Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.12.23 18:31	Machine	s1_win7_x6403
Filename	Rby1.exe
Type	PE32+ executable (GUI) x86-64, for MS Windows
AI Score	3	Behavior Score	16.8
ZERO API	file : malware
VT API (file)	29 detected (AIDetectMalware, Injuke, Lazy, Suspicioustrojan, Artemis, unsafe, Kryptik, Vigk, None, Attribute, HighConfidence, malicious, moderate confidence, Windigo, PWSX, Krypt, Detected, Wacatac, ai score=82, GenKryptik, WQDW)
md5	e0bc2140d5a10035fb6d3b4e1b46cdfe
sha256	4e2375353e49f18d6679c5372a688fc5c9a2ae3994830e6fe19e1cd20bc5ea6d
ssdeep	24576:aAlTCq3CQGpn2B5ziaj5n9798/dvDwP81d:tT5T6q5jjX798/dvDwP81d
imphash	b12336fa8cbb9bd1c3e11ad0d8477f71
impfuzzy	6:o41wT3WTD1Fz8IAg9Iay4PMtsUdRlYlFBJAEoZ/OEGDzyRdwk:o4MuD1Fwfay4PKrlYjABZG/Dzkwk

Network IP location

Signature (35cnts)

Level	Description
danger	Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
warning	File has been identified by 29 AntiVirus engines on VirusTotal as malicious
watch	Allocates execute permission to another process indicative of possible code injection
watch	Attempts to create or modify system certificates
watch	Attempts to identify installed AV products by installation directory
watch	Communicates with host for which no DNS query was performed
watch	Deletes a large number of files from the system indicative of ransomware
watch	Detects Virtual Machines through their custom firmware
watch	Detects VirtualBox through the presence of a file
watch	Drops 157 unknown file mime types indicative of ransomware writing encrypted files back to disk
watch	Drops a binary and executes it
watch	Installs itself for autorun at Windows startup
watch	One or more of the buffers contains an embedded PE file
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
notice	A process created a hidden window
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	An executable file was downloaded by the process totcmauyzoxr462do2ysqcr9.exe
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Creates a shortcut to an executable file
notice	Creates executable files on the filesystem
notice	Drops an executable to the user AppData folder
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Potentially malicious URLs were found in the process memory dump
notice	Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice	Resolves a suspicious Top Level Domain (TLD)
notice	The binary likely contains encrypted or compressed data indicative of a packer
notice	The executable is compressed using UPX
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Queries for the computername

Rules (36cnts)

Level	Name	Description	Collection
danger	Win32_Trojan_Emotet_1_Zero	Win32 Trojan Emotet	binaries (download)
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
warning	NSIS_Installer	Null Soft Installer	binaries (download)
watch	Admin_Tool_IN_Zero	Admin Tool Sysinternals	binaries (download)
watch	Antivirus	Contains references to security software	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (upload)
notice	anti_vm_detect	Possibly employs anti-virtualization techniques	binaries (download)
info	bmp_file_format	bmp file format	binaries (download)
info	CAB_file_format	CAB archive file	binaries (download)
info	chm_file_format	chm file format	binaries (download)
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	docx	Word 2007 file format detection	binaries (download)
info	icon_file_format	icon file format	binaries (download)
info	IsDLL	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (download)
info	IsPE64	(no description)	binaries (download)
info	IsPE64	(no description)	binaries (upload)
info	JPEG_Format_Zero	JPEG Format	binaries (download)
info	lnk_file_format	Microsoft Windows Shortcut File Format	binaries (download)
info	Lnk_Format_Zero	LNK Format	binaries (download)
info	Microsoft_Office_File_Zero	Microsoft Office File	binaries (download)
info	mzp_file_format	MZP(Delphi) file format	binaries (download)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)
info	PNG_Format_Zero	PNG Format	binaries (download)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory
info	zip_file_format	ZIP file format	binaries (download)

Network (53cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://47.236.140.86/s/twty.exe whois		47.236.140.86		clean
http://91.92.254.7/scripts/plus.php?ip=175.208.134.152&substr=three&s=ab whois		91.92.254.7	38706	mailcious
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 whois	OPERASOFTWARE	107.167.110.211		clean
http://api.ipify.org/?format=wet whois	WEBNX	104.237.62.212		clean
http://galandskiyher5.com/downloads/toolspub4.exe whois		158.160.130.138		malware
http://5.42.64.35/InstallSetup3.exe whois	CJSC Kolomna-Sviaz TV	5.42.64.35		clean
http://5.42.64.35/syncUpd.exe whois	CJSC Kolomna-Sviaz TV	5.42.64.35	38707	malware
https://iplogger.com/1gDcm4 whois	CLOUDFLARENET	172.67.188.178		clean
https://iplogger.com/19hVA4 whois	CLOUDFLARENET	172.67.188.178		clean
https://randomdomainname.org/2cba948feb9c53fce4409f0079aec61c.exe whois	CLOUDFLARENET	104.21.30.5		clean
https://pastebin.com/raw/E0rY26ni whois	CLOUDFLARENET	104.20.68.143	37702	mailcious
https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767 whois	OPERASOFTWARE	107.167.110.211		clean
https://budgienation.net/8c35a460636521ed0deef49f6749c0e3/2cba948feb9c53fce4409f0079aec61c.exe whois	CLOUDFLARENET	104.21.33.167		clean
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe whois	CLOUDFLARENET	104.21.93.225	36783	malware
https://yip.su/RNWPd.exe whois	CLOUDFLARENET	104.21.79.77	37623	malware
https://bitbucket.org/micaorrsoft/update/downloads/a01.exe whois	ATLASSIAN PTY LTD	104.192.141.1		clean
https://potatogoose.com/8c35a460636521ed0deef49f6749c0e3/baf14778c246e15550645e30ba78ce1c.exe whois	CLOUDFLARENET	172.67.180.173		clean
https://bbuseruploads.s3.amazonaws.com/c653674a-68fa-46c6-b413-9e71a0a3be60/downloads/7cc5bf80-2f20-4024-8172-c47af249efe9/a01.exe?response-content-disposition=attachment%3B%20filename%3D%22a01.exe%22&AWSAccessKeyId=ASIA6KOSE3BNLFZPBG6X&Signature=k4eYmK01 whois		3.5.28.176		clean
www.kaspersky.com whois	Kaspersky Lab AO	185.85.15.47		clean
flyawayaero.net whois	CLOUDFLARENET	104.21.93.225		malware
budgienation.net whois	CLOUDFLARENET	104.21.33.167		clean
bitbucket.org whois	ATLASSIAN PTY LTD	104.192.141.1		malware
malwarebytes.com whois	AUTOMATTIC	192.0.66.233		clean
api.ipify.org whois	WEBNX	104.237.62.212		clean
bbuseruploads.s3.amazonaws.com whois		52.217.101.204		malware
zonealarm.com whois	ZONEALARM-COM	209.87.209.205		clean
redirector.pm whois		194.49.94.85		malware
randomdomainname.org whois	CLOUDFLARENET	104.21.30.5		clean
pastebin.com whois	CLOUDFLARENET	172.67.34.170		mailcious
iplogger.com whois	CLOUDFLARENET	172.67.188.178		mailcious
net.geo.opera.com whois	OPERASOFTWARE	107.167.110.216		clean
galandskiyher5.com whois		158.160.130.138		malware
potatogoose.com whois	CLOUDFLARENET	172.67.180.173		malware
yip.su whois	CLOUDFLARENET	104.21.79.77		mailcious
104.21.30.5 whois	CLOUDFLARENET	104.21.30.5		clean
91.92.254.7 whois		91.92.254.7		mailcious
209.87.209.205 whois	ZONEALARM-COM	209.87.209.205		clean
158.160.130.138 whois		158.160.130.138		clean
104.21.33.167 whois	CLOUDFLARENET	104.21.33.167		clean
192.0.66.233 whois	AUTOMATTIC	192.0.66.233		clean
107.167.110.211 whois	OPERASOFTWARE	107.167.110.211		clean
3.5.28.176 whois		3.5.28.176		clean
185.85.15.46 whois	Kaspersky Lab AO	185.85.15.46		clean
104.21.93.225 whois	CLOUDFLARENET	104.21.93.225		phishing
104.21.79.77 whois	CLOUDFLARENET	104.21.79.77		phishing
5.42.64.35 whois	CJSC Kolomna-Sviaz TV	5.42.64.35		malware
104.20.68.143 whois	CLOUDFLARENET	104.20.68.143		mailcious
172.67.180.173 whois	CLOUDFLARENET	172.67.180.173		malware
172.67.188.178 whois	CLOUDFLARENET	172.67.188.178		mailcious
104.192.141.1 whois	ATLASSIAN PTY LTD	104.192.141.1		mailcious
47.236.140.86 whois		47.236.140.86		clean
194.49.94.85 whois		194.49.94.85		malware
64.185.227.156 whois	WEBNX	64.185.227.156		clean

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
0x140267844 EventWrite
api-ms-win-crt-heap-l1-1-0.dll
0x140267854 free
api-ms-win-crt-locale-l1-1-0.dll
0x140267864 _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll
0x140267874 ceil
api-ms-win-crt-runtime-l1-1-0.dll
0x140267884 exit
api-ms-win-crt-stdio-l1-1-0.dll
0x140267894 _set_fmode
api-ms-win-crt-string-l1-1-0.dll
0x1402678a4 strcmp
crypt.dll
0x1402678b4 BCryptDecrypt
KERNEL32.DLL
0x1402678c4 LoadLibraryA
0x1402678cc ExitProcess
0x1402678d4 GetProcAddress
0x1402678dc VirtualProtect
ole32.dll
0x1402678ec CoCreateGuid

EAT(Export Address Table) is none

Report - Rby1.exe

Signature (35cnts)

Rules (36cnts)

Network (53cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure