Report - ZeroBOX

ScreenShot

Info
Location map


Created	2024.06.27 17:12	Machine	s1_win7_x6401
Filename	build2.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	4	Behavior Score	15.8
ZERO API	file : malware
VT API (file)	59 detected (AIDetectMalware, Tepfer, malicious, high confidence, score, Lockbit, GenericKD, Unsafe, Save, Kryptik, HXFH, Artemis, RansomX, Fareit, None, Generic@AI, RDML, M1YwbxGM05L411jvS8iJwg, MalwareCrypter, tcyfx, DownLoader46, VIDAR, YXEE4Z, Real Protect, high, Krypt, Detected, Androm, PSWTroj, Stealc, Smokeloader, R650823, ZexaF, uq0@aiZA9WgG, GdSda, Gencirc, ai score=84, susgen, HBBY, confidence, 100%)
md5	335a64e110185d35bcfbc3ef86a382e9
sha256	8286d000d4045fe41788db22d353553ced31258eeaa0d52825e317f94d23dd9a
ssdeep	3072:V1dPzcpmx6U25NN9k9oqYRZn2uEm5nZTkvfXC5WhpNumh:V7Pz3xcNU9oquZ2uEmfTkXXNFumh
imphash	b3f7368a77856522320ff0e8d452c570
impfuzzy	24:rdbPaDeTMUkC1bkrIJcDAjgE4paOovEG/LiJEnchQFBRyv9kRT4BMjMVl77:rRaZsX4pdVG/mEchl9gcB5B

Network IP location

Signature (34cnts)

Level	Description
danger	File has been identified by 59 AntiVirus engines on VirusTotal as malicious
danger	Executed a process and injected code into it
watch	Allocates execute permission to another process indicative of possible code injection
watch	Checks the CPU name from registry
watch	Collects information about installed applications
watch	Communicates with host for which no DNS query was performed
watch	Deletes executed files from disk
watch	Harvests credentials from local FTP client softwares
watch	Network activity contains more than one unique useragent
watch	Potential code injection by writing to the memory of another process
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
watch	Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice	A process created a hidden window
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Creates a suspicious process
notice	Drops a binary and executes it
notice	Drops an executable to the user AppData folder
notice	Executes one or more WMI queries
notice	Foreign language identified in PE resource
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Potentially malicious URLs were found in the process memory dump
notice	Queries for potentially installed applications
notice	Searches running processes potentially to identify processes for sandbox evasion
notice	The binary likely contains encrypted or compressed data indicative of a packer
notice	Uses Windows utilities for basic Windows functionality
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Collects information to fingerprint the system (MachineGuid
info	Command line console output was observed
info	Queries for the computername
info	Tries to locate where the browsers are installed

Rules (29cnts)

Level	Name	Description	Collection
danger	Client_SW_User_Data_Stealer	Client_SW_User_Data_Stealer	memory
danger	Win32_PWS_Loki_m_Zero	Win32 PWS Loki	memory
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
warning	Generic_Malware_Zero	Generic Malware	binaries (upload)
warning	infoStealer_ftpClients_Zero	ftp clients info stealer	memory
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (upload)
watch	UPX_Zero	UPX packed file	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (upload)
notice	Code_injection	Code injection with CreateRemoteThread in a remote process	memory
notice	Generic_PWS_Memory_Zero	PWS Memory	memory
notice	Str_Win32_Http_API	Match Windows Http API call	memory
info	anti_dbg	Checks if being debugged	memory
info	antisb_threatExpert	Anti-Sandbox checks for ThreatExpert	memory
info	Check_Dlls	(no description)	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerException__SetConsoleCtrl	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (download)
info	OS_Processor_Check_Zero	OS Processor Check	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (6cnts) ?

Request	ASN Co	IP4	ZERO ?
https://steamcommunity.com/profiles/76561199695752269 whois	Akamai International B.V.	184.26.241.154	clean
t.me whois	Telegram Messenger Inc	149.154.167.99	mailcious
steamcommunity.com whois	AKAMAI-AS	23.59.200.146	mailcious
149.154.167.99 whois	Telegram Messenger Inc	149.154.167.99	mailcious
184.26.241.154 whois	Akamai International B.V.	184.26.241.154	mailcious
65.21.109.161 whois		65.21.109.161	clean

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
0x40d000 GlobalDeleteAtom
0x40d004 TryEnterCriticalSection
0x40d008 GetNumaProcessorNode
0x40d00c InterlockedDecrement
0x40d010 GetComputerNameW
0x40d014 GetTimeFormatA
0x40d018 GetModuleHandleW
0x40d01c EnumTimeFormatsA
0x40d020 ActivateActCtx
0x40d024 ReadFileScatter
0x40d028 WriteConsoleOutputA
0x40d02c InterlockedPopEntrySList
0x40d030 GetFileAttributesA
0x40d034 SetConsoleMode
0x40d038 GetConsoleAliasW
0x40d03c GetModuleFileNameW
0x40d040 SetConsoleTitleA
0x40d044 GetConsoleAliasesW
0x40d048 SetLastError
0x40d04c GetProcAddress
0x40d050 GetProcessHeaps
0x40d054 LocalLock
0x40d058 LoadLibraryA
0x40d05c UnhandledExceptionFilter
0x40d060 FreeEnvironmentStringsW
0x40d064 BuildCommDCBA
0x40d068 CompareStringA
0x40d06c GetShortPathNameW
0x40d070 GetFileInformationByHandle
0x40d074 LocalFileTimeToFileTime
0x40d078 MultiByteToWideChar
0x40d07c GetCommandLineA
0x40d080 GetStartupInfoA
0x40d084 RaiseException
0x40d088 RtlUnwind
0x40d08c TerminateProcess
0x40d090 GetCurrentProcess
0x40d094 SetUnhandledExceptionFilter
0x40d098 IsDebuggerPresent
0x40d09c GetCPInfo
0x40d0a0 InterlockedIncrement
0x40d0a4 GetACP
0x40d0a8 GetOEMCP
0x40d0ac IsValidCodePage
0x40d0b0 TlsGetValue
0x40d0b4 TlsAlloc
0x40d0b8 TlsSetValue
0x40d0bc TlsFree
0x40d0c0 GetCurrentThreadId
0x40d0c4 GetLastError
0x40d0c8 HeapAlloc
0x40d0cc HeapFree
0x40d0d0 EnterCriticalSection
0x40d0d4 LeaveCriticalSection
0x40d0d8 Sleep
0x40d0dc ExitProcess
0x40d0e0 WriteFile
0x40d0e4 GetStdHandle
0x40d0e8 GetModuleFileNameA
0x40d0ec FreeEnvironmentStringsA
0x40d0f0 GetEnvironmentStrings
0x40d0f4 WideCharToMultiByte
0x40d0f8 GetEnvironmentStringsW
0x40d0fc SetHandleCount
0x40d100 GetFileType
0x40d104 DeleteCriticalSection
0x40d108 HeapCreate
0x40d10c VirtualFree
0x40d110 QueryPerformanceCounter
0x40d114 GetTickCount
0x40d118 GetCurrentProcessId
0x40d11c GetSystemTimeAsFileTime
0x40d120 LCMapStringA
0x40d124 LCMapStringW
0x40d128 GetStringTypeA
0x40d12c GetStringTypeW
0x40d130 GetLocaleInfoA
0x40d134 SetFilePointer
0x40d138 GetConsoleCP
0x40d13c GetConsoleMode
0x40d140 VirtualAlloc
0x40d144 HeapReAlloc
0x40d148 HeapSize
0x40d14c InitializeCriticalSectionAndSpinCount
0x40d150 SetStdHandle
0x40d154 WriteConsoleA
0x40d158 GetConsoleOutputCP
0x40d15c WriteConsoleW
0x40d160 FlushFileBuffers
0x40d164 CreateFileA
0x40d168 CloseHandle

EAT(Export Address Table) is none

Report - build2.exe

Signature (34cnts)

Rules (29cnts)

Network (6cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure