Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.10.07 18:23	Machine	s1_win7_x6401
Filename	Sharefolder.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	2	Behavior Score	12.8
ZERO API	file : clean
VT API (file)	24 detected (AIDetect, malware2, malicious, high confidence, DealAlpha, multiple detections, Passteal, Chebka, FileRepMalware, Dyhb, GenericKD, Generic ML PUA, AGEN, ai score=83, Phonzy, Static AI, Suspicious PE)
md5	168f3e8c4657a0fe90a2338f3971f6ed
sha256	4516c9c0ddb065499deebd838a540453791e16aced69440affd2fae31c089262
ssdeep	6144:d/QiQXCLg5m+ksmpk3U9j0I0KsoxvjFEOTb9WmZX/8shzdsY4CpHPhnC1B2Dxk:VQi3Uc6m6UR0IXp1hf39Wkv8xwJHK
imphash	884310b1928934402ea6fec1dbd3cf5e
impfuzzy	48:8cfp1rcQX0gebPCDr+ZbldH9AOZGwt+Eu55T/lGB:8cfpdcqNebqDrmrHW2

Network IP location

Signature (30cnts)

Level	Description
warning	File has been identified by 24 AntiVirus engines on VirusTotal as malicious
warning	Generates some ICMP traffic
watch	Communicates with host for which no DNS query was performed
watch	Deletes executed files from disk
watch	Installs itself for autorun at Windows startup
watch	Looks for the Windows Idle Time to determine the uptime
watch	Network activity contains more than one unique useragent
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
notice	A process attempted to delay the analysis task.
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	An executable file was downloaded by the process sharefolder.tmp
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Creates executable files on the filesystem
notice	Drops a binary and executes it
notice	Drops an executable to the user AppData folder
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice	Resolves a suspicious Top Level Domain (TLD)
notice	Sends data using the HTTP POST Method
notice	Uses Windows utilities for basic Windows functionality
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Collects information to fingerprint the system (MachineGuid
info	One or more processes crashed
info	Queries for the computername
info	The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (25cnts)

Level	Name	Description	Collection
danger	Win32_Trojan_Gen_1_0904B0_Zero	Win32 Trojan Emotet	binaries (download)
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
watch	UPX_Zero	UPX packed file	binaries (download)
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	Is_DotNET_EXE	(no description)	binaries (download)
info	IsDLL	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	IsPE64	(no description)	binaries (download)
info	JPEG_Format_Zero	JPEG Format	binaries (download)
info	Microsoft_Office_File_Zero	Microsoft Office File	binaries (download)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)
info	PNG_Format_Zero	PNG Format	binaries (download)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory
info	Win_Backdoor_AsyncRAT_Zero	Win Backdoor AsyncRAT	binaries (download)

Network (38cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://safialinks.com/Widgets/FolderShare.exe whois	ACP	162.0.214.42		malware
http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/Elmet7adi/Hand_conductor.exe whois	ACP	162.0.214.42		clean
http://apps.identrust.com/roots/dstrootcax3.p7c whois	AMAZON-02	52.216.86.146		clean
http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/BestCPM/Soft_Manager_Cpm.exe whois	ACP	162.0.214.42		malware
http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/NetworkStreamer/UpdateStream_Provider.exe whois	ACP	162.0.214.42		clean
http://safialinks.com/Installer_Provider/ShareFolder.exe whois	ACP	162.0.214.42		malware
http://requestimedout.com/xenocrates/zoroaster whois	NAMECHEAP-NET	162.255.117.78		clean
http://www.google.com/ whois	GOOGLE	172.217.175.4		clean
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_installrox2_BumperWw whois	ACP	162.0.210.44		clean
https://connectini.net/Series/publisher/1/KR.json whois	ACP	162.0.210.44		mailcious
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_adxpertmedia_advancedmanager whois	ACP	162.0.210.44		clean
https://connectini.net/Series/kenpachi/2/goodchannel/KR.json whois	ACP	162.0.210.44	1972	mailcious
https://connectini.net/Series/Conumer4Publisher.php whois	ACP	162.0.210.44	1976	mailcious
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_lylal_piyyyyWW whois	ACP	162.0.210.44		clean
https://connectini.net/ip/check.php?duplicate=kenpachi2_registry_goodchannel_slava_inlogsoftware whois	ACP	162.0.210.44		clean
https://connectini.net/Series/SuperNitou.php whois	ACP	162.0.210.44	1975	mailcious
https://connectini.net/Series/configPoduct/2/goodchannel.json whois	ACP	162.0.210.44	1973	mailcious
https://connectini.net/Series/Conumer2kenpachi.php whois	ACP	162.0.210.44	1974	mailcious
requestimedout.com whois	NAMECHEAP-NET	162.255.117.78		clean
storewebitems.tech whois	Alexhost Srl	5.182.39.146		clean
i.spesgrt.com whois	CLOUDFLARENET	172.67.153.179		malware
safialinks.com whois	ACP	162.0.214.42		malware
google.com whois	GOOGLE	216.58.220.110		clean
source3.boys4dayz.com whois	CLOUDFLARENET	104.21.33.188		clean
connectini.net whois	ACP	162.0.210.44		mailcious
www.profitabletrustednetwork.com whois	DataWeb Global Group B.V.	192.243.59.12		mailcious
apps.identrust.com whois	AMAZON-02	52.216.176.194		clean
www.google.com whois	GOOGLE	172.217.175.4		clean
fscloud.su whois	CLOUDFLARENET	104.21.47.231		clean
142.250.204.36 whois	GOOGLE	142.250.204.36		clean
162.0.214.42 whois	ACP	162.0.214.42		phishing
194.145.227.159 whois		194.145.227.159		mailcious
162.0.210.44 whois	ACP	162.0.210.44		mailcious
52.217.161.205 whois		52.217.161.205		clean
52.217.201.37 whois		52.217.201.37		clean
192.243.59.13 whois	DataWeb Global Group B.V.	192.243.59.13		clean
142.250.66.46 whois	GOOGLE	142.250.66.46		mailcious
162.255.117.78 whois	NAMECHEAP-NET	162.255.117.78		clean

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
0x40d0b4 DeleteCriticalSection
0x40d0b8 LeaveCriticalSection
0x40d0bc EnterCriticalSection
0x40d0c0 InitializeCriticalSection
0x40d0c4 VirtualFree
0x40d0c8 VirtualAlloc
0x40d0cc LocalFree
0x40d0d0 LocalAlloc
0x40d0d4 WideCharToMultiByte
0x40d0d8 TlsSetValue
0x40d0dc TlsGetValue
0x40d0e0 MultiByteToWideChar
0x40d0e4 GetModuleHandleA
0x40d0e8 GetLastError
0x40d0ec GetCommandLineA
0x40d0f0 WriteFile
0x40d0f4 SetFilePointer
0x40d0f8 SetEndOfFile
0x40d0fc RtlUnwind
0x40d100 ReadFile
0x40d104 RaiseException
0x40d108 GetStdHandle
0x40d10c GetFileSize
0x40d110 GetSystemTime
0x40d114 GetFileType
0x40d118 ExitProcess
0x40d11c CreateFileA
0x40d120 CloseHandle
user32.dll
0x40d128 MessageBoxA
oleaut32.dll
0x40d130 VariantChangeTypeEx
0x40d134 VariantCopyInd
0x40d138 VariantClear
0x40d13c SysStringLen
0x40d140 SysAllocStringLen
advapi32.dll
0x40d148 RegQueryValueExA
0x40d14c RegOpenKeyExA
0x40d150 RegCloseKey
0x40d154 OpenProcessToken
0x40d158 LookupPrivilegeValueA
kernel32.dll
0x40d160 WriteFile
0x40d164 VirtualQuery
0x40d168 VirtualProtect
0x40d16c VirtualFree
0x40d170 VirtualAlloc
0x40d174 Sleep
0x40d178 SizeofResource
0x40d17c SetLastError
0x40d180 SetFilePointer
0x40d184 SetErrorMode
0x40d188 SetEndOfFile
0x40d18c RemoveDirectoryA
0x40d190 ReadFile
0x40d194 LockResource
0x40d198 LoadResource
0x40d19c LoadLibraryA
0x40d1a0 IsDBCSLeadByte
0x40d1a4 GetWindowsDirectoryA
0x40d1a8 GetVersionExA
0x40d1ac GetUserDefaultLangID
0x40d1b0 GetSystemInfo
0x40d1b4 GetSystemDefaultLCID
0x40d1b8 GetProcAddress
0x40d1bc GetModuleHandleA
0x40d1c0 GetModuleFileNameA
0x40d1c4 GetLocaleInfoA
0x40d1c8 GetLastError
0x40d1cc GetFullPathNameA
0x40d1d0 GetFileSize
0x40d1d4 GetFileAttributesA
0x40d1d8 GetExitCodeProcess
0x40d1dc GetEnvironmentVariableA
0x40d1e0 GetCurrentProcess
0x40d1e4 GetCommandLineA
0x40d1e8 GetACP
0x40d1ec InterlockedExchange
0x40d1f0 FormatMessageA
0x40d1f4 FindResourceA
0x40d1f8 DeleteFileA
0x40d1fc CreateProcessA
0x40d200 CreateFileA
0x40d204 CreateDirectoryA
0x40d208 CloseHandle
user32.dll
0x40d210 TranslateMessage
0x40d214 SetWindowLongA
0x40d218 PeekMessageA
0x40d21c MsgWaitForMultipleObjects
0x40d220 MessageBoxA
0x40d224 LoadStringA
0x40d228 ExitWindowsEx
0x40d22c DispatchMessageA
0x40d230 DestroyWindow
0x40d234 CreateWindowExA
0x40d238 CallWindowProcA
0x40d23c CharPrevA
comctl32.dll
0x40d244 InitCommonControls
advapi32.dll
0x40d24c AdjustTokenPrivileges

EAT(Export Address Table) is none

Report - Sharefolder.exe

Signature (30cnts)

Rules (25cnts)

Network (38cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure