Report - buildcr.exe

Created 2024.07.02 07:54 Machine s1_win7_x6403
Filename buildcr.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 12.2
ZERO API (file): malware
VT API (file) 55 detected (AIDetectMalware, malicious, high confidence, score, Lockbit, Unsafe, Save, Attribute, HighConfidence, Kryptik, HXJY, Artemis, BootkitX, Strab, CLOUD, SMOKELOADER, YXEF2Z, Real Protect, moderate, Krypt, Detected, ai score=81, Malware@#3d11euvqed7s1, StealC, 19KREOO, Eldorado, ZexaF, Yq0@aiN8SzoG, BScope, Convagent, GdSda, Static AI, Malicious PE, susgen, Conwise, confidence, 100%)
md5 88932ab33c38072946abc06b426d33b8
sha256 d47e05b0ad27c651fb9cf73444e1f6a26514acb16998e92fca8be115ae6a2dee
ssdeep 12288:qIowhzaoWcGawk7yVe+H1JU7VuzpzS3oxAiXZcmQGLu5t15KBM0JiY3u3SZtr9XW:vhzL5MkmQ+H/2KFXVotzeM03aSpyr
imphash 9ab579f0940038199ed136d401eb2211
impfuzzy 24:Zrm6HlTCkRkrcDoi8dQB9/CzRyYXqaLkeJ3QcfdYjYyvOHuO2SBOluf/jMrSGmEo:zS48dHtyYrhQcfCpm2SBOsWvo

Signatures (25)

Level Description
danger File has been identified by 55 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to create or modify system certificates
watch Installs itself for autorun at Windows startup
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Uses suspicious command line tools or Windows utilities
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process buildcr.exe
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Foreign language identified in PE resource
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername

Rules (28)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero_m [m] Generic Malware memory
warning Suspicious_Obfuscation_Script_2 Suspicious obfuscation script (e.g. executable files) binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch schtasks_Zero task schedule memory
watch UPX_Zero UPX packed file binaries (download)
notice Generic_PWS_Memory_Zero PWS Memory memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (10)

Request CC ASN Co IP4 Rule ZERO
http://defgyma.com/dl/build2.exe CO EPM Telecomunicaciones S.A. E.S.P. 181.128.122.163 40622 malware
http://cajgtus.com/test2/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true MY TM Net, Internet Service Provider 219.92.154.145 malicious
http://cajgtus.com/files/1/build3.exe MX Uninet S.A. de C.V. 187.134.57.31 40623 malware
https://api.2ip.ua/geo.json US CLOUDFLARENET 104.21.65.24 clean
defgyma.com CO Colombia Movil 181.204.98.226 malware
api.2ip.ua US CLOUDFLARENET 104.21.65.24 clean
cajgtus.com GE JSC Silknet 178.134.214.182 malware
104.21.65.24 US CLOUDFLARENET 104.21.65.24 clean
186.233.231.45 BR Solucao Network Provedor Ltda 186.233.231.45 clean
190.13.174.94 CL Telefonica del Sur S.A. 190.13.174.94 clean

Suricata IDS

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x40b010 SetVolumeMountPointW
 0x40b014 GetComputerNameW
 0x40b018 SetCommBreak
 0x40b01c SleepEx
 0x40b020 GetCommProperties
 0x40b024 GetModuleHandleW
 0x40b028 GetTickCount
 0x40b02c EnumCalendarInfoExW
 0x40b030 GlobalAlloc
 0x40b034 GetConsoleAliasExesLengthW
 0x40b038 WriteConsoleOutputA
 0x40b03c lstrcpynW
 0x40b040 GetModuleFileNameW
 0x40b044 GetConsoleAliasesW
 0x40b048 CreateJobObjectW
 0x40b04c GetProcAddress
 0x40b050 LoadLibraryA
 0x40b054 WriteConsoleA
 0x40b058 UnhandledExceptionFilter
 0x40b05c InterlockedExchangeAdd
 0x40b060 LocalAlloc
 0x40b064 AddAtomW
 0x40b068 AddAtomA
 0x40b06c FoldStringA
 0x40b070 lstrcatW
 0x40b074 GetConsoleTitleW
 0x40b078 BuildCommDCBA
 0x40b07c FindFirstVolumeW
 0x40b080 AreFileApisANSI
 0x40b084 ZombifyActCtx
 0x40b088 GetLogicalDriveStringsW
 0x40b08c GetLastError
 0x40b090 OpenJobObjectA
 0x40b094 CreateFileA
 0x40b098 WriteConsoleW
 0x40b09c MultiByteToWideChar
 0x40b0a0 HeapAlloc
 0x40b0a4 HeapReAlloc
 0x40b0a8 GetStartupInfoW
 0x40b0ac TerminateProcess
 0x40b0b0 GetCurrentProcess
 0x40b0b4 SetUnhandledExceptionFilter
 0x40b0b8 IsDebuggerPresent
 0x40b0bc GetCPInfo
 0x40b0c0 InterlockedIncrement
 0x40b0c4 InterlockedDecrement
 0x40b0c8 GetACP
 0x40b0cc GetOEMCP
 0x40b0d0 IsValidCodePage
 0x40b0d4 TlsGetValue
 0x40b0d8 TlsAlloc
 0x40b0dc TlsSetValue
 0x40b0e0 TlsFree
 0x40b0e4 SetLastError
 0x40b0e8 GetCurrentThreadId
 0x40b0ec DeleteCriticalSection
 0x40b0f0 LeaveCriticalSection
 0x40b0f4 EnterCriticalSection
 0x40b0f8 HeapFree
 0x40b0fc VirtualFree
 0x40b100 VirtualAlloc
 0x40b104 HeapCreate
 0x40b108 Sleep
 0x40b10c ExitProcess
 0x40b110 WriteFile
 0x40b114 GetStdHandle
 0x40b118 GetModuleFileNameA
 0x40b11c SetHandleCount
 0x40b120 GetFileType
 0x40b124 GetStartupInfoA
 0x40b128 HeapSize
 0x40b12c FreeEnvironmentStringsW
 0x40b130 GetEnvironmentStringsW
 0x40b134 GetCommandLineW
 0x40b138 QueryPerformanceCounter
 0x40b13c GetCurrentProcessId
 0x40b140 GetSystemTimeAsFileTime
 0x40b144 LCMapStringA
 0x40b148 WideCharToMultiByte
 0x40b14c LCMapStringW
 0x40b150 GetStringTypeA
 0x40b154 GetStringTypeW
 0x40b158 GetLocaleInfoA
 0x40b15c InitializeCriticalSectionAndSpinCount
 0x40b160 RtlUnwind
 0x40b164 ReadFile
 0x40b168 GetConsoleCP
 0x40b16c GetConsoleMode
 0x40b170 FlushFileBuffers
 0x40b174 SetFilePointer
 0x40b178 SetStdHandle
 0x40b17c CloseHandle
 0x40b180 GetConsoleOutputCP
GDI32.dll
 0x40b008 GetCharWidth32W
ADVAPI32.dll
 0x40b000 EnumDependentServicesW
ole32.dll
 0x40b190 CoTaskMemAlloc
WINHTTP.dll
 0x40b188 WinHttpAddRequestHeaders

EAT (Export Address Table): none