Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.09.13 18:17	Machine	s1_win7_x6402
Filename	Stub.exe
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
AI Score	2	Behavior Score	11.0
ZERO API	file : malware
VT API (file)	37 detected (AIDetect, malware2, FakeAlert, malicious, high confidence, Artemis, Unsafe, Attribute, HighConfidence, LightStone, FileRepMalware, Generic@ML, RDML, F0ARTZ0bH0HjhIj0r7A, ZPACK, VirRansom, kcloud, Sabsik, score, R441007, ai score=84, BScope, Nitol, Tiny)
md5	3c4359296c65223a5b7acfc76e1f4ecd
sha256	329903818d07ba0d9e6e77b1a334e7adc0be9ca594d122ee592257b34d4e8208
ssdeep	49152:bFRDWwEWVp4vzk90GOSmtQ964qvERH4EZQnghXm6ehrC50omulZQ1RKN24dIcxu3:BcwEWPUzu0CgQHiERH47ghXsW0oeCG
imphash	2a2a662be9dffc461398e7c94d0b55b4
impfuzzy	6:HbJq4wX0pyYJxSBS0H5sD4sIW0oFUAliPEcn:7Jq4wMY58xaPXn

Network IP location

Signature (26cnts)

Level	Description
danger	File has been identified by 37 AntiVirus engines on VirusTotal as malicious
warning	Generates some ICMP traffic
watch	Communicates with host for which no DNS query was performed
watch	Installs itself for autorun at Windows startup
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
notice	A process created a hidden window
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates a suspicious process
notice	Creates executable files on the filesystem
notice	Drops a binary and executes it
notice	Drops an executable to the user AppData folder
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice	The binary likely contains encrypted or compressed data indicative of a packer
notice	Uses Windows utilities for basic Windows functionality
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Collects information to fingerprint the system (MachineGuid
info	Command line console output was observed
info	Queries for the computername

Rules (40cnts)

Level	Name	Description	Collection
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (download)
watch	Network_Downloader	File Downloader	memory
notice	Code_injection	Code injection with CreateRemoteThread in a remote process	memory
notice	Create_Service	Create a windows service	memory
notice	Escalate_priviledges	Escalate priviledges	memory
notice	KeyLogger	Run a KeyLogger	memory
notice	local_credential_Steal	Steal credential	memory
notice	Network_DGA	Communication using DGA	memory
notice	Network_DNS	Communications use DNS	memory
notice	Network_FTP	Communications over FTP	memory
notice	Network_HTTP	Communications over HTTP	memory
notice	Network_P2P_Win	Communications over P2P network	memory
notice	Network_TCP_Socket	Communications over RAW Socket	memory
notice	ScreenShot	Take ScreenShot	memory
notice	Sniff_Audio	Record Audio	memory
notice	Str_Win32_Http_API	Match Windows Http API call	memory
notice	Str_Win32_Internet_API	Match Windows Inet API call	memory
info	anti_dbg	Checks if being debugged	memory
info	antisb_threatExpert	Anti-Sandbox checks for ThreatExpert	memory
info	Check_Dlls	(no description)	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerCheck__RemoteAPI	(no description)	memory
info	DebuggerException__ConsoleCtrl	(no description)	memory
info	DebuggerException__SetConsoleCtrl	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	Is_DotNET_EXE	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	IsPE64	(no description)	binaries (download)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory
info	win_hook	Affect hook table	memory
info	Win_Backdoor_AsyncRAT_Zero	Win Backdoor AsyncRAT	binaries (download)

Network (4cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://62.109.1.30/triggers/vm_.php?IKJqpgOhe1yQhF6FuKf8qX6kg3Tm7=z7&IE=4VZ5NRqL9s1riviBamOvNiJwNmjeB1&e8f6de43394a8e2ef93b201a0d2ec922=c0280c4c3f572aabfa038560a3f515da&65ab24948c084368808c084126a043f5=QNkZTNzcDOwMWM5QGM4YzMyQmY2MGZmV2MmdDOjN2MiF2M5gDM2MG whois	JSC The First	62.109.1.30	3585	mailcious
ipinfo.io whois	GOOGLE	34.117.59.81		clean
62.109.1.30 whois	JSC The First	62.109.1.30		mailcious
34.117.59.81 whois	GOOGLE	34.117.59.81		clean

Suricata ids

PE API

IAT(Import Address Table) Library

msvcrt.dll
0x79ab5c strlen
0x79ab60 malloc
0x79ab64 fopen
0x79ab68 fwrite
0x79ab6c fclose
0x79ab70 memset
0x79ab74 getenv
0x79ab78 sprintf
0x79ab7c __argc
0x79ab80 __argv
0x79ab84 _environ
0x79ab88 _XcptFilter
0x79ab8c __set_app_type
0x79ab90 _controlfp
0x79ab94 __getmainargs
0x79ab98 exit
kernel32.dll
0x79aba0 CreateProcessA
0x79aba4 CloseHandle
0x79aba8 SetUnhandledExceptionFilter

EAT(Export Address Table) is none

Report - Stub.exe

Signature (26cnts)

Rules (40cnts)

Network (4cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure