Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.11.05 09:31	Machine	s1_win7_x6401
Filename	9801_1635938030_9423.exe
Type	MS-DOS executable, MZ for MS-DOS
AI Score	4	Behavior Score	14.6
ZERO API	file : clean
VT API (file)	31 detected (AIDetect, malware2, Racealer, Jaik, Unsafe, malicious, confidence, Attribute, HighConfidence, GenCBL, Artemis, R + Mal, EncPk, ai score=89, PSWTroj, kcloud, AzorUlt, Phonzy)
md5	a26c091f560286c77dc695818846a27e
sha256	18bf017bdd74e8e8f5db5a4dd7ec3409021c7b0d2f125f05d728f3b740132015
ssdeep	98304:tVHcyjffTYM6jPFhCfKrGzAs29VXD56hsI+LmjPlo4SBd+1uz9QYR2:tVHZrfY1LVXMsjmjPaTPi+2
imphash	c78a0fcf42332cbdf64de6b70bfc435b
impfuzzy	6:nERGDfAGL6QWvEKFAUKXPMKobGeSc9Q3c2AxyTO6LO7dplYWYE+cEWzj86zAn:EcDfA21rK5KjHN3c2A+O6LOTlYKr8KAn

Network IP location

Signature (33cnts)

Level	Description
danger	File has been identified by 31 AntiVirus engines on VirusTotal as malicious
watch	A potential heapspray has been detected. 91 megabytes was sprayed onto the heap of the OQxtPfFqST.exe process
watch	Attempts to access Bitcoin/ALTCoin wallets
watch	Checks for the presence of known windows from debuggers and forensic tools
watch	Checks the version of Bios
watch	Collects information about installed applications
watch	Communicates with host for which no DNS query was performed
watch	Detects Virtual Machines through their custom firmware
watch	Detects VirtualBox through the presence of a registry key
watch	Detects VMWare through the in instruction feature
watch	Drops a binary and executes it
watch	Harvests credentials from local email clients
watch	One or more of the buffers contains an embedded PE file
notice	A process created a hidden window
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Creates executable files on the filesystem
notice	Drops an executable to the user AppData folder
notice	Expresses interest in specific running processes
notice	Foreign language identified in PE resource
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Queries for potentially installed applications
notice	Sends data using the HTTP POST Method
notice	The binary likely contains encrypted or compressed data indicative of a packer
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Collects information to fingerprint the system (MachineGuid
info	One or more processes crashed
info	Queries for the computername
info	The executable contains unknown PE section names indicative of a packer (could be a false positive)
info	The file contains an unknown PE resource name possibly indicative of a packer
info	Tries to locate where the browsers are installed

Rules (19cnts)

Level	Name	Description	Collection
danger	Win32_Trojan_Gen_1_0904B0_Zero	Win32 Trojan Emotet	binaries (download)
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
watch	ASPack_Zero	ASPack packed file	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (download)
watch	MPRESS_Zero	MPRESS packed file	binaries (upload)
watch	UPX_Zero	UPX packed file	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (upload)
watch	Win32_Trojan_PWS_Net_1_Zero	Win32 Trojan PWS .NET Azorult	binaries (download)
info	Is_DotNET_EXE	(no description)	binaries (download)
info	IsDLL	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	IsPE64	(no description)	binaries (download)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)
info	Win32_Trojan_Gen_2_0904B0_Zero	Win32 Trojan Gen	binaries (download)
info	Win_Backdoor_AsyncRAT_Zero	Win Backdoor AsyncRAT	binaries (download)

Network (11cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://91.219.236.97//l/f/IKB87XwB3dP17Spzni02/70fba09628631dc7968147158bcd96dd2a63758b whois	ServerAstra Kft.	91.219.236.97	7282	clean
http://91.219.236.97//l/f/IKB87XwB3dP17Spzni02/3f01e0ee7d7616e1a5b10f5e09c686af287a09ab whois	ServerAstra Kft.	91.219.236.97	7282	clean
http://teleliver.top/mixmorty14 whois	CLOUDFLARENET	172.67.136.46		clean
http://91.219.236.97/ whois	ServerAstra Kft.	91.219.236.97	7282	clean
https://cdn.discordapp.com/attachments/899705176418578565/905408828730900501/malik_2.0.exe whois		162.159.129.233		clean
https://cdn.discordapp.com/attachments/896848939771367444/900335715949363280/Antesternal.exe whois		162.159.129.233		clean
teleliver.top whois	CLOUDFLARENET	172.67.136.46		clean
cdn.discordapp.com whois		162.159.130.233		malware
91.219.236.97 whois	ServerAstra Kft.	91.219.236.97		clean
162.159.129.233 whois		162.159.129.233		malware
104.21.62.135 whois	CLOUDFLARENET	104.21.62.135		clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
0xb25118 GetModuleHandleA
0xb2511c GetProcAddress
USER32.dll
0xb25124 wsprintfA
GDI32.dll
0xb2512c BitBlt
ADVAPI32.dll
0xb25134 GetTokenInformation
SHELL32.dll
0xb2513c SHGetFolderPathA
ole32.dll
0xb25144 CoInitialize
USERENV.dll
0xb2514c GetUserProfileDirectoryA
ktmw32.dll
0xb25154 CreateTransaction
crypt.dll
0xb2515c BCryptDecrypt
CRYPT32.dll
0xb25164 CryptStringToBinaryA
SHLWAPI.dll
0xb2516c StrCmpNW
WINHTTP.dll
0xb25174 WinHttpConnect
gdiplus.dll
0xb2517c GdiplusStartup

EAT(Export Address Table) is none

Report - 9801_1635938030_9423.exe

Signature (33cnts)

Rules (19cnts)

Network (11cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure