Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.09.27 08:22	Machine	s1_win7_x6401
Filename	askinstall58.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	1	Behavior Score	11.4
ZERO API	file : malware
VT API (file)	49 detected (AIDetect, malware2, malicious, high confidence, Zusy, Artemis, Unsafe, Save, Socelars, confidence, 100%, MZTE, Attribute, HighConfidence, Razy, PWSX, R + Troj, BGVO, Siggen15, AGEN, ai score=85, kcloud, score, ZexaF, B10@aGOJD6nj, BScope, Agentb, Glupteba, Bruteforce, FBAdsCard, CLASSIC, AWmumnOGbA8, Static AI, Malicious PE, Genetic)
md5	0c9f30771449c16fb45f722fa354d370
sha256	daf825a245dd875995197cc21c046802f79207dfa2272bc5410fd6f2b64afc9a
ssdeep	24576:LXplaOVPWLi74ICMr9NtpKQdIONN9TjUrn+XBS4ofauqryK5:rpB6uyuna+XBS4Vuq+K5
imphash	59f812c1d4d41f3b7cfc5e403c7c9aea
impfuzzy	96:/XAFup4sMIOtz0LEsQJcGtp43ta73grmxOP:InyGEta7Qr

Network IP location

Signature (29cnts)

Level	Description
danger	File has been identified by 49 AntiVirus engines on VirusTotal as malicious
watch	Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic)
watch	One or more non-whitelisted processes were created
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
notice	A process created a hidden window
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	An application raised an exception which may be indicative of an exploit crash
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates a suspicious process
notice	Creates executable files on the filesystem
notice	Executes one or more WMI queries
notice	Foreign language identified in PE resource
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
notice	Potentially malicious URLs were found in the process memory dump
notice	Queries for potentially installed applications
notice	Sends data using the HTTP POST Method
notice	Steals private information from local Internet browsers
notice	Terminates another process
notice	Uses Windows utilities for basic Windows functionality
notice	Yara rule detected in process memory
info	Checks if process is being debugged by a debugger
info	Command line console output was observed
info	One or more processes crashed
info	Queries for the computername
info	The executable contains unknown PE section names indicative of a packer (could be a false positive)
info	The file contains an unknown PE resource name possibly indicative of a packer
info	This executable has a PDB path
info	Tries to locate where the browsers are installed

Rules (55cnts)

Level	Name	Description	Collection
danger	NPKI_Zero	File included NPKI	binaries (download)
danger	Trojan_PWS_Stealer_1_Zero	Trojan.PWS.Stealer Zero	binaries (upload)
warning	Credential_User_Data_Check_Zero	Credential User Data Check	binaries (upload)
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (download)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (upload)
watch	Network_Downloader	File Downloader	memory
watch	SQLite_cookies_Check_Zero	SQLite Cookie Check... select	binaries (upload)
watch	UPX_Zero	UPX packed file	binaries (download)
notice	anti_vm_detect	Possibly employs anti-virtualization techniques	binaries (download)
notice	BitCoin	Perform crypto currency mining	memory
notice	Code_injection	Code injection with CreateRemoteThread in a remote process	memory
notice	Create_Service	Create a windows service	memory
notice	Escalate_priviledges	Escalate priviledges	memory
notice	KeyLogger	Run a KeyLogger	memory
notice	local_credential_Steal	Steal credential	memory
notice	Network_DGA	Communication using DGA	memory
notice	Network_DNS	Communications use DNS	memory
notice	Network_FTP	Communications over FTP	memory
notice	Network_HTTP	Communications over HTTP	memory
notice	Network_P2P_Win	Communications over P2P network	memory
notice	Network_TCP_Socket	Communications over RAW Socket	memory
notice	Persistence	Install itself for autorun at Windows startup	memory
notice	ScreenShot	Take ScreenShot	memory
notice	Sniff_Audio	Record Audio	memory
notice	Str_Win32_Http_API	Match Windows Http API call	memory
notice	Str_Win32_Internet_API	Match Windows Inet API call	memory
info	anti_dbg	Checks if being debugged	memory
info	antisb_threatExpert	Anti-Sandbox checks for ThreatExpert	memory
info	Check_Dlls	(no description)	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerCheck__RemoteAPI	(no description)	memory
info	DebuggerException__ConsoleCtrl	(no description)	memory
info	DebuggerException__SetConsoleCtrl	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	IsDLL	(no description)	binaries (download)
info	IsELF	Executable and Linking Format executable file (Linux/Unix)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	IsPE64	(no description)	binaries (download)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)
info	PNG_Format_Zero	PNG Format	binaries (download)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory
info	Virtual_currency_Zero	Virtual currency	memory
info	vmdetect	Possibly employs anti-virtualization techniques	memory
info	win_hook	Affect hook table	memory
info	Win32_Trojan_Gen_2_0904B0_Zero	Win32 Trojan Gen	binaries (upload)

Network (12cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://www.iyiqian.com/ whois		103.155.92.58	2326	mailcious
http://www.khcyysy.com/Home/Index/lkdinl whois	TimeWeb Ltd.	188.225.87.175	5488	mailcious
https://iplogger.org/14Jup7 whois	Hetzner Online GmbH	88.99.66.31		clean
https://www.listincode.com/ whois	AS-CHOOPA	144.202.76.47	2327	mailcious
www.listincode.com whois	AS-CHOOPA	144.202.76.47		mailcious
iplogger.org whois	Hetzner Online GmbH	88.99.66.31		mailcious
www.iyiqian.com whois		103.155.92.58		mailcious
www.khcyysy.com whois	TimeWeb Ltd.	188.225.87.175		mailcious
103.155.92.58 whois		103.155.92.58		mailcious
88.99.66.31 whois	Hetzner Online GmbH	88.99.66.31		mailcious
144.202.76.47 whois	AS-CHOOPA	144.202.76.47		mailcious
188.225.87.175 whois	TimeWeb Ltd.	188.225.87.175		mailcious

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
0x51f050 LocalAlloc
0x51f054 LocalFree
0x51f058 WinExec
0x51f05c GetComputerNameW
0x51f060 GetModuleFileNameA
0x51f064 GetCurrentProcessId
0x51f068 OpenProcess
0x51f06c GetModuleFileNameW
0x51f070 SetLastError
0x51f074 GetCurrentThread
0x51f078 FindResourceW
0x51f07c GetPrivateProfileStringW
0x51f080 CopyFileW
0x51f084 SetStdHandle
0x51f088 SetEnvironmentVariableW
0x51f08c FreeEnvironmentStringsW
0x51f090 GetEnvironmentStringsW
0x51f094 GetOEMCP
0x51f098 SizeofResource
0x51f09c CreateProcessA
0x51f0a0 LockResource
0x51f0a4 LoadResource
0x51f0a8 FreeLibrary
0x51f0ac GetTickCount
0x51f0b0 TerminateProcess
0x51f0b4 Sleep
0x51f0b8 WaitForSingleObject
0x51f0bc GetProcessHeap
0x51f0c0 HeapAlloc
0x51f0c4 GetLastError
0x51f0c8 GetTempPathA
0x51f0cc CreateDirectoryA
0x51f0d0 SetCurrentDirectoryW
0x51f0d4 GetShortPathNameA
0x51f0d8 LoadLibraryW
0x51f0dc GetProcAddress
0x51f0e0 WideCharToMultiByte
0x51f0e4 MultiByteToWideChar
0x51f0e8 SystemTimeToFileTime
0x51f0ec DosDateTimeToFileTime
0x51f0f0 GetCurrentProcess
0x51f0f4 DuplicateHandle
0x51f0f8 CloseHandle
0x51f0fc WriteFile
0x51f100 SetFileTime
0x51f104 SetFilePointer
0x51f108 ReadFile
0x51f10c GetFileType
0x51f110 CreateFileW
0x51f114 CreateDirectoryW
0x51f118 CreateEventW
0x51f11c GetCurrentDirectoryW
0x51f120 GetACP
0x51f124 IsValidCodePage
0x51f128 FindNextFileW
0x51f12c FindFirstFileExW
0x51f130 FindClose
0x51f134 GetTimeZoneInformation
0x51f138 GetFileSizeEx
0x51f13c GetConsoleOutputCP
0x51f140 SetFilePointerEx
0x51f144 ReadConsoleW
0x51f148 GetConsoleMode
0x51f14c EnumSystemLocalesW
0x51f150 GetUserDefaultLCID
0x51f154 IsValidLocale
0x51f158 GetLocaleInfoW
0x51f15c LCMapStringW
0x51f160 CompareStringW
0x51f164 GetCommandLineW
0x51f168 GetCommandLineA
0x51f16c GetStdHandle
0x51f170 ExitProcess
0x51f174 GetModuleHandleExW
0x51f178 FreeLibraryAndExitThread
0x51f17c ExitThread
0x51f180 CreateThread
0x51f184 LoadLibraryExW
0x51f188 TlsFree
0x51f18c TlsSetValue
0x51f190 TlsGetValue
0x51f194 TlsAlloc
0x51f198 RtlUnwind
0x51f19c RaiseException
0x51f1a0 GetStringTypeW
0x51f1a4 WriteConsoleW
0x51f1a8 GetCPInfo
0x51f1ac CompareStringEx
0x51f1b0 LCMapStringEx
0x51f1b4 DecodePointer
0x51f1b8 EncodePointer
0x51f1bc InitializeCriticalSectionEx
0x51f1c0 InitializeSListHead
0x51f1c4 GetStartupInfoW
0x51f1c8 IsDebuggerPresent
0x51f1cc GetModuleHandleW
0x51f1d0 ResetEvent
0x51f1d4 SetEvent
0x51f1d8 InitializeCriticalSectionAndSpinCount
0x51f1dc IsProcessorFeaturePresent
0x51f1e0 SetUnhandledExceptionFilter
0x51f1e4 UnhandledExceptionFilter
0x51f1e8 FlushFileBuffers
0x51f1ec QueryPerformanceCounter
0x51f1f0 MapViewOfFile
0x51f1f4 CreateFileMappingW
0x51f1f8 AreFileApisANSI
0x51f1fc TryEnterCriticalSection
0x51f200 HeapCreate
0x51f204 HeapFree
0x51f208 EnterCriticalSection
0x51f20c GetFullPathNameW
0x51f210 GetDiskFreeSpaceW
0x51f214 OutputDebugStringA
0x51f218 LockFile
0x51f21c LeaveCriticalSection
0x51f220 InitializeCriticalSection
0x51f224 GetFullPathNameA
0x51f228 SetEndOfFile
0x51f22c UnlockFileEx
0x51f230 GetTempPathW
0x51f234 CreateMutexW
0x51f238 GetFileAttributesW
0x51f23c GetCurrentThreadId
0x51f240 UnmapViewOfFile
0x51f244 HeapValidate
0x51f248 HeapSize
0x51f24c FormatMessageW
0x51f250 GetDiskFreeSpaceA
0x51f254 GetFileAttributesA
0x51f258 GetFileAttributesExW
0x51f25c OutputDebugStringW
0x51f260 FlushViewOfFile
0x51f264 CreateFileA
0x51f268 LoadLibraryA
0x51f26c WaitForSingleObjectEx
0x51f270 DeleteFileA
0x51f274 DeleteFileW
0x51f278 HeapReAlloc
0x51f27c GetSystemInfo
0x51f280 HeapCompact
0x51f284 HeapDestroy
0x51f288 UnlockFile
0x51f28c LockFileEx
0x51f290 GetFileSize
0x51f294 DeleteCriticalSection
0x51f298 GetSystemTimeAsFileTime
0x51f29c GetSystemTime
0x51f2a0 FormatMessageA
ADVAPI32.dll
0x51f000 LookupPrivilegeValueW
0x51f004 AdjustTokenPrivileges
0x51f008 LookupAccountNameW
0x51f00c SetSecurityDescriptorOwner
0x51f010 SetSecurityDescriptorGroup
0x51f014 SetSecurityDescriptorDacl
0x51f018 IsValidSecurityDescriptor
0x51f01c InitializeSecurityDescriptor
0x51f020 InitializeAcl
0x51f024 GetTokenInformation
0x51f028 GetLengthSid
0x51f02c FreeSid
0x51f030 EqualSid
0x51f034 DuplicateToken
0x51f038 AllocateAndInitializeSid
0x51f03c AddAccessAllowedAce
0x51f040 AccessCheck
0x51f044 OpenThreadToken
0x51f048 OpenProcessToken
SHELL32.dll
0x51f2b0 ShellExecuteExA
ole32.dll
0x51f304 CoInitializeEx
0x51f308 CoGetObject
0x51f30c CoUninitialize
WININET.dll
0x51f2b8 InternetGetCookieExA
NETAPI32.dll
0x51f2a8 Netbios
ntdll.dll
0x51f2c0 RtlInitUnicodeString
0x51f2c4 NtFreeVirtualMemory
0x51f2c8 LdrEnumerateLoadedModules
0x51f2cc RtlEqualUnicodeString
0x51f2d0 RtlAcquirePebLock
0x51f2d4 NtAllocateVirtualMemory
0x51f2d8 RtlReleasePebLock
0x51f2dc RtlNtStatusToDosError
0x51f2e0 RtlCreateHeap
0x51f2e4 RtlDestroyHeap
0x51f2e8 RtlAllocateHeap
0x51f2ec NtClose
0x51f2f0 NtOpenKey
0x51f2f4 NtEnumerateValueKey
0x51f2f8 NtQueryValueKey
0x51f2fc RtlFreeHeap

EAT(Export Address Table) is none

Report - askinstall58.exe

Signature (29cnts)

Rules (55cnts)

Network (12cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure