Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.08.29 20:39	Machine	s1_win7_x6401
Filename	voidlttt_crypted_LAB%20%283%29.exe
Type	PE32 executable (console) Intel 80386, for MS Windows
AI Score	4	Behavior Score	12.6
ZERO API	file : malware
VT API (file)	24 detected (AIDetectMalware, malicious, high confidence, Attribute, HighConfidence, GenKryptik, GNHF, TRICKBOT, Generic@AI, RDML, YZpsTaG6l8uvhCXM1mnWvw, Inject4, score, Static AI, Suspicious PE, R601742, ZexaF, HyY@aqWexcg, susgen, confidence)
md5	b081509178bb6a0cea93d70f7484999f
sha256	a89f46b1f68011abac6a6592beeb4c09a51e4772d3353416b7518f0e9f0bbc0b
ssdeep	12288:uwxlr6MV1XlbxJKVNEBNozRcqFf8ycq1WNlYPc9OObF:/NFRWVNoElf8ycuWNlY09bp
imphash	e88a529caf2666acedc4a4b0f2baa386
impfuzzy	24:YwcpVOZtlS1wGhlJBl3eDoLoEOovbOIHFZMv5GMAkEZHu9J:fcpVOZtlS1wGnpXc3gFZGn

Network IP location

Signature (28cnts)

Level	Description
danger	Executed a process and injected code into it
warning	File has been identified by 24 AntiVirus engines on VirusTotal as malicious
watch	Allocates execute permission to another process indicative of possible code injection
watch	Code injection by writing an executable or DLL to the memory of another process
watch	Collects information about installed applications
watch	Communicates with host for which no DNS query was performed
watch	Executes one or more WMI queries
watch	Harvests credentials from local FTP client softwares
watch	Potential code injection by writing to the memory of another process
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
watch	Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Executes one or more WMI queries which can be used to identify virtual machines
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Queries for potentially installed applications
notice	Steals private information from local Internet browsers
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	One or more processes crashed
info	Queries for the computername
info	The executable contains unknown PE section names indicative of a packer (could be a false positive)
info	Tries to locate where the browsers are installed
info	Uses Windows APIs to generate a cryptographic key

Rules (15cnts)

Level	Name	Description	Collection
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
watch	UPX_Zero	UPX packed file	binaries (upload)
notice	Generic_PWS_Memory_Zero	PWS Memory	memory
notice	Network_SMTP_dotNet	Communications smtp	memory
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	IsPE32	(no description)	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (upload)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (4cnts) ?

Request	ASN Co	IP4	ZERO ?
https://api.ip.sb/ip whois	CLOUDFLARENET	104.26.13.31	clean
api.ip.sb whois	CLOUDFLARENET	172.67.75.172	clean
94.142.138.94 whois	Ihor Hosting LLC	94.142.138.94	mailcious
104.26.13.31 whois	CLOUDFLARENET	104.26.13.31	clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
0x41e000 EncodePointer
0x41e004 DecodePointer
0x41e008 EnterCriticalSection
0x41e00c LeaveCriticalSection
0x41e010 InitializeCriticalSectionEx
0x41e014 DeleteCriticalSection
0x41e018 MultiByteToWideChar
0x41e01c WideCharToMultiByte
0x41e020 LCMapStringEx
0x41e024 GetStringTypeW
0x41e028 GetCPInfo
0x41e02c IsProcessorFeaturePresent
0x41e030 UnhandledExceptionFilter
0x41e034 SetUnhandledExceptionFilter
0x41e038 GetCurrentProcess
0x41e03c TerminateProcess
0x41e040 QueryPerformanceCounter
0x41e044 GetCurrentProcessId
0x41e048 GetCurrentThreadId
0x41e04c GetSystemTimeAsFileTime
0x41e050 InitializeSListHead
0x41e054 IsDebuggerPresent
0x41e058 GetStartupInfoW
0x41e05c GetModuleHandleW
0x41e060 CreateFileW
0x41e064 RaiseException
0x41e068 RtlUnwind
0x41e06c GetLastError
0x41e070 SetLastError
0x41e074 InitializeCriticalSectionAndSpinCount
0x41e078 TlsAlloc
0x41e07c TlsGetValue
0x41e080 TlsSetValue
0x41e084 TlsFree
0x41e088 FreeLibrary
0x41e08c GetProcAddress
0x41e090 LoadLibraryExW
0x41e094 GetStdHandle
0x41e098 WriteFile
0x41e09c GetModuleFileNameW
0x41e0a0 ExitProcess
0x41e0a4 GetModuleHandleExW
0x41e0a8 GetCommandLineA
0x41e0ac GetCommandLineW
0x41e0b0 HeapFree
0x41e0b4 HeapAlloc
0x41e0b8 CompareStringW
0x41e0bc LCMapStringW
0x41e0c0 GetLocaleInfoW
0x41e0c4 IsValidLocale
0x41e0c8 GetUserDefaultLCID
0x41e0cc EnumSystemLocalesW
0x41e0d0 GetFileType
0x41e0d4 CloseHandle
0x41e0d8 FlushFileBuffers
0x41e0dc GetConsoleOutputCP
0x41e0e0 GetConsoleMode
0x41e0e4 ReadFile
0x41e0e8 GetFileSizeEx
0x41e0ec SetFilePointerEx
0x41e0f0 ReadConsoleW
0x41e0f4 HeapReAlloc
0x41e0f8 FindClose
0x41e0fc FindFirstFileExW
0x41e100 FindNextFileW
0x41e104 IsValidCodePage
0x41e108 GetACP
0x41e10c GetOEMCP
0x41e110 GetEnvironmentStringsW
0x41e114 FreeEnvironmentStringsW
0x41e118 SetEnvironmentVariableW
0x41e11c SetStdHandle
0x41e120 GetProcessHeap
0x41e124 HeapSize
0x41e128 WriteConsoleW

EAT(Export Address Table) is none

Report - voidlttt_crypted_LAB%20%283%29.exe

Signature (28cnts)

Rules (15cnts)

Network (4cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure