Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 9, 2021, 3:21 p.m.	March 9, 2021, 3:23 p.m.

Size	439.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`94016e834271793465e36252c9d2f73e`
SHA256	`3165b8d9ba511ac3f03f759a1cd159f268bbe7600eb9949cfd60142acecb25eb`
CRC32	`95FEAF85`
ssdeep	`6144:fVLR9m5AiNLMZl08H7vYZQ+UPnynkJjSy0yxQcGCMs:fVdGkNHkG+Gny2S8QU`
Yara	IsPE32 - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check win_mutex - Create or check mutex win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero

st.exe "C:\Users\test22\AppData\Local\Temp\st.exe"
3016
- st.exe "C:\Users\test22\AppData\Local\Temp\st.exe"
  1452

Name	Response	Post-Analysis Lookup
api.ipify.org	A 50.19.96.218 A 23.21.140.41 A 23.21.252.4 A 50.19.242.215 CNAME nagano-19599.herokussl.com A 54.225.129.141 A 50.19.252.36 A 54.221.253.252 A 23.21.126.66 CNAME elb097307-934924932.us-east-1.elb.amazonaws.com	54.235.189.250

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.67.231.4	Active	Moloch
50.19.252.36	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49204 -> 50.19.252.36:80	2029622	ET POLICY External IP Lookup (ipify .org)	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 9, 2021, 3:21 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.yuwufud

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://api.ipify.org/?format=xml

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 3016 region_size: 155648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 3016 region_size: 278528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Looks up the external IP address (1 event)

domain

api.ipify.org

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002b000', u'virtual_address': u'0x00010000', u'entropy': 7.576774463773192, u'name': u'.data', u'virtual_size': u'0x001a3f08'}

entropy

7.57677446377

description

A section with a high entropy has been found

entropy

0.392694063927

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (50 out of 991 events)

url	https://ssl.pstatic.net/tveta/libs/1287/1287046/6df1cc02334922baa2d4_20200806172035021.jpg
url	https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url	https://fonts.gstatic.com/s/lato/v16/S6uyw4BMUTPHjx4wWA.woff
url	http://google.com/
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38528621599152653.jpeg%22
url	https://s.pstatic.net/static/www/mobile/edit/2020/0804/cropImg_728x360_38481254551659019.jpeg
url	https://ssl.pstatic.net/tveta/libs/assets/js/common/min/probe.min.js
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic1.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0806%2FcropImg_222x145_38626953912837677.png%22
url	https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
url	http://search.naver.com/search.naver?sm=tab_hty.top
url	http://www.snee.com/xml/xslt/sample.doc
url	http://www.yceml.net/0559/10408495-1499411010011
url	https://s.pstatic.net/static/www/mobile/edit/2018/0206/cropImg_166x108_118371466370743504.jpeg
url	https://s.pstatic.net/static/newsstand/up/2020/0615/nsd10319824.png
url	https://fonts.gstatic.com/s/catamaran/v7/o-0bIpQoyXQa2RxT7-5B6Ryxs2E_6n1iPHjd5a7dvQ.woff
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38552809772500435.jpeg%22
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/controls.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	https://ssl.pstatic.net/static/pwe/nm/b.gif
url	https://castbox.shopping.naver.com/js/lazyload.js
url	https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url	https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2Fmobile_17061525298c.jpg%22
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/955.png
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/056.png
url	http://www.buzzadnetwork.com/jump/next.php?stamat=m%7CM-4iM-4jaQdHQBH0dEdHP3xP.0e7%2CboDB7XrVJDfRqYwVNhmAc8QRCrIuseXl_bWuTf_latOFYiGEzPpb7ikp5t8RPmTHyMRYDe1i9EJZLC6LSuccW1-YPggnMxkcwVirdNVGfgK3hFUbeKvFvqNv0-u8VxfrNUFB1gFhMN_8GLCn1znxf5_p0FJe0MYRI7nbfyajoqg_H3fvzrjsMsC0vAMYn2un8v5vcBfzwM-DewoZ7WId7geGlrySfAHx5KiJ5Hm90CU%2C
url	https://s.pstatic.net/shopping.phinf/20200720_22/e2297359-375a-403a-86c5-44ff86c708fc.jpg
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png
url	https://tistory3.daumcdn.net/tistory/807805/skin/images/footerbg.jpg
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png
url	https://file-examples-com.github.io/uploads/2017/02/file-sample_1MB.doc
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/825.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/327.png
url	https://fonts.gstatic.com/s/catamaran/v7/o-0bIpQoyXQa2RxT7-5B6Ryxs2E_6n1iPHjc5a7dvQ.woff
url	http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
url	http://www.e-szigno.hu/SZSZ/0
url	https://mail.naver.com/js_src/com/nhncorp/mail/write/se2_new/smart_editor2_inputarea_ie8.html?version=20190704
url	https://static.nid.naver.com/loginv3/img/sp_login_20150113.gif
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/031.png
url	https://tpc.googlesyndication.com/pagead/images/abg/icon.png
url	http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
url	http://www.quovadis.bm0
url	http://crl.securetrust.com/STCA.crl0
url	https://search.pstatic.net/common/?src=http%3A%2F%2Fcafefiles.naver.net%2FMjAxNzExMDdfODcg%2FMDAxNTEwMDY0OTYzNTA5.y-bJj3BgRC8r80hM6EblWFHSqawqo5-vMJAzHBN6rEkg.vAPtUzoeY8mHPRaMuejD3HrMtW5xgv-cdeEaAc0q2Rog.PNG.flashcs7%2FScreenshot_2017-11-07-22-55-08.png%23600x1024
url	https://www.gstatic.com/m/images/sy_stars_9.gif
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/dragdrop.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	https://phinf.pstatic.net/contact/20190113_166/1547312816315t3o9l_JPEG/image.JPEG?type=s80

Yara rule detected in process memory (50 out of 102 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Take screenshot	rule	screenshot
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Hijack network configuration	rule	hijack_network
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over Toredo network	rule	network_toredo
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI

Communicates with host for which no DNS query was performed (1 event)

host

45.67.231.4

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 1452 region_size: 290816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 9, 2021, 3:21 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1452 process_handle: 0x00000080	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3016 called NtSetContextThread to modify thread in remote process 1452
NtSetContextThread March 9, 2021, 3:21 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4199552 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 1452	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3016 resumed a thread in remote process 1452
NtResumeThread March 9, 2021, 3:21 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 1452	1	0	0

Executed a process and injected code into it, probably while unpacking (7 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 9, 2021, 3:21 p.m.	thread_identifier: 1812 thread_handle: 0x0000007c process_identifier: 1452 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\st.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\st.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\st.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread March 9, 2021, 3:21 p.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection March 9, 2021, 3:21 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 1452 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory March 9, 2021, 3:21 p.m.	process_identifier: 1452 region_size: 290816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory March 9, 2021, 3:21 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1452 process_handle: 0x00000080	1	1
NtSetContextThread March 9, 2021, 3:21 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4199552 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 1452	1	0
NtResumeThread March 9, 2021, 3:21 p.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 1452	1	0

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	DeepScan:Generic.Andromeda.A9DBC031
FireEye	Generic.mg.94016e8342717934
ALYac	DeepScan:Generic.Andromeda.A9DBC031
Cylance	Unsafe
Zillya	Trojan.Tepfer.Win32.94290
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00573e301 )
Alibaba	TrojanPSW:Win32/Kryptik.9cc75cc5
K7GW	Trojan ( 00573e301 )
Cybereason	malicious.342717
Arcabit	DeepScan:Generic.Andromeda.A9DBC031
Cyren	W32/Kryptik.CON.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:DropperX-gen [Drp]
ClamAV	Win.Packed.Mint-9812519-0
Kaspersky	HEUR:Trojan-PSW.Win32.Tepfer.gen
BitDefender	DeepScan:Generic.Andromeda.A9DBC031
NANO-Antivirus	Trojan.Win32.Tepfer.igirvk
Paloalto	generic.ml
Rising	Trojan.Kryptik!1.CF77 (CLOUD)
Ad-Aware	DeepScan:Generic.Andromeda.A9DBC031
Sophos	Mal/Generic-R + Troj/AutoG-KJ
Comodo	Malware@#20ancth38ve6o
F-Secure	Trojan.TR/Crypt.Agent.clrko
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0WKT20
McAfee-GW-Edition	BehavesLike.Win32.Swisyn.gm
Emsisoft	Trojan.Crypt (A)
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.Agent.czuv
Webroot	W32.Trojan.ProcessHijack.By1@aq
Avira	TR/Crypt.Agent.clrko
Antiy-AVL	Trojan[PSW]/Win32.Tepfer
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Kryptik.oa
Microsoft	Trojan:Win32/Azorult.FW!rfn
ZoneAlarm	HEUR:Trojan-PSW.Win32.Tepfer.gen
GData	DeepScan:Generic.Andromeda.A9DBC031
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Glupteba.R356808
Acronis	suspicious
McAfee	Lockbit-GCZ!94016E834271
MAX	malware (ai score=87)
VBA32	BScope.Exploit.Shellcode
Malwarebytes	Glupteba.Backdoor.Bruteforce.DDS
ESET-NOD32	a variant of Win32/Kryptik.HHUR
TrendMicro-HouseCall	TROJ_GEN.R002C0WKT20

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (41 events)

dead_host	192.168.56.101:49222
dead_host	192.168.56.101:49231
dead_host	192.168.56.101:49233
dead_host	192.168.56.101:49211
dead_host	192.168.56.101:49242
dead_host	192.168.56.101:49206
dead_host	192.168.56.101:49219
dead_host	192.168.56.101:49237
dead_host	192.168.56.101:49215
dead_host	192.168.56.101:49223
dead_host	192.168.56.101:49224
dead_host	192.168.56.101:49234
dead_host	192.168.56.101:49243
dead_host	192.168.56.101:49207
dead_host	192.168.56.101:49228
dead_host	192.168.56.101:49238
dead_host	192.168.56.101:49208
dead_host	192.168.56.101:49216
dead_host	192.168.56.101:49212
dead_host	192.168.56.101:49225
dead_host	192.168.56.101:49235
dead_host	192.168.56.101:49220
dead_host	192.168.56.101:49229
dead_host	192.168.56.101:49239
dead_host	192.168.56.101:49209
dead_host	192.168.56.101:49240
dead_host	192.168.56.101:49217
dead_host	192.168.56.101:49213
dead_host	192.168.56.101:49226
dead_host	192.168.56.101:49244
dead_host	192.168.56.101:49221
dead_host	192.168.56.101:49230
dead_host	192.168.56.101:49232
dead_host	192.168.56.101:49210
dead_host	45.67.231.4:80
dead_host	192.168.56.101:49241
dead_host	192.168.56.101:49205
dead_host	192.168.56.101:49218
dead_host	192.168.56.101:49236
dead_host	192.168.56.101:49214
dead_host	192.168.56.101:49227

st.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All