90Y9rybDHdv8WEO3bqVeNbApXiU349333fnXtngssFNkiuaTeAutzCI3gCL6zAngbJ7QtBnn/nQUnSrlmVSOL2qjs5+ApuY=&ljR=Iz85YQJnHWZHac
request	POST http://www.soportemx-findmy.click/ma0g/
request	GET http://www.soportemx-findmy.click/ma0g/?I6R=H2S90RmziCMvLCuKzCWRDlD3y3BtNHnT+UjWuF5QkK5TSoHa4lhKfuVBBY/xZDIxlQkHSEeXC/2MO32woOoJhNRwlvINmE2f4iVb+1X59xwMoslpnGs7ObjFC0D//e/oO9N1DbU=&ljR=Iz85YQJnHWZHac
request	POST http://www.blackhat.chat/04r3/
request	GET http://www.blackhat.chat/04r3/?I6R=n6ptdLvBCapBX+1fElutzba0a7uE9eG0wfWRjljnFiAjsKOl5dK9teWSxudrp/fd2hdpq33fNLGhTnjbgPmmmscCvJyHpqpFiDM0gpsTKvcGZKjqIPo/V0Z/+sXcSCfPLWsGCsk=&ljR=Iz85YQJnHWZHac
request	POST http://www.vczuahand.xyz/lvz4/
request	GET http://www.vczuahand.xyz/lvz4/?I6R=Xs1PCb/MaYPIPAxC7BfyCKw16Qgph55MCQOIGo7Nl8rFa4QZz+K5W1hPLI1607tRp9GgCJ7X+mzA4XqXnNSoEuvlRvhKlR8DhXdkfyq/HZqiPbu8fNkzPsjR0Pgy51mK7LA9YuI=&ljR=Iz85YQJnHWZHac
request	POST http://www.855696a.xyz/q86a/
request	GET http://www.855696a.xyz/q86a/?I6R=1RS/DLESjC/mKKX8IPepHWQ88RxDP1aCo7MGFq+OZJ2Pg2HsdXdlT2xsvmE392eXqb9P0SMm051Cq8Esu/QKUYNbRkYSrCwvHfCGfAn42Vd7BejAa9lxaTExsZlL8Og3FAv4dqc=&ljR=Iz85YQJnHWZHac
request	POST http://www.headset2.online/pl23/
request	GET http://www.headset2.online/pl23/?I6R=pwQm/8Nry++CWhwQEObW40wjaH0cvm6b9cWiDzs/wKG7gU2SU1fIKPFVOtmRZIK9fJNQxDIjM5M/HYIVgiqppyTz/0XbM+5YC9JKCqzZT3SFByiwC2iSKSo+zn41b6GRTqaovhk=&ljR=Iz85YQJnHWZHac
request	POST http://www.futureedge.website/q4wg/

Sends data using the HTTP POST Method (8 events)

request	POST http://www.thykingdomwear.store/d4kl/
request	POST http://www.worrr37.yachts/1imc/
request	POST http://www.soportemx-findmy.click/ma0g/
request	POST http://www.blackhat.chat/04r3/
request	POST http://www.vczuahand.xyz/lvz4/
request	POST http://www.855696a.xyz/q86a/
request	POST http://www.headset2.online/pl23/
request	POST http://www.futureedge.website/q4wg/

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ee000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2656 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2764 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 27, 2025, 10:27 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

AtBroker.exe tried to sleep 153 seconds, actually delayed analysis time by 153 seconds

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0005bc00', u'virtual_address': u'0x000c7000', u'entropy': 7.89632070140917, u'name': u'.rsrc', u'virtual_size': u'0x0005ba58'}

entropy

7.89632070141

description

A section with a high entropy has been found

entropy

0.314212328767

description

Overall entropy of this PE file is high

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 27, 2025, 10:26 a.m.	thread_identifier: 2660 thread_handle: 0x0000013c process_identifier: 2656 current_directory: filepath: C:\Windows\System32\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\smss.exe" filepath_r: C:\Windows\System32\svchost.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000138	1	1	0

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 called NtSetContextThread to modify thread in remote process 2656
NtSetContextThread March 27, 2025, 10:26 a.m.	registers.eip: 1995571652 registers.esp: 2031512 registers.edi: 0 registers.eax: 4199712 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000013c process_identifier: 2656	1	0	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.AutoIt.4!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	TrojanPWS.AutoIt.Zbot.S
Skyhigh	BehavesLike.Win32.Formbook.tc
Cylance	Unsafe
Sangfor	Virus.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
VirIT	Trojan.Win32.AutoIt_Heur.L
Symantec	Trojan.Malautoit!g7
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
APEX	Malicious
Avast	FileRepMalware [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Script/Injector.b8fdf53f
Rising	Trojan.Injector/Autoit!1.1294D (CLASSIC)
F-Secure	Trojan.TR/AD.Swotter.mzyvw
DrWeb	Trojan.AutoIt.1626
TrendMicro	TROJ_GEN.R06CC0DCQ25
McAfeeD	ti!07610C4FDA6B
CTX	exe.trojan.autoit
Sophos	Mal/AuItInj-C
Google	Detected
Avira	TR/AD.Swotter.mzyvw
Kingsoft	malware.kb.a.833
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Phonzy.A!ml
ZoneAlarm	Mal/AuItInj-D
GData	Win32.Trojan.Agent.IOQYDQ
Varist	W32/AutoIt.QG.gen!Eldorado
AhnLab-V3	Trojan/AU3.Loader.S2970
McAfee	Artemis!D444A977328B
DeepInstinct	MALICIOUS
Malwarebytes	Backdoor.NetWiredRC.AutoIt.Generic
Ikarus	Trojan.Autoit
Zoner	Trojan.Win32.179540
TrendMicro-HouseCall	TROJ_GEN.R06CC0DCQ25
Tencent	Script.Trojan.Generic.Rzfl
huorong	HEUR:TrojanSpy/AutoIT.Stealer.a
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	AutoIt/Injector.GKX!tr
AVG	FileRepMalware [Trj]
alibabacloud	Trojan:Win/AutoitInject.ZJC2XJC

smss.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All