Report - updater.exe

Ave Maria WARZONE RAT Generic Malware Malicious Library UPX Downloader Malicious Packer Antivirus PE File PE32 OS Processor Check DLL PE64
Created 2023.09.19 18:15
Machine s1_win7_x6401
Filename updater.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 6
Behavior Score 12.8
ZERO API (file): malware
VT API (file) 63 detected (VinaPhuonterOD, Agentb, ts68, Dacic, Save, Remcos, malicious, Genus, Antiav, INDT, Windows, AveMaria, Warzone, score, jiad, fljpfv, Gencirc, Redcap, ghjpt, Maria, MOCRT, high, Behav, Static AI, Malicious PE, ai score=80, WarzoneRAT, Detected, R263895, ZexaF, iyW@aiQHI7li, unsafe, Genetic, CLASSIC, susgen, confidence, 100%)
md5 95c3df5b6840fc840c329011aa1a1afd
sha256 b39ac7708b7795a7a80973d6a74abfc3ab6bef76f4f6d817a14f3648e2a3448b
ssdeep 3072:K7W9jps0Tx4azG6GweOTir5axbjNCz45LT7a:KwpsERzGKurEXCzeLT7a
imphash 56fc94e02d7bc310030753938e49a91a
impfuzzy 96:Ai88luyscd95l+/IHeMCDr5pKyBmAKncGKCoh5mCp6wvfC:AFyJ00eMCDr5pXnRRtfC

Signature (30cnts)

Level Description
danger File has been identified by 63 AntiVirus engines on VirusTotal as malicious
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to remove evidence of file being downloaded from the Internet
watch Creates an Alternate Data Stream (ADS)
watch Installs itself for autorun at Windows startup
watch Operates on local firewall's policies and settings
watch Potential code injection by writing to the memory of another process
watch The process powershell.exe wrote an executable file to disk
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Checks whether any human activity is being performed by constantly checking whether the foreground window changed
notice Connects to a Dynamic DNS Domain
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice Foreign language identified in PE resource
notice One or more potentially interesting buffers were extracted
notice Terminates another process
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info Queries for the computername
info The file contains an unknown PE resource name possibly indicative of a packer
info Uses Windows APIs to generate a cryptographic key

Rules (19cnts)

Level Name Description Collection
danger Ave_Maria_Zero Remote Access Trojan that is also called WARZONE RAT binaries (upload)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch Network_Downloader File Downloader binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (6cnts)

Request CC ASN Co IP4 Rule ZERO
microsoft.com US MICROSOFT-CORP-MSN-AS-BLOCK 20.112.250.133 clean
remotes1338.hopto.org JP Linode, LLC 172.105.234.48 malicious
filebin.net NO Redpill Linpro AS 185.47.40.36 malware
172.105.234.48 JP Linode, LLC 172.105.234.48 malicious
20.236.44.162 US MICROSOFT-CORP-MSN-AS-BLOCK 20.236.44.162 clean
185.47.40.36 NO Redpill Linpro AS 185.47.40.36 malware

Suricata ids

PE API

IAT (Import Address Table) Library

webservices.dll
 0x419370 WsFileTimeToDateTime
crypt.dll
 0x41933c BCryptSetProperty
 0x419340 BCryptGenerateSymmetricKey
 0x419344 BCryptOpenAlgorithmProvider
 0x419348 BCryptDecrypt
KERNEL32.dll
 0x41908c lstrcpyW
 0x419090 GetTickCount
 0x419094 HeapAlloc
 0x419098 GetProcessHeap
 0x41909c GetCommandLineA
 0x4190a0 GetStartupInfoA
 0x4190a4 HeapFree
 0x4190a8 VirtualAlloc
 0x4190ac HeapReAlloc
 0x4190b0 VirtualQuery
 0x4190b4 LocalAlloc
 0x4190b8 LocalFree
 0x4190bc SystemTimeToFileTime
 0x4190c0 TerminateThread
 0x4190c4 CreateThread
 0x4190c8 WriteProcessMemory
 0x4190cc GetCurrentProcess
 0x4190d0 OpenProcess
 0x4190d4 GetWindowsDirectoryA
 0x4190d8 VirtualProtectEx
 0x4190dc VirtualAllocEx
 0x4190e0 CreateRemoteThread
 0x4190e4 GetModuleHandleW
 0x4190e8 IsWow64Process
 0x4190ec WriteFile
 0x4190f0 CreateFileW
 0x4190f4 LoadLibraryW
 0x4190f8 GetLocalTime
 0x4190fc GetCurrentThreadId
 0x419100 GetCurrentProcessId
 0x419104 ReadFile
 0x419108 FindFirstFileA
 0x41910c GetBinaryTypeW
 0x419110 FindNextFileA
 0x419114 GetFullPathNameA
 0x419118 CreateFileA
 0x41911c GlobalAlloc
 0x419120 GetCurrentDirectoryW
 0x419124 lstrcmpA
 0x419128 GetFileSize
 0x41912c FreeLibrary
 0x419130 SetDllDirectoryW
 0x419134 GetFileSizeEx
 0x419138 WaitForSingleObject
 0x41913c WaitForMultipleObjects
 0x419140 CreatePipe
 0x419144 PeekNamedPipe
 0x419148 DuplicateHandle
 0x41914c SetEvent
 0x419150 CreateProcessW
 0x419154 CreateEventA
 0x419158 GetModuleFileNameW
 0x41915c WideCharToMultiByte
 0x419160 LoadResource
 0x419164 FindResourceW
 0x419168 GetComputerNameW
 0x41916c GlobalMemoryStatusEx
 0x419170 LoadLibraryExW
 0x419174 FindFirstFileW
 0x419178 FindNextFileW
 0x41917c SetFilePointer
 0x419180 GetLogicalDriveStringsW
 0x419184 CopyFileW
 0x419188 GetDriveTypeW
 0x41918c EnterCriticalSection
 0x419190 LeaveCriticalSection
 0x419194 lstrlenA
 0x419198 DeleteCriticalSection
 0x41919c CreateMutexA
 0x4191a0 ReleaseMutex
 0x4191a4 TerminateProcess
 0x4191a8 K32GetModuleFileNameExW
 0x4191ac CreateToolhelp32Snapshot
 0x4191b0 Process32NextW
 0x4191b4 Process32FirstW
 0x4191b8 DeleteFileW
 0x4191bc SizeofResource
 0x4191c0 VirtualProtect
 0x4191c4 GetSystemDirectoryW
 0x4191c8 LockResource
 0x4191cc GetWindowsDirectoryW
 0x4191d0 Process32First
 0x4191d4 Process32Next
 0x4191d8 GetTempPathA
 0x4191dc ExpandEnvironmentStringsW
 0x4191e0 lstrlenW
 0x4191e4 lstrcmpW
 0x4191e8 CreateProcessA
 0x4191ec WinExec
 0x4191f0 ExitProcess
 0x4191f4 GetProcAddress
 0x4191f8 lstrcpyA
 0x4191fc CloseHandle
 0x419200 lstrcatW
 0x419204 LoadLibraryA
 0x419208 GetLastError
 0x41920c GetPrivateProfileStringW
 0x419210 GetModuleHandleA
 0x419214 GetTempPathW
 0x419218 VirtualFree
 0x41921c SetLastError
 0x419220 Sleep
 0x419224 GetModuleFileNameA
 0x419228 CreateDirectoryW
 0x41922c MultiByteToWideChar
 0x419230 lstrcatA
 0x419234 SetCurrentDirectoryW
 0x419238 InitializeCriticalSection
USER32.dll
 0x419298 GetKeyState
 0x41929c GetMessageA
 0x4192a0 DispatchMessageA
 0x4192a4 CreateWindowExW
 0x4192a8 CallNextHookEx
 0x4192ac GetAsyncKeyState
 0x4192b0 RegisterClassW
 0x4192b4 GetRawInputData
 0x4192b8 MapVirtualKeyA
 0x4192bc DefWindowProcA
 0x4192c0 RegisterRawInputDevices
 0x4192c4 TranslateMessage
 0x4192c8 ToUnicode
 0x4192cc wsprintfW
 0x4192d0 PostQuitMessage
 0x4192d4 GetLastInputInfo
 0x4192d8 GetForegroundWindow
 0x4192dc GetWindowTextW
 0x4192e0 wsprintfA
 0x4192e4 GetKeyNameTextW
 0x4192e8 CharLowerW
ADVAPI32.dll
 0x419000 RegDeleteValueW
 0x419004 LookupPrivilegeValueW
 0x419008 AdjustTokenPrivileges
 0x41900c AllocateAndInitializeSid
 0x419010 OpenProcessToken
 0x419014 FreeSid
 0x419018 LookupAccountSidW
 0x41901c RegCreateKeyExW
 0x419020 RegDeleteKeyW
 0x419024 InitializeSecurityDescriptor
 0x419028 RegDeleteKeyA
 0x41902c SetSecurityDescriptorDacl
 0x419030 RegQueryValueExW
 0x419034 RegOpenKeyExW
 0x419038 RegOpenKeyExA
 0x41903c RegEnumKeyExW
 0x419040 RegQueryValueExA
 0x419044 RegQueryInfoKeyW
 0x419048 RegCloseKey
 0x41904c OpenServiceW
 0x419050 ChangeServiceConfigW
 0x419054 QueryServiceConfigW
 0x419058 EnumServicesStatusExW
 0x41905c StartServiceW
 0x419060 RegSetValueExW
 0x419064 RegCreateKeyExA
 0x419068 OpenSCManagerW
 0x41906c CloseServiceHandle
 0x419070 GetTokenInformation
 0x419074 RegSetValueExA
SHELL32.dll
 0x419254 SHGetFolderPathW
 0x419258 ShellExecuteExA
 0x41925c None
 0x419260 SHGetKnownFolderPath
 0x419264 SHFileOperationW
 0x419268 SHGetSpecialFolderPathW
 0x41926c SHCreateDirectoryExW
 0x419270 ShellExecuteW
urlmon.dll
 0x419368 URLDownloadToFileW
WS2_32.dll
 0x4192f8 getaddrinfo
 0x4192fc setsockopt
 0x419300 freeaddrinfo
 0x419304 htons
 0x419308 recv
 0x41930c socket
 0x419310 send
 0x419314 WSAConnect
 0x419318 WSAStartup
 0x41931c shutdown
 0x419320 closesocket
 0x419324 WSACleanup
 0x419328 connect
 0x41932c InetNtopW
 0x419330 gethostbyname
 0x419334 inet_addr
ole32.dll
 0x419350 CoCreateInstance
 0x419354 CoInitialize
 0x419358 CoTaskMemFree
 0x41935c CoUninitialize
 0x419360 CoInitializeSecurity
SHLWAPI.dll
 0x419278 StrStrW
 0x41927c PathFindExtensionW
 0x419280 PathCombineA
 0x419284 PathFindFileNameW
 0x419288 StrStrA
 0x41928c PathRemoveFileSpecA
 0x419290 PathFileExistsW
NETAPI32.dll
 0x419240 NetUserAdd
 0x419244 NetLocalGroupAddMembers
OLEAUT32.dll
 0x41924c VariantInit
CRYPT32.dll
 0x41907c CryptUnprotectData
 0x419080 CryptStringToBinaryA
 0x419084 CryptStringToBinaryW
WININET.dll
 0x4192f0 InternetTimeToSystemTimeA

EAT (Export Address Table): none
