Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 15, 2021, 4:58 p.m.	March 15, 2021, 5 p.m.

Size	154.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`d06fb902ada1dcc76a186526c8db519b`
SHA256	`dff67ae0837d545f7f7f553f09ef3c1aa7dbe3674188cecda3e18e214a79b483`
CRC32	`D6A75566`
ssdeep	`3072:rPKubXVLcIcEYcyMXrvp7hduCAlFyvRJlcGRprOr8aqhGn8CQZ0Kip0Yt:rPKyLLLXrv4KvRPN7OrzWtZFip0Yt`
Yara	PE_Header_Zero - PE File Signature Zero Generic_Malware_Zero - Generic Malware escalate_priv - Escalade priviledges screenshot - Take screenshot win_registry - Affect system registries win_token - Affect system token win_private_profile - Affect private profile win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasRichSignature - Rich Signature Check

winlog2.exe "C:\Users\test22\AppData\Local\Temp\winlog2.exe"
2648
- winlog2.exe "C:\Users\test22\AppData\Local\Temp\winlog2.exe"
  2428

Name	Response	Post-Analysis Lookup
seafirst-kr.com	A 52.6.206.192	52.6.206.192

IP Address	Status	Action
164.124.101.2	Active	Moloch
52.6.206.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49203 -> 52.6.206.192:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49203 -> 52.6.206.192:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 52.6.206.192:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.101:49203 -> 52.6.206.192:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 15, 2021, 4:58 p.m.	computer_name: TEST22-PC	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 15, 2021, 4:58 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, HTTP version 1.0 used

suspicious_request

POST http://seafirst-kr.com/zoro/zoro5/fre.php

Performs some HTTP requests (1 event)

request

POST http://seafirst-kr.com/zoro/zoro5/fre.php

Sends data using the HTTP POST Method (1 event)

request

POST http://seafirst-kr.com/zoro/zoro5/fre.php

Steals private information from local Internet browsers (19 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsn6338.tmp\u8nbv.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsn6338.tmp\u8nbv.dll

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW March 15, 2021, 4:58 p.m.	snapshot_handle: 0x000001e8 process_name: taskhost.exe process_identifier: 2984	1	1	0
Process32NextW March 15, 2021, 4:58 p.m.	snapshot_handle: 0x000001e8 process_name: winlog2.exe process_identifier: 2648	1	1	0

Potentially malicious URLs were found in the process memory dump (5 events)

url	http://purl.org/rss/1.0/
url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://nsis.sf.net/NSIS_Error
url	http://www.passport.com
url	http://www.ibsensoftware.com/

Yara rule detected in process memory (44 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Hijack network configuration	rule	hijack_network
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Harvests credentials from local FTP client softwares (22 events)

file	C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\test22\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Program Files (x86)\FileZilla\Filezilla.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry	HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry	HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry	HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_CURRENT_USER\Software\Martin Prikryl
registry	HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Harvests credentials from local email clients (3 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2648 called NtSetContextThread to modify thread in remote process 2428
NtSetContextThread March 15, 2021, 4:58 p.m.	registers.eip: 2000355780 registers.esp: 1638384 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000021c process_identifier: 2428	1	0	0

Putty Files, Registry Keys and/or Mutexes Detected

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Barys.112835
FireEye	Generic.mg.d06fb902ada1dcc7
ALYac	Gen:Variant.Barys.112835
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Backdoor:Win32/Androm.91f3d7cb
K7GW	Trojan ( 005790e61 )
CrowdStrike	win/malicious_confidence_80% (W)
Cyren	W32/Injector.AFV.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
TrendMicro-HouseCall	TROJ_GEN.R002H0CCC21
Avast	Win32:InjectorX-gen [Trj]
Kaspersky	HEUR:Backdoor.Win32.Androm.gen
BitDefender	Gen:Variant.Barys.112835
Paloalto	generic.ml
APEX	Malicious
Ad-Aware	Gen:Variant.Barys.112835
Emsisoft	Gen:Variant.Barys.112835 (B)
DrWeb	Trojan.PWS.Siggen2.62814
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Vopak.cc
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Injector
ESET-NOD32	a variant of Win32/Injector.EOVH
Avira	TR/AD.LokiBot.btkar
Kingsoft	Win32.Hack.Undef.(kcloud)
Microsoft	Trojan:Win32/AgentTesla.PC!MTB
Gridinsoft	Trojan.Win32.Downloader.oa
AegisLab	Trojan.Win32.Androm.m!c
GData	Gen:Variant.Barys.112835
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Nsis.C4371168
McAfee	RDN/Generic.cf
MAX	malware (ai score=100)
Malwarebytes	Trojan.Dropper.NSIS
Rising	Trojan.Injector!8.C4 (CLOUD)
SentinelOne	Static AI - Suspicious PE
Fortinet	W32/Injector.AFS!tr
AVG	Win32:InjectorX-gen [Trj]
Cybereason	malicious.25fd2c
Panda	Trj/CI.A
Qihoo-360	Win32/Trojan.LokiBot.HoMASQsA

winlog2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All