Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.05.18 09:47	Machine	s1_win7_x6403
Filename	build.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	8	Behavior Score	18.8
ZERO API	file : malware
VT API (file)	22 detected (AIDetectMalware, Stop, Save, malicious, high confidence, Mokes, Lockbit, high, score, StopCrypt, Sabsik, unsafe, Generic@AI, RDML, lB0mnTjFDtn1t4+O50PDZw, Static AI, Suspicious PE, susgen, confidence, 100%)
md5	c82632236e77359b2aaa32e0cc38cd99
sha256	e69e27dce851bfa86acb2f751f8d28668af08418f9ad2911ec4fe592f7f2ac81
ssdeep	12288:KdfL+IhkzIM+n5BX8mHKBNvpG7mqzEmTVTnXrbsd8cPDMhvQ:Kx+2kUb7/q/GVRTVzXXA7
imphash	5b776df520ace051c45f52eb27a73fee
impfuzzy	48:la6MeJ/cappYOY+fcatGX9thKGvSvZKAu:lfxzjYR+fcyGX9thhvShO

Network IP location

Signature (40cnts)

Level	Description
danger	Executed a process and injected code into it
warning	File has been identified by 22 AntiVirus engines on VirusTotal as malicious
watch	Allocates execute permission to another process indicative of possible code injection
watch	Attempts to access Bitcoin/ALTCoin wallets
watch	Attempts to create or modify system certificates
watch	Checks the CPU name from registry
watch	Collects information about installed applications
watch	Communicates with host for which no DNS query was performed
watch	Executes one or more WMI queries
watch	Harvests credentials from local email clients
watch	Harvests credentials from local FTP client softwares
watch	Installs itself for autorun at Windows startup
watch	Network activity contains more than one unique useragent
watch	Potential code injection by writing to the memory of another process
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
watch	Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch	Uses suspicious command line tools or Windows utilities
notice	A process created a hidden window
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	An executable file was downloaded by the process build.exe
notice	Creates executable files on the filesystem
notice	Drops a binary and executes it
notice	Drops an executable to the user AppData folder
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Potentially malicious URLs were found in the process memory dump
notice	Queries for potentially installed applications
notice	Searches running processes potentially to identify processes for sandbox evasion
notice	Sends data using the HTTP POST Method
notice	Steals private information from local Internet browsers
notice	The binary likely contains encrypted or compressed data indicative of a packer
notice	Uses Windows utilities for basic Windows functionality
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Collects information to fingerprint the system (MachineGuid
info	Command line console output was observed
info	Queries for the computername
info	Tries to locate where the browsers are installed

Rules (33cnts)

Level	Name	Description	Collection
danger	Win32_PWS_Loki_Zero	Win32 PWS Loki	memory
danger	Win32_Trojan_Gen_1_0904B0_Zero	Win32 Trojan Emotet	binaries (download)
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
warning	Suspicious_Obfuscation_Script_2	Suspicious obfuscation script (e.g. executable files)	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (upload)
notice	Code_injection	Code injection with CreateRemoteThread in a remote process	memory
notice	Generic_PWS_Memory_Zero	PWS Memory	memory
notice	Network_DGA	Communication using DGA	memory
notice	Network_DNS	Communications use DNS	memory
notice	Network_TCP_Socket	Communications over RAW Socket	memory
notice	ScreenShot	Take ScreenShot	memory
notice	Str_Win32_Http_API	Match Windows Http API call	memory
notice	Str_Win32_Internet_API	Match Windows Inet API call	memory
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerException__SetConsoleCtrl	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	IsDLL	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (18cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://colisumy.com/dl/build2.exe whois	Techtel LMDS Comunicaciones Interactivas S.A.	186.182.55.44	31026	malware
http://zexeq.com/raud/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true whois	SK Broadband Co Ltd	222.236.49.124	31029	mailcious
http://116.203.165.188/9dfa7ee730fa2f1efb5ed51dbbec22f5 whois	Hetzner Online GmbH	116.203.165.188		clean
http://116.203.165.188/ whois	Hetzner Online GmbH	116.203.165.188		clean
http://zexeq.com/files/1/build3.exe whois	SK Broadband Co Ltd	222.236.49.124	27913	malware
http://116.203.165.188/config.zip whois	Hetzner Online GmbH	116.203.165.188		clean
https://steamcommunity.com/profiles/76561199263069598 whois	AKAMAI-AS	23.37.146.163	32753	mailcious
t.me whois	Telegram Messenger Inc	149.154.167.99		mailcious
colisumy.com whois	SK Broadband Co Ltd	175.119.10.231		malware
api.2ip.ua whois	ACP	162.0.217.254		clean
steamcommunity.com whois	SHAW	69.192.92.139		mailcious
zexeq.com whois	Uninet S.A. de C.V.	201.124.218.111		malware
149.154.167.99 whois	Telegram Messenger Inc	149.154.167.99		mailcious
23.37.146.163 whois	AKAMAI-AS	23.37.146.163		clean
123.140.161.243 whois	LG DACOM Corporation	123.140.161.243		mailcious
162.0.217.254 whois	ACP	162.0.217.254		clean
116.203.165.188 whois	Hetzner Online GmbH	116.203.165.188		clean
222.236.49.124 whois	SK Broadband Co Ltd	222.236.49.124		clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
0x401000 SearchPathW
0x401004 EnumCalendarInfoA
0x401008 GetDriveTypeW
0x40100c GetConsoleAliasExesLengthA
0x401010 InterlockedIncrement
0x401014 InterlockedDecrement
0x401018 HeapFree
0x40101c FreeEnvironmentStringsA
0x401020 MoveFileWithProgressA
0x401024 GetTickCount
0x401028 GetSystemTimeAsFileTime
0x40102c EnumTimeFormatsA
0x401030 SetProcessPriorityBoost
0x401034 GetVolumePathNameW
0x401038 GlobalAlloc
0x40103c GetPrivateProfileIntA
0x401040 AddRefActCtx
0x401044 LoadLibraryW
0x401048 IsProcessInJob
0x40104c GetCalendarInfoA
0x401050 InitAtomTable
0x401054 GetFileAttributesW
0x401058 CompareStringW
0x40105c MultiByteToWideChar
0x401060 GetStringTypeExA
0x401064 GetProfileIntA
0x401068 GetLastError
0x40106c GetCurrentDirectoryW
0x401070 GetProcAddress
0x401074 SetComputerNameA
0x401078 WriteConsoleA
0x40107c SetCalendarInfoW
0x401080 AddAtomW
0x401084 RemoveDirectoryW
0x401088 SetFileApisToANSI
0x40108c BeginUpdateResourceA
0x401090 GetModuleFileNameA
0x401094 FindFirstVolumeMountPointA
0x401098 CreateIoCompletionPort
0x40109c GetModuleHandleA
0x4010a0 lstrcatW
0x4010a4 FreeEnvironmentStringsW
0x4010a8 FindNextFileW
0x4010ac FileTimeToLocalFileTime
0x4010b0 GetVolumeNameForVolumeMountPointW
0x4010b4 DeleteFileW
0x4010b8 EnumSystemLocalesW
0x4010bc CloseHandle
0x4010c0 WriteConsoleW
0x4010c4 EncodePointer
0x4010c8 DecodePointer
0x4010cc Sleep
0x4010d0 InitializeCriticalSection
0x4010d4 DeleteCriticalSection
0x4010d8 EnterCriticalSection
0x4010dc LeaveCriticalSection
0x4010e0 MoveFileA
0x4010e4 GetCommandLineA
0x4010e8 HeapSetInformation
0x4010ec GetStartupInfoW
0x4010f0 RaiseException
0x4010f4 RtlUnwind
0x4010f8 HeapAlloc
0x4010fc WideCharToMultiByte
0x401100 LCMapStringW
0x401104 GetCPInfo
0x401108 GetModuleHandleW
0x40110c ExitProcess
0x401110 UnhandledExceptionFilter
0x401114 SetUnhandledExceptionFilter
0x401118 IsDebuggerPresent
0x40111c TerminateProcess
0x401120 GetCurrentProcess
0x401124 IsProcessorFeaturePresent
0x401128 HeapCreate
0x40112c SetFilePointer
0x401130 SetHandleCount
0x401134 GetStdHandle
0x401138 InitializeCriticalSectionAndSpinCount
0x40113c GetFileType
0x401140 WriteFile
0x401144 GetModuleFileNameW
0x401148 GetEnvironmentStringsW
0x40114c TlsAlloc
0x401150 TlsGetValue
0x401154 TlsSetValue
0x401158 TlsFree
0x40115c SetLastError
0x401160 GetCurrentThreadId
0x401164 QueryPerformanceCounter
0x401168 GetCurrentProcessId
0x40116c GetLocaleInfoW
0x401170 HeapSize
0x401174 GetACP
0x401178 GetOEMCP
0x40117c IsValidCodePage
0x401180 GetUserDefaultLCID
0x401184 GetLocaleInfoA
0x401188 EnumSystemLocalesA
0x40118c IsValidLocale
0x401190 GetStringTypeW
0x401194 HeapReAlloc
0x401198 SetStdHandle
0x40119c GetConsoleCP
0x4011a0 GetConsoleMode
0x4011a4 FlushFileBuffers
0x4011a8 CreateFileW
USER32.dll
0x4011b0 DefDlgProcW

EAT(Export Address Table) is none

Report - build.exe

Signature (40cnts)

Rules (33cnts)

Network (18cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure