Report - ZeroBOX

ScreenShot

Info
Location map


Created	2024.06.10 10:10	Machine	s1_win7_x6401
Filename	loader-1001.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
AI Score	9	Behavior Score	10.2
ZERO API	file : malware
VT API (file)	31 detected (AIDetectMalware, Unsafe, V3ip, malicious, high confidence, Artemis, NSIS, PWSX, VIDAR, YXEEBZ, moderate, score, Phonzy, ABRisk, CKWD, Static AI, Suspicious PE, PossibleThreat)
md5	58ca6d5068fa4fed981cf5ef8a04e4d5
sha256	abc83f0b74c53bc98b6147e7fcc2a41c0a925bce79636b9557c0bb372e4f1205
ssdeep	1536:XferrLkSRoe8C4UZsys0Dh1duFp+FI+PlQ:Xfi3k+oWDBDh1duFpDWlQ
imphash	f4639a0b3116c2cfc71144b88a929cfd
impfuzzy	48:7/dKePusa/toE77+nzEqQ7/allLHAOe+ztlkAOr8L5Sv0WbP06Uyv5/1byAknBoJ:bdKemvafl5APkTPF84O

Network IP location

Signature (25cnts)

Level	Description
danger	File has been identified by 31 AntiVirus engines on VirusTotal as malicious
watch	Creates a suspicious Powershell process
watch	Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
watch	The process powershell.exe wrote an executable file to disk
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates a shortcut to an executable file
notice	Creates a suspicious process
notice	Creates executable files on the filesystem
notice	Drops a binary and executes it
notice	Drops an executable to the user AppData folder
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Poweshell is sending data to a remote host
notice	URL downloaded by powershell script
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	One or more processes crashed
info	Queries for the computername
info	The executable contains unknown PE section names indicative of a packer (could be a false positive)
info	Uses Windows APIs to generate a cryptographic key

Rules (47cnts)

Level	Name	Description	Collection
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
warning	NSIS_Installer	Null Soft Installer	binaries (upload)
watch	Antivirus	Contains references to security software	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
watch	Network_Downloader	File Downloader	memory
watch	UPX_Zero	UPX packed file	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (upload)
notice	Code_injection	Code injection with CreateRemoteThread in a remote process	memory
notice	Create_Service	Create a windows service	memory
notice	Escalate_priviledges	Escalate priviledges	memory
notice	Generic_PWS_Memory_Zero	PWS Memory	memory
notice	KeyLogger	Run a KeyLogger	memory
notice	local_credential_Steal	Steal credential	memory
notice	Network_DGA	Communication using DGA	memory
notice	Network_DNS	Communications use DNS	memory
notice	Network_FTP	Communications over FTP	memory
notice	Network_HTTP	Communications over HTTP	memory
notice	Network_P2P_Win	Communications over P2P network	memory
notice	Network_TCP_Socket	Communications over RAW Socket	memory
notice	ScreenShot	Take ScreenShot	memory
notice	Sniff_Audio	Record Audio	memory
notice	Str_Win32_Http_API	Match Windows Http API call	memory
notice	Str_Win32_Internet_API	Match Windows Inet API call	memory
info	anti_dbg	Checks if being debugged	memory
info	antisb_threatExpert	Anti-Sandbox checks for ThreatExpert	memory
info	Check_Dlls	(no description)	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerCheck__RemoteAPI	(no description)	memory
info	DebuggerException__ConsoleCtrl	(no description)	memory
info	DebuggerException__SetConsoleCtrl	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	IsDLL	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	IsPE64	(no description)	binaries (download)
info	mzp_file_format	MZP(Delphi) file format	binaries (download)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)
info	PowerShell	PowerShell script	scripts
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory
info	win_hook	Affect hook table	memory

Network (14cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://apps.identrust.com/roots/dstrootcax3.p7c whois	Akamai International B.V.	23.210.247.57		clean
https://cdn-edge-node.com/online_security_mkl.exe whois	CLOUDFLARENET	172.67.165.254	39716	mailcious
https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1001 whois	AMAZON-02	13.225.110.102	39690	mailcious
https://d2lvl7wmj7b91p.cloudfront.net/load/load.php?c=1001 whois		54.230.169.11		clean
https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1001 whois	AMAZON-02	13.225.110.102	39689	mailcious
d2lvl7wmj7b91p.cloudfront.net whois		54.230.169.96		clean
d22hce23hy1ej9.cloudfront.net whois	AMAZON-02	13.225.110.70		mailcious
adblock2024.shop whois	CLOUDFLARENET	104.21.43.83		mailcious
cdn-edge-node.com whois	CLOUDFLARENET	104.21.11.117		mailcious
54.230.169.11 whois		54.230.169.11		clean
172.67.165.254 whois	CLOUDFLARENET	172.67.165.254		mailcious
121.254.136.18 whois	LG DACOM Corporation	121.254.136.18		clean
13.225.110.102 whois	AMAZON-02	13.225.110.102		clean
172.67.176.247 whois	CLOUDFLARENET	172.67.176.247		clean

Suricata ids

PE API

IAT(Import Address Table) Library

ADVAPI32.dll
0x408000 RegEnumValueW
0x408004 RegEnumKeyW
0x408008 RegQueryValueExW
0x40800c RegSetValueExW
0x408010 RegCloseKey
0x408014 RegDeleteValueW
0x408018 RegDeleteKeyW
0x40801c AdjustTokenPrivileges
0x408020 LookupPrivilegeValueW
0x408024 OpenProcessToken
0x408028 RegOpenKeyExW
0x40802c RegCreateKeyExW
SHELL32.dll
0x408174 SHGetPathFromIDListW
0x408178 SHBrowseForFolderW
0x40817c SHGetFileInfoW
0x408180 SHFileOperationW
0x408184 ShellExecuteExW
ole32.dll
0x408290 CoCreateInstance
0x408294 OleUninitialize
0x408298 OleInitialize
0x40829c IIDFromString
0x4082a0 CoTaskMemFree
COMCTL32.dll
0x408034 ImageList_Destroy
0x408038 None
0x40803c ImageList_AddMasked
0x408040 ImageList_Create
USER32.dll
0x40818c MessageBoxIndirectW
0x408190 GetDlgItemTextW
0x408194 SetDlgItemTextW
0x408198 CreatePopupMenu
0x40819c AppendMenuW
0x4081a0 TrackPopupMenu
0x4081a4 OpenClipboard
0x4081a8 EmptyClipboard
0x4081ac SetClipboardData
0x4081b0 CloseClipboard
0x4081b4 IsWindowVisible
0x4081b8 CallWindowProcW
0x4081bc GetMessagePos
0x4081c0 CheckDlgButton
0x4081c4 LoadCursorW
0x4081c8 SetCursor
0x4081cc GetSysColor
0x4081d0 SetWindowPos
0x4081d4 GetWindowLongW
0x4081d8 IsWindowEnabled
0x4081dc SetClassLongW
0x4081e0 GetSystemMenu
0x4081e4 EnableMenuItem
0x4081e8 GetWindowRect
0x4081ec ScreenToClient
0x4081f0 EndDialog
0x4081f4 RegisterClassW
0x4081f8 SystemParametersInfoW
0x4081fc CharPrevW
0x408200 GetClassInfoW
0x408204 DialogBoxParamW
0x408208 CharNextW
0x40820c ExitWindowsEx
0x408210 DestroyWindow
0x408214 CreateDialogParamW
0x408218 SetTimer
0x40821c SetWindowTextW
0x408220 PostQuitMessage
0x408224 SetForegroundWindow
0x408228 ShowWindow
0x40822c wsprintfW
0x408230 SendMessageTimeoutW
0x408234 FindWindowExW
0x408238 IsWindow
0x40823c GetDlgItem
0x408240 SetWindowLongW
0x408244 LoadImageW
0x408248 GetDC
0x40824c ReleaseDC
0x408250 EnableWindow
0x408254 InvalidateRect
0x408258 SendMessageW
0x40825c DefWindowProcW
0x408260 BeginPaint
0x408264 GetClientRect
0x408268 FillRect
0x40826c DrawTextW
0x408270 EndPaint
0x408274 CharNextA
0x408278 wsprintfA
0x40827c DispatchMessageW
0x408280 CreateWindowExW
0x408284 PeekMessageW
0x408288 GetSystemMetrics
GDI32.dll
0x408048 GetDeviceCaps
0x40804c SetBkColor
0x408050 SelectObject
0x408054 DeleteObject
0x408058 CreateBrushIndirect
0x40805c CreateFontIndirectW
0x408060 SetBkMode
0x408064 SetTextColor
KERNEL32.dll
0x40806c lstrcmpiA
0x408070 CreateFileW
0x408074 GetTempFileNameW
0x408078 RemoveDirectoryW
0x40807c CreateProcessW
0x408080 CreateDirectoryW
0x408084 GetLastError
0x408088 CreateThread
0x40808c GlobalLock
0x408090 GlobalUnlock
0x408094 GetDiskFreeSpaceW
0x408098 WideCharToMultiByte
0x40809c lstrcpynW
0x4080a0 lstrlenW
0x4080a4 SetErrorMode
0x4080a8 GetVersionExW
0x4080ac GetCommandLineW
0x4080b0 GetTempPathW
0x4080b4 GetWindowsDirectoryW
0x4080b8 WriteFile
0x4080bc CopyFileW
0x4080c0 ExitProcess
0x4080c4 GetCurrentProcess
0x4080c8 GetModuleFileNameW
0x4080cc GetFileSize
0x4080d0 GetTickCount
0x4080d4 Sleep
0x4080d8 SetFileAttributesW
0x4080dc GetFileAttributesW
0x4080e0 SetCurrentDirectoryW
0x4080e4 MoveFileW
0x4080e8 GetFullPathNameW
0x4080ec GetShortPathNameW
0x4080f0 SearchPathW
0x4080f4 CompareFileTime
0x4080f8 SetFileTime
0x4080fc CloseHandle
0x408100 lstrcmpiW
0x408104 lstrcmpW
0x408108 ExpandEnvironmentStringsW
0x40810c GlobalFree
0x408110 GlobalAlloc
0x408114 GetModuleHandleW
0x408118 LoadLibraryExW
0x40811c FreeLibrary
0x408120 WritePrivateProfileStringW
0x408124 GetPrivateProfileStringW
0x408128 lstrlenA
0x40812c MultiByteToWideChar
0x408130 ReadFile
0x408134 SetFilePointer
0x408138 FindClose
0x40813c FindNextFileW
0x408140 FindFirstFileW
0x408144 DeleteFileW
0x408148 MulDiv
0x40814c lstrcpyA
0x408150 MoveFileExW
0x408154 lstrcatW
0x408158 GetSystemDirectoryW
0x40815c GetProcAddress
0x408160 GetModuleHandleA
0x408164 GetExitCodeProcess
0x408168 WaitForSingleObject
0x40816c SetEnvironmentVariableW

EAT(Export Address Table) is none

Report - loader-1001.exe

Signature (25cnts)

Rules (47cnts)

Network (14cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure