Report - zdkecjb7.exe

Generic Malware UPX Malicious Library Antivirus Anti_VM AntiDebug AntiVM OS Processor Check PE File PE32 PowerShell
Created 2023.07.31 17:49 Machine s1_win7_x6403
Filename zdkecjb7.exe
Type PE32 executable (console) Intel 80386, for MS Windows
AI Score 5
Behavior Score 14.4
ZERO API
VT API (file) 55 detected (AIDetectMalware, malicious, high confidence, DownLoader45, GenericKD, Artemis, Save, confidence, 100%, Genus, ABTrojan, RIEV, Whispergate, GenKryptik, GMGP, score, jxpmxn, PWSX, Gencirc, high, Sabsik, Malware@#2gtiotiewmcc, Redline, Detected, BScope, TrojanPSW, ai score=88, unsafe, Chgt, R002H09GQ23, Generic@AI, RDML, TwpUDTHxJ+B8pA4e7LekxQ, O7swy7lEpns, Krypt, susgen, ETBS)
md5 2eb21acbab653f9007db89469ca991c9
sha256 9ed0ffeb25bd64d20de3ae1a0134f535534e1bf66fba1a04a3b864b274ee5dc7
ssdeep 24576:74TY5HReB07yCo6OVtsdEFL/G3HciUfYgwJSUW99xNdkQ7+OT:8KHoayCqGuw3H+DPTxNdkYT
imphash 7171dd3cc2e067362ea92a90a83c63fe
impfuzzy 24:m3RokB5AAMUxQKAWJcpH+Pd2akbjeDPjslu3t8qbJe99r9OovbO3kPvNRZHu9T:m3RDPBoWJcpH+Pds9at8qOZo30nk

Signature (29cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 55 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch Manipulates memory of a non-child process indicative of process injection
watch One or more non-whitelisted processes were created
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Uses Windows APIs to generate a cryptographic key

Rules (23cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PowerShell PowerShell script scripts
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (15cnts)

Request CC ASN Co IP4 Rule ZERO
http://www.microsoft.com/ US America Movil Peru S.A.C. 23.209.109.149
http://ip-api.com/json/?fields=query,status,countryCode,city,timezone US TUT-AS 208.95.112.1
http://46.29.235.84/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys RU JSC Eurotelecom 46.29.235.84
http://pastebin.com/raw/r0KhEEzi US CLOUDFLARENET 172.67.34.170 35402
https://pastebin.com/raw/r0KhEEzi US CLOUDFLARENET 104.20.68.143 35401
ip-api.com US TUT-AS 208.95.112.1
pastebin.com US CLOUDFLARENET 104.20.68.143
www.microsoft.com US AKAMAI-AS 23.210.41.137
185.149.146.118 LU Foton Telecom CJSC 185.149.146.118
185.159.129.168 RU IT Outsourcing LLC 185.159.129.168
77.91.77.144 RU Foton Telecom CJSC 77.91.77.144
104.20.68.143 US CLOUDFLARENET 104.20.68.143
208.95.112.1 US TUT-AS 208.95.112.1
46.29.235.84 RU JSC Eurotelecom 46.29.235.84
104.76.29.199 US Akamai International B.V. 104.76.29.199

Suricata ids

PE API

IAT (Import Address Table) Library

USER32.dll
 0x41a174 SetWindowRgn
 0x41a178 DdeReconnect
 0x41a17c SetWindowDisplayAffinity
ole32.dll
 0x41a18c OleSave
 0x41a190 ReleaseStgMedium
GDI32.dll
 0x41a000 RestoreDC
 0x41a004 CreateBitmapIndirect
 0x41a008 AngleArc
WS2_32.dll
 0x41a184 WSAStartup
KERNEL32.dll
 0x41a010 HeapSize
 0x41a014 CreateFileW
 0x41a018 WriteConsoleW
 0x41a01c HeapReAlloc
 0x41a020 SetEvent
 0x41a024 GetConsoleMode
 0x41a028 GetConsoleOutputCP
 0x41a02c VirtualProtect
 0x41a030 RaiseException
 0x41a034 InitializeSRWLock
 0x41a038 ReleaseSRWLockExclusive
 0x41a03c AcquireSRWLockExclusive
 0x41a040 EnterCriticalSection
 0x41a044 LeaveCriticalSection
 0x41a048 InitializeCriticalSectionEx
 0x41a04c TryEnterCriticalSection
 0x41a050 DeleteCriticalSection
 0x41a054 GetCurrentThreadId
 0x41a058 InitializeConditionVariable
 0x41a05c WakeConditionVariable
 0x41a060 WakeAllConditionVariable
 0x41a064 SleepConditionVariableCS
 0x41a068 SleepConditionVariableSRW
 0x41a06c InitOnceBeginInitialize
 0x41a070 InitOnceComplete
 0x41a074 GetLastError
 0x41a078 FreeLibraryWhenCallbackReturns
 0x41a07c CreateThreadpoolWork
 0x41a080 SubmitThreadpoolWork
 0x41a084 CloseThreadpoolWork
 0x41a088 GetModuleHandleExW
 0x41a08c IsProcessorFeaturePresent
 0x41a090 QueryPerformanceCounter
 0x41a094 GetSystemTimeAsFileTime
 0x41a098 GetModuleHandleW
 0x41a09c GetProcAddress
 0x41a0a0 CloseHandle
 0x41a0a4 WaitForSingleObjectEx
 0x41a0a8 InitializeCriticalSectionAndSpinCount
 0x41a0ac DecodePointer
 0x41a0b0 ResetEvent
 0x41a0b4 CreateEventW
 0x41a0b8 IsDebuggerPresent
 0x41a0bc UnhandledExceptionFilter
 0x41a0c0 SetUnhandledExceptionFilter
 0x41a0c4 GetStartupInfoW
 0x41a0c8 GetCurrentProcess
 0x41a0cc TerminateProcess
 0x41a0d0 GetCurrentProcessId
 0x41a0d4 InitializeSListHead
 0x41a0d8 FlushFileBuffers
 0x41a0dc RtlUnwind
 0x41a0e0 SetLastError
 0x41a0e4 EncodePointer
 0x41a0e8 TlsAlloc
 0x41a0ec TlsGetValue
 0x41a0f0 TlsSetValue
 0x41a0f4 TlsFree
 0x41a0f8 FreeLibrary
 0x41a0fc LoadLibraryExW
 0x41a100 ExitProcess
 0x41a104 GetModuleFileNameW
 0x41a108 GetStdHandle
 0x41a10c WriteFile
 0x41a110 GetCommandLineA
 0x41a114 GetCommandLineW
 0x41a118 HeapAlloc
 0x41a11c HeapFree
 0x41a120 CompareStringW
 0x41a124 LCMapStringW
 0x41a128 GetFileType
 0x41a12c GetFileSizeEx
 0x41a130 SetFilePointerEx
 0x41a134 FindClose
 0x41a138 FindFirstFileExW
 0x41a13c FindNextFileW
 0x41a140 IsValidCodePage
 0x41a144 GetACP
 0x41a148 GetOEMCP
 0x41a14c GetCPInfo
 0x41a150 MultiByteToWideChar
 0x41a154 WideCharToMultiByte
 0x41a158 GetEnvironmentStringsW
 0x41a15c FreeEnvironmentStringsW
 0x41a160 SetEnvironmentVariableW
 0x41a164 GetProcessHeap
 0x41a168 SetStdHandle
 0x41a16c GetStringTypeW

EAT (Export Address Table) is none



Similarity measure (PE file only) - Checking for service failure