Report - 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.exe

Netfilter rootkit UPX AntiDebug AntiVM OS Processor Check PE32 PE File PE64
Created 2021.06.29 10:31 Machine s1_win7_x6401
Filename 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score 7
Behavior Score 6.8
ZERO API file : clean
VT API (file) 59 detected (AIDetect, malware1, malicious, high confidence, Stantinko, NetFilter, Redcap, Razy, GXDA, score, Dwju, Malware@#wv4raa3b2g59, DownLoader38, FETNILTER, Gorf, dfmd, npxau, ai score=88, ASMalwS, kcloud, Ransomware, Unsafe, CLASSIC, Hl39d0P, Static AI, Suspicious PE, InvalidSig, GdSda, confidence, 100%, susgen)
md5 145e3c224e4ecaf26d4638efb9d622a7
sha256 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89
ssdeep 6144:+zhRwaGlf2ofbRuNPMxJZWWXR6UVUmxTOdbRnveIks9HRizWtlJVv:+zLE3TRuNP8cU0UVUCINWns9QW/JVv
imphash 70621d2ef55d2dd65a1fa41928fe3d0f
impfuzzy 48:Uk1pXOeCKx361AlhHOGcJOugpZqTE+GgVhre:53XTCKI1+hHOGcguAmfC
Signature (13cnts)

Level Description
danger File has been identified by 59 AntiVirus engines on VirusTotal as malicious
warning Stops Windows services
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch Loads a driver
watch Resumed a suspended thread in a remote process, potentially indicative of process injection
notice A process created a hidden window
notice An executable file was downloaded by the process 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.exe
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Command line console output was observed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (17cnts)

Level Name Description Collection
danger MAL_Netfilter_Dropper_Jun_2021_1 Detect the dropper of Netfilter rootkit binaries (download)
danger MAL_Netfilter_Dropper_Jun_2021_1 Detect the dropper of Netfilter rootkit binaries (upload)
watch UPX_Zero UPX packed file binaries (upload)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (2cnts)

Request CC ASN Co IP4 Rule ZERO
http://45.113.202.180:608/d6 CN CHINATELECOM JiangSu YangZhou IDC networkdescr: YangZhouJiangsu Province, P.R.China. 45.113.202.180 clean
45.113.202.180 CN CHINATELECOM JiangSu YangZhou IDC networkdescr: YangZhouJiangsu Province, P.R.China. 45.113.202.180 clean

Suricata ids

PE API

IAT (Import Address Table)

Library

KERNEL32.dll
 0x4850d0 CloseHandle
 0x4850d4 CompareStringW
 0x4850d8 CreateFileA
 0x4850dc CreateFileW
 0x4850e0 CreateWaitableTimerA
 0x4850e4 DecodePointer
 0x4850e8 DeleteCriticalSection
 0x4850ec DeleteFileA
 0x4850f0 EnterCriticalSection
 0x4850f4 ExitProcess
 0x4850f8 FindClose
 0x4850fc FindFirstFileExW
 0x485100 FindNextFileW
 0x485104 FlushFileBuffers
 0x485108 FreeEnvironmentStringsW
 0x48510c FreeLibrary
 0x485110 GetACP
 0x485114 GetCPInfo
 0x485118 GetCommandLineA
 0x48511c GetCommandLineW
 0x485120 GetConsoleMode
 0x485124 GetConsoleOutputCP
 0x485128 GetCurrentProcess
 0x48512c GetCurrentProcessId
 0x485130 GetCurrentThreadId
 0x485134 GetEnvironmentStringsW
 0x485138 GetFileType
 0x48513c GetLastError
 0x485140 GetModuleFileNameW
 0x485144 GetModuleHandleA
 0x485148 GetModuleHandleExW
 0x48514c GetModuleHandleW
 0x485150 GetOEMCP
 0x485154 GetProcAddress
 0x485158 GetProcessHeap
 0x48515c GetStartupInfoW
 0x485160 GetStdHandle
 0x485164 GetStringTypeW
 0x485168 GetSystemTimeAsFileTime
 0x48516c HeapAlloc
 0x485170 HeapFree
 0x485174 HeapReAlloc
 0x485178 HeapSize
 0x48517c InitializeCriticalSectionAndSpinCount
 0x485180 InitializeSListHead
 0x485184 IsDebuggerPresent
 0x485188 IsProcessorFeaturePresent
 0x48518c IsValidCodePage
 0x485190 LCMapStringW
 0x485194 LeaveCriticalSection
 0x485198 LoadLibraryExW
 0x48519c MultiByteToWideChar
 0x4851a0 OpenFile
 0x4851a4 QueryPerformanceCounter
 0x4851a8 RaiseException
 0x4851ac RtlUnwind
 0x4851b0 SetEnvironmentVariableW
 0x4851b4 SetFilePointerEx
 0x4851b8 SetLastError
 0x4851bc SetStdHandle
 0x4851c0 SetUnhandledExceptionFilter
 0x4851c4 SetWaitableTimer
 0x4851c8 Sleep
 0x4851cc TerminateProcess
 0x4851d0 TlsAlloc
 0x4851d4 TlsFree
 0x4851d8 TlsGetValue
 0x4851dc TlsSetValue
 0x4851e0 UnhandledExceptionFilter
 0x4851e4 WaitForSingleObject
 0x4851e8 WideCharToMultiByte
 0x4851ec WriteConsoleW
 0x4851f0 WriteFile
 0x4851f4 lstrlenW
SHELL32.dll
 0x4851fc SHGetSpecialFolderPathA
 0x485200 ShellExecuteExA
ADVAPI32.dll
 0x485208 AdjustTokenPrivileges
 0x48520c LookupPrivilegeValueW
 0x485210 OpenProcessToken
 0x485214 RegCloseKey
 0x485218 RegCreateKeyExW
 0x48521c RegQueryValueExW
USER32.dll
 0x485224 DispatchMessageA
 0x485228 MsgWaitForMultipleObjects
 0x48522c PeekMessageA
 0x485230 TranslateMessage
 0x485234 wsprintfA
ntdll.dll
 0x48523c NtLoadDriver
WININET.dll
 0x485244 HttpOpenRequestA
 0x485248 HttpQueryInfoA
 0x48524c HttpSendRequestA
 0x485250 InternetCloseHandle
 0x485254 InternetConnectA
 0x485258 InternetCrackUrlA
 0x48525c InternetOpenA
 0x485260 InternetReadFile

EAT (Export Address Table): none
