Report - ZeroBOX

ScreenShot

Info
Location map


Created	2022.12.13 10:06	Machine	s1_win7_x6401
Filename	mp3studios_95.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score	9	Behavior Score	10.6
ZERO API	file : malware
VT API (file)	53 detected (malicious, moderate confidence, GenericKDZ, GenericRI, S28526880, GenericRXAA, Unsafe, Save, confidence, ZexaF, QmKfaypZ2tgj, PSWStealer, Eldorado, Attribute, HighConfidence, Lazy, FBStealer, score, PWSX, Ugil, Siggen17, Static AI, Malicious PE, Socelars, Disbuk, SpyBanker, ai score=81, RedLineStealer, Sabsik, 1XYZ9KF, Detected, R511320, BScope, Agentb, TppUMeSJi6V, EfXMZhOQIc0, susgen, GdSda)
md5	cfe181cb0be52169a6412c28c50c1c64
sha256	68c7921c5d3c2420d74c16014726727de338873c45e70ecff8ac95a64150f848
ssdeep	12288:RqlMhfymUyZzk8ri+hcGgn9cJBJYGahyHY2oSjSGwGLiGbylftuSq54:R5kxyZFe+hcGEXGwiY2jVwGGftH
imphash	526d106f2e7b63f735e9ba641d6bbefa
impfuzzy	6:oI0YZBJAEoZ/OEGDzyRF9BLYEAIr4/bU46pE:oeBABZG/DzQ9BLDAIr4jX

Network IP location

Signature (26cnts)

Level	Description
danger	File has been identified by 53 AntiVirus engines on VirusTotal as malicious
watch	Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic)
watch	One or more non-whitelisted processes were created
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	An application raised an exception which may be indicative of an exploit crash
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates a suspicious process
notice	Creates executable files on the filesystem
notice	Executes one or more WMI queries
notice	Foreign language identified in PE resource
notice	Performs some HTTP requests
notice	Potentially malicious URLs were found in the process memory dump
notice	Queries for potentially installed applications
notice	Steals private information from local Internet browsers
notice	Terminates another process
notice	The binary likely contains encrypted or compressed data indicative of a packer
notice	The executable is compressed using UPX
notice	Uses Windows utilities for basic Windows functionality
notice	Yara rule detected in process memory
info	Checks if process is being debugged by a debugger
info	Command line console output was observed
info	One or more processes crashed
info	Queries for the computername
info	The file contains an unknown PE resource name possibly indicative of a packer
info	Tries to locate where the browsers are installed

Rules (43cnts)

Level	Name	Description	Collection
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
warning	infoStealer_browser_Zero	browser info stealer	memory
watch	Chrome_User_Data_Check_Zero	Google Chrome User Data Check	memory
watch	Malicious_Packer_Zero	Malicious Packer	binaries (upload)
watch	Network_Downloader	File Downloader	memory
notice	BitCoin	Perform crypto currency mining	memory
notice	Code_injection	Code injection with CreateRemoteThread in a remote process	memory
notice	Create_Service	Create a windows service	memory
notice	Escalate_priviledges	Escalate priviledges	memory
notice	Generic_PWS_Memory_Zero	PWS Memory	memory
notice	KeyLogger	Run a KeyLogger	memory
notice	local_credential_Steal	Steal credential	memory
notice	Network_DGA	Communication using DGA	memory
notice	Network_DNS	Communications use DNS	memory
notice	Network_FTP	Communications over FTP	memory
notice	Network_HTTP	Communications over HTTP	memory
notice	Network_P2P_Win	Communications over P2P network	memory
notice	Network_TCP_Socket	Communications over RAW Socket	memory
notice	Persistence	Install itself for autorun at Windows startup	memory
notice	ScreenShot	Take ScreenShot	memory
notice	Sniff_Audio	Record Audio	memory
notice	Str_Win32_Http_API	Match Windows Http API call	memory
notice	Str_Win32_Internet_API	Match Windows Inet API call	memory
info	anti_dbg	Checks if being debugged	memory
info	antisb_threatExpert	Anti-Sandbox checks for ThreatExpert	memory
info	Check_Dlls	(no description)	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerCheck__RemoteAPI	(no description)	memory
info	DebuggerException__ConsoleCtrl	(no description)	memory
info	DebuggerException__SetConsoleCtrl	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	IsPE32	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (upload)
info	PNG_Format_Zero	PNG Format	binaries (download)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory
info	Virtual_currency_Zero	Virtual currency	memory
info	vmdetect	Possibly employs anti-virtualization techniques	memory
info	win_hook	Affect hook table	memory
info	Win_Trojan_agentTesla_Zero	Win.Trojan.agentTesla	memory

Network (5cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
https://www.icodeps.com/ whois	AS-CHOOPA	149.28.253.196	14280	mailcious
www.icodeps.com whois	AS-CHOOPA	149.28.253.196		mailcious
iplogger.org whois	Hetzner Online GmbH	148.251.234.83		mailcious
149.28.253.196 whois	AS-CHOOPA	149.28.253.196		mailcious
148.251.234.83 whois	Hetzner Online GmbH	148.251.234.83		clean

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
0x58dd78 FreeSid
KERNEL32.DLL
0x58dd80 LoadLibraryA
0x58dd84 ExitProcess
0x58dd88 GetProcAddress
0x58dd8c VirtualProtect
NETAPI32.dll
0x58dd94 Netbios
ntdll.dll
0x58dd9c NtClose
ole32.dll
0x58dda4 CoGetObject
SHELL32.dll
0x58ddac ShellExecuteExA
WININET.dll
0x58ddb4 InternetGetCookieExA

EAT(Export Address Table) is none

Report - mp3studios_95.exe

Signature (26cnts)

Rules (43cnts)

Network (5cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure