Report - lobo.exe

Tags: Generic Malware, Malicious Library, UPX, Malicious Packer, ScreenShot, Anti_VM, AntiDebug, AntiVM, PE File, PE32, OS Processor Check, PE64, .NET EXE, DLL
Created 2024.07.25 09:01 Machine s1_win7_x6403
Filename lobo.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 16.2
ZERO API file : malicious
VT API (file)
md5 848abdbd09c052799a0e0180b59f6fee
sha256 1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109
ssdeep 6144:/DiElZeVJ9/+pPQHe5wocklXck9UBd4MvQhdaAadaH8CaTnlmIa+w4Iqr6KGus24:/DiETMgqkKBJm5+fnHYftcv7vQG6zIs
imphash 89d186e701948ed4026afa52bc6342f0
impfuzzy 48:ZW0XOzMrlvqQcpV5CrMdtmG7pZO3gFZS70HNwjo:tXm2lSQcpV5oMdtmG7pZ9SkNw8

Signature (36cnts)

Level Description
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Attempts to create or modify system certificates
watch Checks the version of Bios
watch Code injection by writing an executable or DLL to the memory of another process
watch Communicates with host for which no DNS query was performed
watch Detects Avast Antivirus through the presence of a library
watch Harvests credentials from local email clients
watch Installs itself for autorun at Windows startup
watch One or more of the buffers contains an embedded PE file
watch Potential code injection by writing to the memory of another process
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice A process attempted to delay the analysis task
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process explert.exe
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (26cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
notice ScreenShot Take ScreenShot memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (13cnts)

Request CC ASN Co IP4 Rule ZERO
http://185.196.10.57/selectex-file-host/acev.exe CH Simple Carrier LLC 185.196.10.57 malware
http://185.216.214.218/Population.exe DE Metaliance ISP Systems e.k 185.216.214.218 41325 malicious
http://185.196.10.57/selectex-file-host/linkedin.exe CH Simple Carrier LLC 185.196.10.57 clean
http://185.196.10.57/selectex-file-host/Tgnviazinc.exe CH Simple Carrier LLC 185.196.10.57 clean
https://solutionhub.cc/socket/?id=08CA843D0A15D2560E8FA7EE94E71AC9B38318DF02721EA26194DF153A2BEEA0&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=1CC68878051DC553418AD7&tsk=5C9F US CLOUDFLARENET 172.67.128.126 clean
https://solutionhub.cc/socket/?id=08CA843D0A15D2560E8FA7EE94E71AC9B38318DF02721EA26194DF153A2BEEA0&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=1CC68878051DC553418AD7&tsk=5F91 US CLOUDFLARENET 172.67.128.126 clean
https://solutionhub.cc/socket/?id=08CA843D0A15D2560E8FA7EE94E71AC9B38318DF02721EA26194DF153A2BEEA0&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=1CC68878051DC553418AD7 US CLOUDFLARENET 172.67.128.126 clean
https://solutionhub.cc/socket/?id=08CA843D0A15D2560E8FA7EE94E71AC9B38318DF02721EA26194DF153A2BEEA0&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=1CC68878051DC553418AD7&tsk=5D US CLOUDFLARENET 172.67.128.126 clean
https://solutionhub.cc/socket/?id=08CA843D0A15D2560E8FA7EE94E71AC9B38318DF02721EA26194DF153A2BEEA0&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=1CC68878051DC553418AD7&tsk=5F90 US CLOUDFLARENET 172.67.128.126 clean
solutionhub.cc US CLOUDFLARENET 172.67.128.126 malware
185.196.10.57 CH Simple Carrier LLC 185.196.10.57 malware
185.216.214.218 DE Metaliance ISP Systems e.k 185.216.214.218 malicious
172.67.128.126 US CLOUDFLARENET 172.67.128.126 malicious

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x43e018 ReadProcessMemory
 0x43e01c WriteProcessMemory
 0x43e020 GetModuleHandleA
 0x43e024 GetProcAddress
 0x43e028 GetEnvironmentVariableA
 0x43e02c CreateDirectoryA
 0x43e030 WaitForSingleObject
 0x43e034 CreateMutexA
 0x43e038 Sleep
 0x43e03c GetModuleFileNameA
 0x43e040 VirtualProtectEx
 0x43e044 CreateProcessW
 0x43e048 GetVersion
 0x43e04c GetComputerNameA
 0x43e050 WriteConsoleW
 0x43e054 HeapSize
 0x43e058 CreateFileW
 0x43e05c GetProcessHeap
 0x43e060 SetStdHandle
 0x43e064 VirtualAllocEx
 0x43e068 VirtualAlloc
 0x43e06c SetThreadContext
 0x43e070 GetThreadContext
 0x43e074 CreateProcessA
 0x43e078 ResumeThread
 0x43e07c K32GetModuleFileNameExA
 0x43e080 GetLastError
 0x43e084 K32EnumProcesses
 0x43e088 OpenProcess
 0x43e08c TerminateProcess
 0x43e090 GetCurrentProcessId
 0x43e094 CopyFileA
 0x43e098 CloseHandle
 0x43e09c SetEnvironmentVariableW
 0x43e0a0 FreeEnvironmentStringsW
 0x43e0a4 GetEnvironmentStringsW
 0x43e0a8 GetOEMCP
 0x43e0ac GetACP
 0x43e0b0 IsValidCodePage
 0x43e0b4 FindNextFileW
 0x43e0b8 FindFirstFileExW
 0x43e0bc FindClose
 0x43e0c0 HeapReAlloc
 0x43e0c4 ReadConsoleW
 0x43e0c8 SetFilePointerEx
 0x43e0cc GetFileSizeEx
 0x43e0d0 ReadFile
 0x43e0d4 GetConsoleMode
 0x43e0d8 GetConsoleOutputCP
 0x43e0dc FlushFileBuffers
 0x43e0e0 GetFileType
 0x43e0e4 GetCurrentThreadId
 0x43e0e8 WideCharToMultiByte
 0x43e0ec EnterCriticalSection
 0x43e0f0 LeaveCriticalSection
 0x43e0f4 InitializeCriticalSectionEx
 0x43e0f8 DeleteCriticalSection
 0x43e0fc EncodePointer
 0x43e100 DecodePointer
 0x43e104 MultiByteToWideChar
 0x43e108 LCMapStringEx
 0x43e10c CompareStringEx
 0x43e110 GetCPInfo
 0x43e114 QueryPerformanceCounter
 0x43e118 GetSystemTimeAsFileTime
 0x43e11c GetModuleHandleW
 0x43e120 GetStringTypeW
 0x43e124 IsProcessorFeaturePresent
 0x43e128 InitializeSListHead
 0x43e12c IsDebuggerPresent
 0x43e130 UnhandledExceptionFilter
 0x43e134 SetUnhandledExceptionFilter
 0x43e138 GetStartupInfoW
 0x43e13c GetCurrentProcess
 0x43e140 RaiseException
 0x43e144 RtlUnwind
 0x43e148 SetLastError
 0x43e14c InitializeCriticalSectionAndSpinCount
 0x43e150 TlsAlloc
 0x43e154 TlsGetValue
 0x43e158 TlsSetValue
 0x43e15c TlsFree
 0x43e160 FreeLibrary
 0x43e164 LoadLibraryExW
 0x43e168 ExitProcess
 0x43e16c GetModuleHandleExW
 0x43e170 CreateThread
 0x43e174 ExitThread
 0x43e178 FreeLibraryAndExitThread
 0x43e17c GetStdHandle
 0x43e180 WriteFile
 0x43e184 GetModuleFileNameW
 0x43e188 GetCommandLineA
 0x43e18c GetCommandLineW
 0x43e190 HeapFree
 0x43e194 HeapAlloc
 0x43e198 CompareStringW
 0x43e19c LCMapStringW
 0x43e1a0 GetLocaleInfoW
 0x43e1a4 IsValidLocale
 0x43e1a8 GetUserDefaultLCID
 0x43e1ac EnumSystemLocalesW
 0x43e1b0 SetEndOfFile
ADVAPI32.dll
 0x43e000 RegSetValueExA
 0x43e004 RegQueryValueExA
 0x43e008 RegOpenKeyExA
 0x43e00c RegCloseKey
 0x43e010 GetUserNameA
SHELL32.dll
 0x43e1cc ShellExecuteA
ole32.dll
 0x43e1e8 CoInitializeEx
 0x43e1ec CoInitializeSecurity
 0x43e1f0 CoSetProxyBlanket
 0x43e1f4 CoCreateInstance
 0x43e1f8 CoUninitialize
OLEAUT32.dll
 0x43e1b8 SysAllocString
 0x43e1bc SysFreeString
 0x43e1c0 VariantInit
 0x43e1c4 VariantClear
WININET.dll
 0x43e1d4 InternetReadFile
 0x43e1d8 InternetOpenW
 0x43e1dc InternetOpenUrlA
 0x43e1e0 InternetCloseHandle

EAT (Export Address Table): none
