Report - explorer.exe

AgentTesla browser info stealer Generic Malware Google Chrome User Data Malicious Library Malicious Packer Socket Create Service Sniff Audio Escalate privileges KeyLogger Code injection Downloader AntiDebug AntiVM PE File OS Processor Check PE32
Created 2021.09.07 08:36 Machine s1_win7_x6402
Filename explorer.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 4
Behavior Score 17.2
ZERO API file : malware
VT API (file) 45 detected (malicious, high confidence, Remcos, FTRG, Unsafe, Save, Attribute, HighConfidence, Rescoms, RATX, Gencirc, Generic ML PUA, Siggen14, halxu, Score, 100%, AGEN, ASMalwS, Invader, Bucaspys, RemcosRAT, R418128, ZexaF, BCW@aGglGK, ai score=80, BScope, CLASSIC, wQ4Wbnu, Static AI, Malicious PE, GdSda)
md5 754cae6c58cfb857c870d38ef49e2959
sha256 d1ba03fd533eb3834a4448172fc9f792ed54096f2718a84eebf719cb22d2fa1e
ssdeep 12288:9Ye6UWhaT5xnDdLv9rX+1jZJqxE/ZjEcyib:v6UWUT5xDN9IjZJsCZDyg
imphash ec8ea73e2aa6f868311acc5b792bc222
impfuzzy 96:uSzHuXXLjp+1ZMTfiJSWIRfGLjFHQZKNUz7KgKd39aC5PwzS5:uVjqUWXlQdPiZkC50S5

Signature (31cnts)

Level Description
danger File has been identified by 45 AntiVirus engines on VirusTotal as malicious
danger The process wscript.exe wrote an executable file to disk which it then attempted to execute
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger Executed a process and injected code into it
warning Disables Windows Security features
watch Allocates execute permission to another process indicative of possible code injection
watch Code injection by writing an executable or DLL to the memory of another process
watch Communicates with host for which no DNS query was performed
watch Created a process named as a common system process
watch Expresses interest in specific running processes
watch Installs itself for autorun at Windows startup
watch Network communications indicative of possible code injection originated from the process explorer.exe
watch One or more non-whitelisted processes were created
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice A process attempted to delay the analysis task
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice One or more potentially interesting buffers were extracted
notice Terminates another process
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Command line console output was observed
info The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (31cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
warning infoStealer_browser_Zero browser info stealer memory
watch Chrome_User_Data_Check_Zero Google Chrome User Data Check memory
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch Network_Downloader File Downloader memory
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate privileges memory
notice KeyLogger Run a KeyLogger memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice Sniff_Audio Record Audio memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info win_hook Affect hook table memory
info Win_Trojan_agentTesla_Zero Win.Trojan.agentTesla memory

Network (2cnts)

Request CC ASN Co IP4 Rule ZERO
107.180.56.180 US AS-26496-GO-DADDY-COM-LLC 107.180.56.180 malware
46.8.211.72 RU Kontel LLC 46.8.211.72 clean

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x4530b0 CreateToolhelp32Snapshot
 0x4530b4 OpenMutexA
 0x4530b8 Process32NextW
 0x4530bc LoadLibraryA
 0x4530c0 Process32FirstW
 0x4530c4 GetProcAddress
 0x4530c8 VirtualProtect
 0x4530cc SetLastError
 0x4530d0 VirtualFree
 0x4530d4 VirtualAlloc
 0x4530d8 GetNativeSystemInfo
 0x4530dc HeapAlloc
 0x4530e0 GetProcessHeap
 0x4530e4 FreeLibrary
 0x4530e8 IsBadReadPtr
 0x4530ec GetTempPathW
 0x4530f0 OpenProcess
 0x4530f4 lstrcatW
 0x4530f8 GetCurrentProcessId
 0x4530fc GetTempFileNameW
 0x453100 GetCurrentProcess
 0x453104 GlobalAlloc
 0x453108 GlobalLock
 0x45310c GetTickCount
 0x453110 GlobalUnlock
 0x453114 WriteProcessMemory
 0x453118 ResumeThread
 0x45311c GetThreadContext
 0x453120 VirtualAllocEx
 0x453124 ReadProcessMemory
 0x453128 CreateProcessW
 0x45312c SetThreadContext
 0x453130 LocalAlloc
 0x453134 GlobalFree
 0x453138 MulDiv
 0x45313c SizeofResource
 0x453140 GetLongPathNameW
 0x453144 SetFilePointer
 0x453148 FindResourceA
 0x45314c LockResource
 0x453150 LoadResource
 0x453154 GetModuleFileNameA
 0x453158 lstrcpynA
 0x45315c AllocConsole
 0x453160 QueryPerformanceFrequency
 0x453164 QueryPerformanceCounter
 0x453168 GetLocaleInfoA
 0x45316c LeaveCriticalSection
 0x453170 InitializeCriticalSection
 0x453174 DeleteCriticalSection
 0x453178 HeapSize
 0x45317c WriteConsoleW
 0x453180 SetStdHandle
 0x453184 SetEnvironmentVariableW
 0x453188 SetEnvironmentVariableA
 0x45318c FreeEnvironmentStringsW
 0x453190 GetEnvironmentStringsW
 0x453194 GetCommandLineW
 0x453198 GetCommandLineA
 0x45319c GetOEMCP
 0x4531a0 IsValidCodePage
 0x4531a4 FindFirstFileExA
 0x4531a8 ReadConsoleW
 0x4531ac GetConsoleMode
 0x4531b0 GetConsoleCP
 0x4531b4 FlushFileBuffers
 0x4531b8 GetFileType
 0x4531bc GetTimeZoneInformation
 0x4531c0 EnumSystemLocalesW
 0x4531c4 GetUserDefaultLCID
 0x4531c8 IsValidLocale
 0x4531cc GetTimeFormatW
 0x4531d0 GetDateFormatW
 0x4531d4 HeapReAlloc
 0x4531d8 GetACP
 0x4531dc GetStdHandle
 0x4531e0 GetModuleHandleExW
 0x4531e4 MoveFileExW
 0x4531e8 RtlUnwind
 0x4531ec RaiseException
 0x4531f0 LoadLibraryExW
 0x4531f4 GetCPInfo
 0x4531f8 GetStringTypeW
 0x4531fc GetLocaleInfoW
 0x453200 LCMapStringW
 0x453204 CompareStringW
 0x453208 TlsFree
 0x45320c TlsSetValue
 0x453210 CreateMutexA
 0x453214 CopyFileW
 0x453218 DeleteFileA
 0x45321c ExpandEnvironmentStringsA
 0x453220 FindNextFileA
 0x453224 FindFirstFileA
 0x453228 CreateDirectoryW
 0x45322c GetFileSize
 0x453230 TerminateThread
 0x453234 GetLastError
 0x453238 SetFileAttributesW
 0x45323c GetModuleHandleA
 0x453240 RemoveDirectoryW
 0x453244 FindClose
 0x453248 MoveFileW
 0x45324c SetFilePointerEx
 0x453250 GetLogicalDriveStringsA
 0x453254 DeleteFileW
 0x453258 GetFileAttributesW
 0x45325c lstrlenA
 0x453260 GetDriveTypeA
 0x453264 FindNextFileW
 0x453268 GetFileSizeEx
 0x45326c FindFirstFileW
 0x453270 ExitProcess
 0x453274 CreateProcessA
 0x453278 PeekNamedPipe
 0x45327c CreatePipe
 0x453280 TerminateProcess
 0x453284 ReadFile
 0x453288 HeapFree
 0x45328c HeapCreate
 0x453290 CreateEventA
 0x453294 GetLocalTime
 0x453298 CreateThread
 0x45329c SetEvent
 0x4532a0 WaitForSingleObject
 0x4532a4 Sleep
 0x4532a8 GetModuleFileNameW
 0x4532ac CloseHandle
 0x4532b0 ExitThread
 0x4532b4 CreateFileW
 0x4532b8 WriteFile
 0x4532bc EnterCriticalSection
 0x4532c0 TlsGetValue
 0x4532c4 TlsAlloc
 0x4532c8 InitializeCriticalSectionAndSpinCount
 0x4532cc MultiByteToWideChar
 0x4532d0 DecodePointer
 0x4532d4 EncodePointer
 0x4532d8 WideCharToMultiByte
 0x4532dc InitializeSListHead
 0x4532e0 GetSystemTimeAsFileTime
 0x4532e4 GetCurrentThreadId
 0x4532e8 IsProcessorFeaturePresent
 0x4532ec GetStartupInfoW
 0x4532f0 SetUnhandledExceptionFilter
 0x4532f4 UnhandledExceptionFilter
 0x4532f8 IsDebuggerPresent
 0x4532fc GetModuleHandleW
 0x453300 CreateEventW
 0x453304 WaitForSingleObjectEx
 0x453308 ResetEvent
 0x45330c SetEndOfFile
USER32.dll
 0x453338 SetForegroundWindow
 0x45333c TranslateMessage
 0x453340 DispatchMessageA
 0x453344 GetMessageA
 0x453348 GetWindowTextW
 0x45334c wsprintfW
 0x453350 GetClipboardData
 0x453354 UnhookWindowsHookEx
 0x453358 GetForegroundWindow
 0x45335c ToUnicodeEx
 0x453360 GetKeyboardLayout
 0x453364 SetWindowsHookExA
 0x453368 CloseClipboard
 0x45336c GetWindowThreadProcessId
 0x453370 GetKeyboardState
 0x453374 CallNextHookEx
 0x453378 SetClipboardData
 0x45337c EnumWindows
 0x453380 ExitWindowsEx
 0x453384 EmptyClipboard
 0x453388 ShowWindow
 0x45338c SetWindowTextW
 0x453390 MessageBoxW
 0x453394 IsWindowVisible
 0x453398 CloseWindow
 0x45339c SendInput
 0x4533a0 mouse_event
 0x4533a4 GetWindowTextLengthW
 0x4533a8 GetKeyState
 0x4533ac OpenClipboard
 0x4533b0 TrackPopupMenu
 0x4533b4 DrawIcon
 0x4533b8 GetSystemMetrics
 0x4533bc GetIconInfo
 0x4533c0 SystemParametersInfoW
 0x4533c4 CreatePopupMenu
 0x4533c8 GetCursorPos
 0x4533cc DefWindowProcA
 0x4533d0 CreateWindowExA
 0x4533d4 AppendMenuA
 0x4533d8 RegisterClassExA
 0x4533dc GetKeyboardLayoutNameA
GDI32.dll
 0x453088 CreateCompatibleBitmap
 0x45308c SelectObject
 0x453090 StretchBlt
 0x453094 GetDIBits
 0x453098 DeleteDC
 0x45309c DeleteObject
 0x4530a0 CreateDCA
 0x4530a4 GetObjectA
 0x4530a8 CreateCompatibleDC
ADVAPI32.dll
 0x453000 CryptAcquireContextA
 0x453004 CryptGenRandom
 0x453008 CryptReleaseContext
 0x45300c GetUserNameW
 0x453010 RegEnumKeyExA
 0x453014 QueryServiceStatus
 0x453018 CloseServiceHandle
 0x45301c OpenSCManagerW
 0x453020 OpenSCManagerA
 0x453024 ControlService
 0x453028 StartServiceW
 0x45302c QueryServiceConfigW
 0x453030 ChangeServiceConfigW
 0x453034 OpenServiceW
 0x453038 EnumServicesStatusW
 0x45303c AdjustTokenPrivileges
 0x453040 LookupPrivilegeValueA
 0x453044 OpenProcessToken
 0x453048 RegCreateKeyA
 0x45304c RegCloseKey
 0x453050 RegQueryInfoKeyW
 0x453054 RegQueryValueExA
 0x453058 RegCreateKeyExW
 0x45305c RegEnumKeyExW
 0x453060 RegSetValueExW
 0x453064 RegSetValueExA
 0x453068 RegOpenKeyExA
 0x45306c RegOpenKeyExW
 0x453070 RegCreateKeyW
 0x453074 RegDeleteValueW
 0x453078 RegEnumValueW
 0x45307c RegQueryValueExW
 0x453080 RegDeleteKeyA
SHELL32.dll
 0x453314 ShellExecuteW
 0x453318 ShellExecuteExA
 0x45331c Shell_NotifyIconA
 0x453320 ExtractIconA
SHLWAPI.dll
 0x453328 StrToIntA
 0x45332c PathFileExistsA
 0x453330 PathFileExistsW
WINMM.dll
 0x4533e4 PlaySoundW
 0x4533e8 mciSendStringA
 0x4533ec mciSendStringW
 0x4533f0 waveInClose
 0x4533f4 waveInAddBuffer
 0x4533f8 waveInStart
 0x4533fc waveInOpen
 0x453400 waveInUnprepareHeader
 0x453404 waveInPrepareHeader
 0x453408 waveInStop
WS2_32.dll
 0x453410 closesocket
 0x453414 WSAStartup
 0x453418 send
 0x45341c socket
 0x453420 connect
 0x453424 WSAGetLastError
 0x453428 gethostbyname
 0x45342c htons
 0x453430 inet_ntoa
 0x453434 recv
urlmon.dll
 0x453468 URLDownloadToFileW
 0x45346c URLOpenBlockingStreamW
gdiplus.dll
 0x45343c GdiplusStartup
 0x453440 GdipGetImageEncoders
 0x453444 GdipCloneImage
 0x453448 GdipAlloc
 0x45344c GdipDisposeImage
 0x453450 GdipFree
 0x453454 GdipGetImageEncodersSize
 0x453458 GdipSaveImageToStream
 0x45345c GdipSaveImageToFile
 0x453460 GdipLoadImageFromStream

EAT (Export Address Table): none