Report - clip.exe

UPX Malicious Library Admin Tool (Sysinternals etc ...) DGA DNS Socket Create Service Sniff Audio Escalate privileges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE32 PE File
Created 2021.07.31 13:46 Machine s1_win7_x6401
Filename clip.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 3
Behavior Score 9.6
ZERO API (file): malware
VT API (file) 26 detected (AIDetect, malware2, malicious, high confidence, GenericKD, Unsafe, Attribute, HighConfidence, GenKryptik, FIFC, Remcos, RATX, Generic@ML, RDML, HCCJj7u19eeMwfheZTzdiA, Fareit, Score, ai score=85, kcloud, Wacatac, Artemis, Outbreak, susgen, ENEX, ZelphiCO, ZGW@auBrKeki, confidence)
md5 e6ed552b84d437e90031f9fc3d41b62a
sha256 fd866b4e18b49ef0232eda27280a0d56a9e408792bba4cddded1961fe64e7bf3
ssdeep 12288:UW/TXFjs7ss0L1gFV5qNri5CQBznMjFJHQndtXUhF0dh0MgsLmP:UW/DZs7qgPRVVnWwJdhatP
imphash c54a51ade970b440d47c550557ef97c5
impfuzzy 192:33P58k1QjmAbuuArSUvK9RBoaqyKeSPOQXuDRd:33d1yAA9IzPOQedd

Signature (21cnts)

Level Description
warning File has been identified by 26 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Creates a thread using CreateRemoteThread in a non-child process indicative of process injection
watch Installs itself for autorun at Windows startup
watch Manipulates memory of a non-child process indicative of process injection
watch Network activity contains more than one unique useragent
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Command line console output was observed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The executable uses a known packer

Rules (40cnts)

Level Name Description Collection
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Network_Downloader File Downloader memory
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate privileges memory
notice KeyLogger Run a KeyLogger memory
notice local_credential_Steal Steal credential memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_FTP Communications over FTP memory
notice Network_HTTP Communications over HTTP memory
notice Network_P2P_Win Communications over P2P network memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Sniff_Audio Record Audio memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info win_hook Affect hook table memory

Network (7cnts)

Request CC ASN Co IP4 Rule ZERO
https://apwoqw.sn.files.1drv.com/y4mzJ_o-QT3s9l6T9nPYpPZaAIli0HjF2u-yV90Ep0j9sUw4d4AC3WMJF-OM-e4LDZfK_gHXQz-7rW9aUF9wWN9ocRuUBJnOJUhaJpnrvi99K5q63LiHnE-C3aVvYQlagO8yYkqMQ5hGOvRFQrgIRCLIciuGM5xuXo1KkUMW24XNJSgTWUSb-ApWVb0FW9kvFli9ei14VOJoLsJ85KxubDk1w/Xoyd US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 clean
https://apwoqw.sn.files.1drv.com/y4mSrGGVAPntb6QS1Pv0RM3aho-_3OvJ-xqz1r95_NP83E2s01BBsRKVp-fLaBE0NLAcHXFBDhbKS2Gitb_mLr08uiPYAQn3NBCHX8juozPNFKaAPySwap_2bH54MrvWS3DmbksVxwRcs8C0isffy72XdljYKOYDYlFtpv097Dyek633SvvwILTbefHz1YdpqruKOYuC1nDAOuQ9FSnIEJqjA/Xoyd US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 clean
https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21110&authkey=AAUF6ri1a1Q3BDE US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.13 clean
apwoqw.sn.files.1drv.com US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 clean
onedrive.live.com US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.13 malicious
13.107.42.13 US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.13 malicious
13.107.42.12 US MICROSOFT-CORP-MSN-AS-BLOCK 13.107.42.12 malware

Suricata ids

PE API

IAT (Import Address Table) by library

kernel32.dll
 0x4b6168 DeleteCriticalSection
 0x4b616c LeaveCriticalSection
 0x4b6170 EnterCriticalSection
 0x4b6174 InitializeCriticalSection
 0x4b6178 VirtualFree
 0x4b617c VirtualAlloc
 0x4b6180 LocalFree
 0x4b6184 LocalAlloc
 0x4b6188 GetTickCount
 0x4b618c QueryPerformanceCounter
 0x4b6190 GetVersion
 0x4b6194 GetCurrentThreadId
 0x4b6198 InterlockedDecrement
 0x4b619c InterlockedIncrement
 0x4b61a0 VirtualQuery
 0x4b61a4 WideCharToMultiByte
 0x4b61a8 MultiByteToWideChar
 0x4b61ac lstrlenA
 0x4b61b0 lstrcpynA
 0x4b61b4 LoadLibraryExA
 0x4b61b8 GetThreadLocale
 0x4b61bc GetStartupInfoA
 0x4b61c0 GetProcAddress
 0x4b61c4 GetModuleHandleA
 0x4b61c8 GetModuleFileNameA
 0x4b61cc GetLocaleInfoA
 0x4b61d0 GetCommandLineA
 0x4b61d4 FreeLibrary
 0x4b61d8 FindFirstFileA
 0x4b61dc FindClose
 0x4b61e0 ExitProcess
 0x4b61e4 WriteFile
 0x4b61e8 UnhandledExceptionFilter
 0x4b61ec RtlUnwind
 0x4b61f0 RaiseException
 0x4b61f4 GetStdHandle
user32.dll
 0x4b61fc GetKeyboardType
 0x4b6200 LoadStringA
 0x4b6204 MessageBoxA
 0x4b6208 CharNextA
advapi32.dll
 0x4b6210 RegQueryValueExA
 0x4b6214 RegOpenKeyExA
 0x4b6218 RegCloseKey
oleaut32.dll
 0x4b6220 SysFreeString
 0x4b6224 SysReAllocStringLen
 0x4b6228 SysAllocStringLen
kernel32.dll
 0x4b6230 TlsSetValue
 0x4b6234 TlsGetValue
 0x4b6238 LocalAlloc
 0x4b623c GetModuleHandleA
advapi32.dll
 0x4b6244 RegQueryValueExA
 0x4b6248 RegOpenKeyExA
 0x4b624c RegCloseKey
kernel32.dll
 0x4b6254 lstrcpyA
 0x4b6258 lstrcmpiA
 0x4b625c WriteFile
 0x4b6260 WaitForSingleObject
 0x4b6264 VirtualQuery
 0x4b6268 VirtualProtect
 0x4b626c VirtualAlloc
 0x4b6270 Sleep
 0x4b6274 SizeofResource
 0x4b6278 SetThreadLocale
 0x4b627c SetFilePointer
 0x4b6280 SetEvent
 0x4b6284 SetErrorMode
 0x4b6288 SetEndOfFile
 0x4b628c ResetEvent
 0x4b6290 ReadFile
 0x4b6294 MultiByteToWideChar
 0x4b6298 MulDiv
 0x4b629c LockResource
 0x4b62a0 LoadResource
 0x4b62a4 LoadLibraryA
 0x4b62a8 LeaveCriticalSection
 0x4b62ac InitializeCriticalSection
 0x4b62b0 GlobalUnlock
 0x4b62b4 GlobalSize
 0x4b62b8 GlobalReAlloc
 0x4b62bc GlobalHandle
 0x4b62c0 GlobalLock
 0x4b62c4 GlobalFree
 0x4b62c8 GlobalFindAtomA
 0x4b62cc GlobalDeleteAtom
 0x4b62d0 GlobalAlloc
 0x4b62d4 GlobalAddAtomA
 0x4b62d8 GetVersionExA
 0x4b62dc GetVersion
 0x4b62e0 GetUserDefaultLCID
 0x4b62e4 GetTickCount
 0x4b62e8 GetThreadLocale
 0x4b62ec GetSystemInfo
 0x4b62f0 GetStringTypeExA
 0x4b62f4 GetStdHandle
 0x4b62f8 GetProfileStringA
 0x4b62fc GetProcAddress
 0x4b6300 GetModuleHandleA
 0x4b6304 GetModuleFileNameA
 0x4b6308 GetLocaleInfoA
 0x4b630c GetLocalTime
 0x4b6310 GetLastError
 0x4b6314 GetFullPathNameA
 0x4b6318 GetDiskFreeSpaceA
 0x4b631c GetDateFormatA
 0x4b6320 GetCurrentThreadId
 0x4b6324 GetCurrentProcessId
 0x4b6328 GetCPInfo
 0x4b632c GetACP
 0x4b6330 FreeResource
 0x4b6334 InterlockedExchange
 0x4b6338 FreeLibrary
 0x4b633c FormatMessageA
 0x4b6340 FindResourceA
 0x4b6344 EnumCalendarInfoA
 0x4b6348 EnterCriticalSection
 0x4b634c DeleteCriticalSection
 0x4b6350 CreateThread
 0x4b6354 CreateFileA
 0x4b6358 CreateEventA
 0x4b635c CompareStringA
 0x4b6360 CloseHandle
version.dll
 0x4b6368 VerQueryValueA
 0x4b636c GetFileVersionInfoSizeA
 0x4b6370 GetFileVersionInfoA
gdi32.dll
 0x4b6378 UnrealizeObject
 0x4b637c StretchBlt
 0x4b6380 StartPage
 0x4b6384 StartDocA
 0x4b6388 SetWindowOrgEx
 0x4b638c SetWinMetaFileBits
 0x4b6390 SetViewportOrgEx
 0x4b6394 SetTextColor
 0x4b6398 SetStretchBltMode
 0x4b639c SetROP2
 0x4b63a0 SetPixel
 0x4b63a4 SetMapMode
 0x4b63a8 SetEnhMetaFileBits
 0x4b63ac SetDIBColorTable
 0x4b63b0 SetBrushOrgEx
 0x4b63b4 SetBkMode
 0x4b63b8 SetBkColor
 0x4b63bc SetAbortProc
 0x4b63c0 SelectPalette
 0x4b63c4 SelectObject
 0x4b63c8 SelectClipRgn
 0x4b63cc SaveDC
 0x4b63d0 RestoreDC
 0x4b63d4 Rectangle
 0x4b63d8 RectVisible
 0x4b63dc RealizePalette
 0x4b63e0 Polyline
 0x4b63e4 PlayEnhMetaFile
 0x4b63e8 PatBlt
 0x4b63ec MoveToEx
 0x4b63f0 MaskBlt
 0x4b63f4 LineTo
 0x4b63f8 IntersectClipRect
 0x4b63fc GetWindowOrgEx
 0x4b6400 GetWinMetaFileBits
 0x4b6404 GetTextMetricsA
 0x4b6408 GetTextExtentPoint32A
 0x4b640c GetSystemPaletteEntries
 0x4b6410 GetStockObject
 0x4b6414 GetPixel
 0x4b6418 GetPaletteEntries
 0x4b641c GetObjectA
 0x4b6420 GetEnhMetaFilePaletteEntries
 0x4b6424 GetEnhMetaFileHeader
 0x4b6428 GetEnhMetaFileDescriptionA
 0x4b642c GetEnhMetaFileBits
 0x4b6430 GetDeviceCaps
 0x4b6434 GetDIBits
 0x4b6438 GetDIBColorTable
 0x4b643c GetDCOrgEx
 0x4b6440 GetCurrentPositionEx
 0x4b6444 GetClipBox
 0x4b6448 GetBrushOrgEx
 0x4b644c GetBitmapBits
 0x4b6450 GdiFlush
 0x4b6454 ExtTextOutA
 0x4b6458 ExcludeClipRect
 0x4b645c EndPage
 0x4b6460 EndDoc
 0x4b6464 DeleteObject
 0x4b6468 DeleteEnhMetaFile
 0x4b646c DeleteDC
 0x4b6470 CreateSolidBrush
 0x4b6474 CreatePenIndirect
 0x4b6478 CreatePalette
 0x4b647c CreateICA
 0x4b6480 CreateHalftonePalette
 0x4b6484 CreateFontIndirectA
 0x4b6488 CreateEnhMetaFileA
 0x4b648c CreateDIBitmap
 0x4b6490 CreateDIBSection
 0x4b6494 CreateDCA
 0x4b6498 CreateCompatibleDC
 0x4b649c CreateCompatibleBitmap
 0x4b64a0 CreateBrushIndirect
 0x4b64a4 CreateBitmap
 0x4b64a8 CopyEnhMetaFileA
 0x4b64ac CloseEnhMetaFile
 0x4b64b0 BitBlt
user32.dll
 0x4b64b8 CreateWindowExA
 0x4b64bc WindowFromPoint
 0x4b64c0 WinHelpA
 0x4b64c4 WaitMessage
 0x4b64c8 UpdateWindow
 0x4b64cc UnregisterClassA
 0x4b64d0 UnhookWindowsHookEx
 0x4b64d4 TranslateMessage
 0x4b64d8 TranslateMDISysAccel
 0x4b64dc TrackPopupMenu
 0x4b64e0 SystemParametersInfoA
 0x4b64e4 ShowWindow
 0x4b64e8 ShowScrollBar
 0x4b64ec ShowOwnedPopups
 0x4b64f0 ShowCursor
 0x4b64f4 SetWindowsHookExA
 0x4b64f8 SetWindowTextA
 0x4b64fc SetWindowPos
 0x4b6500 SetWindowPlacement
 0x4b6504 SetWindowLongA
 0x4b6508 SetTimer
 0x4b650c SetScrollRange
 0x4b6510 SetScrollPos
 0x4b6514 SetScrollInfo
 0x4b6518 SetRect
 0x4b651c SetPropA
 0x4b6520 SetParent
 0x4b6524 SetMenuItemInfoA
 0x4b6528 SetMenu
 0x4b652c SetForegroundWindow
 0x4b6530 SetFocus
 0x4b6534 SetCursor
 0x4b6538 SetClassLongA
 0x4b653c SetCapture
 0x4b6540 SetActiveWindow
 0x4b6544 SendMessageA
 0x4b6548 ScrollWindow
 0x4b654c ScreenToClient
 0x4b6550 RemovePropA
 0x4b6554 RemoveMenu
 0x4b6558 ReleaseDC
 0x4b655c ReleaseCapture
 0x4b6560 RegisterWindowMessageA
 0x4b6564 RegisterClipboardFormatA
 0x4b6568 RegisterClassA
 0x4b656c RedrawWindow
 0x4b6570 PtInRect
 0x4b6574 PostQuitMessage
 0x4b6578 PostMessageA
 0x4b657c PeekMessageA
 0x4b6580 OffsetRect
 0x4b6584 OemToCharA
 0x4b6588 MessageBoxA
 0x4b658c MapWindowPoints
 0x4b6590 MapVirtualKeyA
 0x4b6594 LoadStringA
 0x4b6598 LoadKeyboardLayoutA
 0x4b659c LoadIconA
 0x4b65a0 LoadCursorA
 0x4b65a4 LoadBitmapA
 0x4b65a8 KillTimer
 0x4b65ac IsZoomed
 0x4b65b0 IsWindowVisible
 0x4b65b4 IsWindowEnabled
 0x4b65b8 IsWindow
 0x4b65bc IsRectEmpty
 0x4b65c0 IsIconic
 0x4b65c4 IsDialogMessageA
 0x4b65c8 IsChild
 0x4b65cc InvalidateRect
 0x4b65d0 IntersectRect
 0x4b65d4 InsertMenuItemA
 0x4b65d8 InsertMenuA
 0x4b65dc InflateRect
 0x4b65e0 GetWindowThreadProcessId
 0x4b65e4 GetWindowTextA
 0x4b65e8 GetWindowRect
 0x4b65ec GetWindowPlacement
 0x4b65f0 GetWindowLongA
 0x4b65f4 GetWindowDC
 0x4b65f8 GetUpdateRect
 0x4b65fc GetTopWindow
 0x4b6600 GetSystemMetrics
 0x4b6604 GetSystemMenu
 0x4b6608 GetSysColorBrush
 0x4b660c GetSysColor
 0x4b6610 GetSubMenu
 0x4b6614 GetScrollRange
 0x4b6618 GetScrollPos
 0x4b661c GetScrollInfo
 0x4b6620 GetPropA
 0x4b6624 GetParent
 0x4b6628 GetWindow
 0x4b662c GetMessageTime
 0x4b6630 GetMenuStringA
 0x4b6634 GetMenuState
 0x4b6638 GetMenuItemInfoA
 0x4b663c GetMenuItemID
 0x4b6640 GetMenuItemCount
 0x4b6644 GetMenu
 0x4b6648 GetLastActivePopup
 0x4b664c GetKeyboardState
 0x4b6650 GetKeyboardLayoutList
 0x4b6654 GetKeyboardLayout
 0x4b6658 GetKeyState
 0x4b665c GetKeyNameTextA
 0x4b6660 GetIconInfo
 0x4b6664 GetForegroundWindow
 0x4b6668 GetFocus
 0x4b666c GetDlgItem
 0x4b6670 GetDesktopWindow
 0x4b6674 GetDCEx
 0x4b6678 GetDC
 0x4b667c GetCursorPos
 0x4b6680 GetCursor
 0x4b6684 GetClipboardData
 0x4b6688 GetClientRect
 0x4b668c GetClassNameA
 0x4b6690 GetClassInfoA
 0x4b6694 GetCapture
 0x4b6698 GetActiveWindow
 0x4b669c FrameRect
 0x4b66a0 FindWindowA
 0x4b66a4 FillRect
 0x4b66a8 EqualRect
 0x4b66ac EnumWindows
 0x4b66b0 EnumThreadWindows
 0x4b66b4 EndPaint
 0x4b66b8 EnableWindow
 0x4b66bc EnableScrollBar
 0x4b66c0 EnableMenuItem
 0x4b66c4 DrawTextA
 0x4b66c8 DrawMenuBar
 0x4b66cc DrawIconEx
 0x4b66d0 DrawIcon
 0x4b66d4 DrawFrameControl
 0x4b66d8 DrawFocusRect
 0x4b66dc DrawEdge
 0x4b66e0 DispatchMessageA
 0x4b66e4 DestroyWindow
 0x4b66e8 DestroyMenu
 0x4b66ec DestroyIcon
 0x4b66f0 DestroyCursor
 0x4b66f4 DeleteMenu
 0x4b66f8 DefWindowProcA
 0x4b66fc DefMDIChildProcA
 0x4b6700 DefFrameProcA
 0x4b6704 CreatePopupMenu
 0x4b6708 CreateMenu
 0x4b670c CreateIcon
 0x4b6710 ClientToScreen
 0x4b6714 CheckMenuItem
 0x4b6718 CallWindowProcA
 0x4b671c CallNextHookEx
 0x4b6720 BeginPaint
 0x4b6724 CharNextA
 0x4b6728 CharLowerBuffA
 0x4b672c CharLowerA
 0x4b6730 CharToOemA
 0x4b6734 AdjustWindowRectEx
 0x4b6738 ActivateKeyboardLayout
kernel32.dll
 0x4b6740 Sleep
oleaut32.dll
 0x4b6748 SafeArrayPtrOfIndex
 0x4b674c SafeArrayGetUBound
 0x4b6750 SafeArrayGetLBound
 0x4b6754 SafeArrayCreate
 0x4b6758 VariantChangeType
 0x4b675c VariantCopy
 0x4b6760 VariantClear
 0x4b6764 VariantInit
ole32.dll
 0x4b676c CreateStreamOnHGlobal
 0x4b6770 IsAccelerator
 0x4b6774 OleDraw
 0x4b6778 OleSetMenuDescriptor
 0x4b677c CoCreateInstance
 0x4b6780 CoGetClassObject
 0x4b6784 CoUninitialize
 0x4b6788 CoInitialize
 0x4b678c IsEqualGUID
oleaut32.dll
 0x4b6794 GetErrorInfo
 0x4b6798 SysFreeString
comctl32.dll
 0x4b67a0 ImageList_SetIconSize
 0x4b67a4 ImageList_GetIconSize
 0x4b67a8 ImageList_Write
 0x4b67ac ImageList_Read
 0x4b67b0 ImageList_GetDragImage
 0x4b67b4 ImageList_DragShowNolock
 0x4b67b8 ImageList_SetDragCursorImage
 0x4b67bc ImageList_DragMove
 0x4b67c0 ImageList_DragLeave
 0x4b67c4 ImageList_DragEnter
 0x4b67c8 ImageList_EndDrag
 0x4b67cc ImageList_BeginDrag
 0x4b67d0 ImageList_Remove
 0x4b67d4 ImageList_DrawEx
 0x4b67d8 ImageList_Replace
 0x4b67dc ImageList_Draw
 0x4b67e0 ImageList_GetBkColor
 0x4b67e4 ImageList_SetBkColor
 0x4b67e8 ImageList_ReplaceIcon
 0x4b67ec ImageList_Add
 0x4b67f0 ImageList_SetImageCount
 0x4b67f4 ImageList_GetImageCount
 0x4b67f8 ImageList_Destroy
 0x4b67fc ImageList_Create
 0x4b6800 InitCommonControls
winspool.drv
 0x4b6808 OpenPrinterA
 0x4b680c EnumPrintersA
 0x4b6810 DocumentPropertiesA
 0x4b6814 ClosePrinter
comdlg32.dll
 0x4b681c ChooseColorA
 0x4b6820 GetOpenFileNameA

EAT (Export Address Table): none