Report - sqlcmd.exe

Generic Malware UPX Malicious Library Malicious Packer Antivirus OS Processor Check PE32 PE File PowerShell
Created 2023.03.09 10:04 Machine s1_win7_x6401
Filename sqlcmd.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
6
Behavior Score
10.0
ZERO API file : malware
VT API (file) 33 detected (Artemis, Save, Kryptik, malicious, confidence, 100%, Attribute, HighConfidence, high confidence, HROL, score, Coins, CrypterX, Generic ML PUA, NetLoader, ai score=82, Sabsik, L5MVQP, PowershellDownloader, R561248, ZexaF, myW@auLYVBdi, unsafe, Generic@AI, RDML, Su5sB, wAsy01K5Ai3qViLg)
md5 fc4462b1448b7db9f905be31b1bb288d
sha256 87884144ff48d4fb0b4dc7d7677369524be8042dd195a1080fddba1dda290821
ssdeep 3072:3M7l92L2002YwWly6kAeGj7wYp3wwXmx9y7WAMWkQh0khzlqsy7Ft6:c7l9/K9TAMk+sy736
imphash b10f24f888005218ad8da0ee59d3b6f9
impfuzzy 24:+BKkhMULu9MBrglZUfjtMS1gNbJnc+pl3eDoupSOovbOwZiv5he:+BKkDp4atMS1gNlc+pp23/5he

Signature (23cnts)

Level Description
danger File has been identified by 33 AntiVirus engines on VirusTotal as malicious
watch Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe
watch The process powershell.exe wrote an executable file to disk
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Drops an executable to the user AppData folder
notice Performs some HTTP requests
notice Powershell is sending data to a remote host
notice URL downloaded by powershell script
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid)
info Command line console output was observed
info Powershell script has download & invoke calls
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info Uses Windows APIs to generate a cryptographic key

Rules (16cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PowerShell PowerShell script scripts
info PowershellDI Extract Download/Invoke calls from powershell script scripts

Network (5cnts)

Request CC ASN Co IP4 Rule ZERO
http://apps.identrust.com/roots/dstrootcax3.p7c US CCCH-3 23.216.159.81 clean
apps.identrust.com US CCCH-3 23.216.159.81 clean
www.imagn.world US CLOUDFLARENET 104.26.6.106 malware
172.67.75.82 US CLOUDFLARENET 172.67.75.82 malware
121.254.136.57 KR LG DACOM Corporation 121.254.136.57 clean

Suricata ids

PE API

IAT(Import Address Table) Library

WININET.dll
 0x41d140 InternetReadFile
 0x41d144 InternetCloseHandle
 0x41d148 InternetCrackUrlW
 0x41d14c InternetOpenW
 0x41d150 InternetOpenUrlW
 0x41d154 InternetQueryDataAvailable
SHLWAPI.dll
 0x41d12c StrStrW
 0x41d130 wnsprintfW
KERNEL32.dll
 0x41d00c SetFilePointerEx
 0x41d010 GetConsoleMode
 0x41d014 GetConsoleOutputCP
 0x41d018 FlushFileBuffers
 0x41d01c WriteFile
 0x41d020 GetModuleFileNameW
 0x41d024 GetEnvironmentVariableW
 0x41d028 CreateFileW
 0x41d02c GetFileAttributesW
 0x41d030 GetSystemWow64DirectoryW
 0x41d034 GetLastError
 0x41d038 WriteConsoleW
 0x41d03c lstrcatW
 0x41d040 CloseHandle
 0x41d044 ExitProcess
 0x41d048 GetModuleHandleW
 0x41d04c lstrcpyW
 0x41d050 GetTempFileNameW
 0x41d054 HeapFree
 0x41d058 HeapReAlloc
 0x41d05c HeapAlloc
 0x41d060 GetProcessHeap
 0x41d064 WideCharToMultiByte
 0x41d068 HeapSize
 0x41d06c EncodePointer
 0x41d070 LoadLibraryA
 0x41d074 UnhandledExceptionFilter
 0x41d078 SetUnhandledExceptionFilter
 0x41d07c GetCurrentProcess
 0x41d080 TerminateProcess
 0x41d084 IsProcessorFeaturePresent
 0x41d088 QueryPerformanceCounter
 0x41d08c GetCurrentProcessId
 0x41d090 GetCurrentThreadId
 0x41d094 GetSystemTimeAsFileTime
 0x41d098 InitializeSListHead
 0x41d09c IsDebuggerPresent
 0x41d0a0 GetStartupInfoW
 0x41d0a4 RaiseException
 0x41d0a8 DecodePointer
 0x41d0ac RtlUnwind
 0x41d0b0 SetLastError
 0x41d0b4 EnterCriticalSection
 0x41d0b8 LeaveCriticalSection
 0x41d0bc DeleteCriticalSection
 0x41d0c0 InitializeCriticalSectionAndSpinCount
 0x41d0c4 TlsAlloc
 0x41d0c8 TlsGetValue
 0x41d0cc TlsSetValue
 0x41d0d0 TlsFree
 0x41d0d4 FreeLibrary
 0x41d0d8 GetProcAddress
 0x41d0dc LoadLibraryExW
 0x41d0e0 GetStdHandle
 0x41d0e4 GetModuleHandleExW
 0x41d0e8 FindClose
 0x41d0ec FindFirstFileExW
 0x41d0f0 FindNextFileW
 0x41d0f4 IsValidCodePage
 0x41d0f8 GetACP
 0x41d0fc GetOEMCP
 0x41d100 GetCPInfo
 0x41d104 GetCommandLineA
 0x41d108 GetCommandLineW
 0x41d10c MultiByteToWideChar
 0x41d110 GetEnvironmentStringsW
 0x41d114 FreeEnvironmentStringsW
 0x41d118 SetStdHandle
 0x41d11c GetFileType
 0x41d120 GetStringTypeW
 0x41d124 LCMapStringW
USER32.dll
 0x41d138 wsprintfW
ADVAPI32.dll
 0x41d000 GetSidSubAuthority
 0x41d004 GetSidSubAuthorityCount

EAT(Export Address Table) is none
