Report - file234.exe

Tags: Malicious Library, Malicious Packer, Antivirus, UPX, AntiDebug, AntiVM, PE File, PE64, OS Processor Check, PE32
Created 2024.08.09 09:27 Machine s1_win7_x6401
Filename file234.exe
Type PE32+ executable (console) x86-64, for MS Windows
AI Score 1
Behavior Score 12.0
ZERO API file: malicious
VT API (file): 49 detected (AIDetectMalware, Injuke, Artemis, Unsafe, Remcos, Vlar, PSWStealer, Attribute, HighConfidence, malicious, high confidence, GenKryptik, GZZF, MalwareX, oevc, CLASSIC, ssycy, Inject5, OPERALOADER, YXEHCZ, Detected, ai score=80, Kryptik, Stealerc, R659729, GdSda, Gencirc, MAGC, GOP9)
md5 def6f274c14351d9cf0f49798b5a833d
sha256 755e26648921c2f5a9a8cb424fef4349958456144470377990788b2f4a58f505
ssdeep 49152:xWiP0wV0hJ5VGx6ODJ1+DEtWX33oG1Sdfol:FVUckab9G
imphash 18cd531cc44c9bf7f4a78c62c15c1c41
impfuzzy 96:C6KC7Xg3BueJcxL/eQUKU5ja9VmHTXrR9X1MqPIXeQky0uGdL2Ey0F:CF0Q3BmVST7R9FMoIuDaxEy0F

Signatures (26)

Level Description
danger File has been identified by 49 AntiVirus engines on VirusTotal as malicious
danger Executed a process and injected code into it
watch Allocates execute permission to another process indicative of possible code injection
watch Communicates with host for which no DNS query was performed
watch Drops a binary and executes it
watch Installs itself for autorun at Windows startup
watch Looks for the Windows Idle Time to determine the uptime
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process caspol.exe (the .NET Framework Code Access Security Policy tool, a Microsoft-signed binary; consistent with the injection signatures above, the download is attributed to that process rather than to file234.exe itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice Resolves a suspicious Top Level Domain (TLD)
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (19)

Level Name Description Collection
(Collection: "binaries (upload)" is the submitted sample, "binaries (download)" the payloads it fetched during the run, "memory" the process memory dump. The IsPE64 (upload) / IsPE32 (download) pair shows the 64-bit sample pulling down 32-bit, UPX-packed second-stage executables.)
watch Antivirus Contains references to security software binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE64 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (22)

Request | CC | ASN | IPv4 | Rule | ZERO verdict
http://194.58.114.223/d/385121 | RU | Domain names registrar REG.RU, Ltd | 194.58.114.223 | - | clean
http://ironmanrecycling.com/get/setup1.exe | RU | OOO FREEnet Group | 147.45.60.44 | - | malware
https://pastebin.com/raw/xYhKBupz | US | CLOUDFLARENET | 104.20.3.235 | 36780 | malicious
https://yip.su/RNWPd.exe | US | CLOUDFLARENET | 104.21.79.77 | 37623 | malware
https://iplogger.com/1uNwK4 | US | CLOUDFLARENET | 104.21.76.57 | - | clean
https://cdn.discordapp.com/attachments/1271038807315185718/1271141520195715093/setup.exe?ex=66b6424b&is=66b4f0cb&hm=de560db8ff6dd3fa9ac31172f1bd3d348b35190c8d570ea98c882ca3b5c00fdd& | Unknown | - | 162.159.133.233 | - | clean
https://github.com/evan9908/Setup/raw/main/Filemy.exe | US | MICROSOFT-CORP-MSN-AS-BLOCK | 20.200.245.247 | - | clean
yip.su | US | CLOUDFLARENET | 104.21.79.77 | - | malicious
github.com | US | MICROSOFT-CORP-MSN-AS-BLOCK | 20.200.245.247 | - | malicious
pastebin.com | US | CLOUDFLARENET | 172.67.19.24 | - | malicious
iplogger.com | US | CLOUDFLARENET | 172.67.188.178 | - | malicious
cdn.discordapp.com | Unknown | - | 162.159.135.233 | - | malware
raw.githubusercontent.com | US | FASTLY | 185.199.110.133 | - | malware
ironmanrecycling.com | RU | OOO FREEnet Group | 147.45.60.44 | - | malware
104.20.3.235 | US | CLOUDFLARENET | 104.20.3.235 | - | malware
147.45.60.44 | RU | OOO FREEnet Group | 147.45.60.44 | - | malware
162.159.133.233 | Unknown | - | 162.159.133.233 | - | malware
185.199.111.133 | US | FASTLY | 185.199.111.133 | - | malicious
104.21.76.57 | US | CLOUDFLARENET | 104.21.76.57 | - | clean
104.21.79.77 | US | CLOUDFLARENET | 104.21.79.77 | - | phishing
194.58.114.223 | RU | Domain names registrar REG.RU, Ltd | 194.58.114.223 | - | malicious
20.200.245.247 | US | MICROSOFT-CORP-MSN-AS-BLOCK | 20.200.245.247 | - | malware
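The Network table mixes three indicator kinds of very different fidelity: full URLs (the actual stage download paths), bare hostnames, and resolved IPs, and several of the hosts and addresses are shared platforms (GitHub, Pastebin, the Discord CDN, and Cloudflare/Fastly/Microsoft ranges per the ASN column) on which the sample's stages merely happened to be hosted. The Python below is an added example, not the sandbox's code: it loads the table's indicators and verdicts, matches constructed proxy log lines against them, and grades each hit so that an exact URL is a high-fidelity hit while a bare github.com or Cloudflare IP hit is reported as context rather than a block candidate. The SHARED_HOSTS/SHARED_IPS policy and the log-line format are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicator rows copied from the Network table of this report: (indicator, ZERO verdict).
# The CC/ASN/Rule columns are dropped; only the indicator and the verdict drive matching.
REPORT_NETWORK = [
    ("http://194.58.114.223/d/385121", "clean"),
    ("http://ironmanrecycling.com/get/setup1.exe", "malware"),
    ("https://pastebin.com/raw/xYhKBupz", "malicious"),
    ("https://yip.su/RNWPd.exe", "malware"),
    ("https://iplogger.com/1uNwK4", "clean"),
    ("https://cdn.discordapp.com/attachments/1271038807315185718/1271141520195715093/setup.exe"
     "?ex=66b6424b&is=66b4f0cb&hm=de560db8ff6dd3fa9ac31172f1bd3d348b35190c8d570ea98c882ca3b5c00fdd&", "clean"),
    ("https://github.com/evan9908/Setup/raw/main/Filemy.exe", "clean"),
    ("yip.su", "malicious"), ("github.com", "malicious"), ("pastebin.com", "malicious"),
    ("iplogger.com", "malicious"), ("cdn.discordapp.com", "malware"),
    ("raw.githubusercontent.com", "malware"), ("ironmanrecycling.com", "malware"),
    ("104.20.3.235", "malware"), ("147.45.60.44", "malware"), ("162.159.133.233", "malware"),
    ("185.199.111.133", "malicious"), ("104.21.76.57", "clean"), ("104.21.79.77", "phishing"),
    ("194.58.114.223", "malicious"), ("20.200.245.247", "malware"),
]

# Assumption (analyst policy, not from the report): bare hits on shared platforms and on
# CDN/cloud addresses (CLOUDFLARENET, FASTLY, MICROSOFT, Discord CDN in the ASN column)
# are context only; a block must key on the full URL.
SHARED_HOSTS = {"github.com", "raw.githubusercontent.com", "pastebin.com", "cdn.discordapp.com"}
SHARED_IPS = {"104.20.3.235", "162.159.133.233", "185.199.111.133",
              "104.21.76.57", "104.21.79.77", "20.200.245.247"}


def build_index(rows):
    """Split indicators into exact URLs, hostnames and IP addresses (three dicts)."""
    urls, hosts, ips = {}, {}, {}
    for indicator, verdict in rows:
        if "://" in indicator:
            urls[indicator] = verdict
            continue
        try:
            ips[str(ipaddress.ip_address(indicator))] = verdict
        except ValueError:
            hosts[indicator.lower()] = verdict
    return urls, hosts, ips


def match_log_line(line, index):
    """Match one proxy log line in the constructed form 'timestamp client dst_ip url'.

    Precedence: exact URL (high) > dedicated host or IP (medium) > shared host or IP (low).
    Returns None when nothing from the report applies.
    """
    urls, hosts, ips = index
    ts, client, dst_ip, url = line.split(maxsplit=3)
    host = (urlsplit(url).hostname or "").lower()

    def hit(level, kind, indicator, verdict):
        return {"ts": ts, "client": client, "level": level, "kind": kind,
                "indicator": indicator, "verdict": verdict}

    if url in urls:
        return hit("high", "url", url, urls[url])
    if host in hosts:
        return hit("low" if host in SHARED_HOSTS else "medium", "host", host, hosts[host])
    for ip in (host, dst_ip):  # the URL may name the IP itself, or only the proxy saw it
        if ip in ips:
            return hit("low" if ip in SHARED_IPS else "medium", "ip", ip, ips[ip])
    return None


def scan(log_lines, index):
    """Return every hit, in log order, dropping lines that match nothing."""
    return [h for h in (match_log_line(line, index) for line in log_lines) if h]


# Constructed proxy log (not from the report); RFC 5737 addresses stand in for unrelated hosts.
SAMPLE_PROXY_LOG = [
    "2024-08-09T09:30:01Z 10.0.0.15 147.45.60.44 http://ironmanrecycling.com/get/setup1.exe",
    "2024-08-09T09:30:02Z 10.0.0.15 104.20.3.235 https://pastebin.com/raw/xYhKBupz",
    "2024-08-09T09:31:10Z 10.0.0.22 203.0.113.10 https://github.com/python/cpython",
    "2024-08-09T09:32:00Z 10.0.0.22 104.21.79.77 https://yip.su/RNWPd.exe",
    "2024-08-09T09:32:30Z 10.0.0.40 147.45.60.44 http://147.45.60.44/other.bin",
    "2024-08-09T09:32:45Z 10.0.0.40 104.21.79.77 https://some-other-site.example/",
    "2024-08-09T09:33:00Z 10.0.0.31 203.0.113.20 https://example.com/index.html",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_PROXY_LOG, build_index(REPORT_NETWORK)):
        print(f'{h["level"]:6} {h["kind"]:4} {h["client"]:10} {h["verdict"]:9} {h["indicator"]}')
```

Note that the verdict is carried through unchanged: the sandbox marked several of the stage URLs "clean" while marking the hosting IP "malicious", so the level reflects only how specific the match is and the analyst still weighs the verdict column.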

Suricata IDs

PE API

IAT (Import Address Table)

ADVAPI32.dll
 0x140194000 RegCloseKey
 0x140194008 RegEnumValueW
 0x140194010 RegOpenKeyExW
 0x140194018 RegQueryValueExW
 0x140194020 RegCreateKeyExW
 0x140194028 RegDeleteKeyExW
 0x140194030 RegDeleteValueW
 0x140194038 RegEnumKeyExW
 0x140194040 RegFlushKey
 0x140194048 RegQueryInfoKeyW
 0x140194050 RegSetValueExW
 0x140194058 CreateWellKnownSid
 0x140194060 GetWindowsAccountDomainSid
 0x140194068 LookupPrivilegeValueW
 0x140194070 RevertToSelf
 0x140194078 OpenThreadToken
 0x140194080 OpenProcessToken
 0x140194088 SetThreadToken
 0x140194090 AdjustTokenPrivileges
 0x140194098 DuplicateTokenEx
 0x1401940a0 GetSecurityDescriptorLength
 0x1401940a8 EventWrite
 0x1401940b0 EventRegister
 0x1401940b8 EventEnabled
bcrypt.dll
 0x1401946a0 BCryptGenerateSymmetricKey
 0x1401946a8 BCryptOpenAlgorithmProvider
 0x1401946b0 BCryptDestroyKey
 0x1401946b8 BCryptGenRandom
 0x1401946c0 BCryptCloseAlgorithmProvider
KERNEL32.dll
 0x1401940c8 TlsFree
 0x1401940d0 TlsSetValue
 0x1401940d8 TlsGetValue
 0x1401940e0 TlsAlloc
 0x1401940e8 InitializeCriticalSectionAndSpinCount
 0x1401940f0 EncodePointer
 0x1401940f8 CloseThreadpoolIo
 0x140194100 GetStdHandle
 0x140194108 FileTimeToSystemTime
 0x140194110 SystemTimeToFileTime
 0x140194118 GetSystemTime
 0x140194120 GetCalendarInfoEx
 0x140194128 CompareStringOrdinal
 0x140194130 CompareStringEx
 0x140194138 FindNLSStringEx
 0x140194140 GetLocaleInfoEx
 0x140194148 ResolveLocaleName
 0x140194150 FindStringOrdinal
 0x140194158 GetTickCount64
 0x140194160 GetCurrentProcess
 0x140194168 GetCurrentThread
 0x140194170 Sleep
 0x140194178 InitializeCriticalSection
 0x140194180 InitializeConditionVariable
 0x140194188 DeleteCriticalSection
 0x140194190 LocalFree
 0x140194198 EnterCriticalSection
 0x1401941a0 SleepConditionVariableCS
 0x1401941a8 LeaveCriticalSection
 0x1401941b0 WakeConditionVariable
 0x1401941b8 QueryPerformanceCounter
 0x1401941c0 WaitForMultipleObjectsEx
 0x1401941c8 GetLastError
 0x1401941d0 QueryPerformanceFrequency
 0x1401941d8 SetLastError
 0x1401941e0 GetFullPathNameW
 0x1401941e8 GetLongPathNameW
 0x1401941f0 MultiByteToWideChar
 0x1401941f8 WideCharToMultiByte
 0x140194200 LocalAlloc
 0x140194208 GetConsoleOutputCP
 0x140194210 GetProcAddress
 0x140194218 RaiseFailFastException
 0x140194220 CreateThreadpoolIo
 0x140194228 StartThreadpoolIo
 0x140194230 CancelThreadpoolIo
 0x140194238 LocaleNameToLCID
 0x140194240 LCMapStringEx
 0x140194248 EnumTimeFormatsEx
 0x140194250 EnumCalendarInfoExEx
 0x140194258 CopyFileExW
 0x140194260 CreateFileW
 0x140194268 DeleteFileW
 0x140194270 DeviceIoControl
 0x140194278 ExpandEnvironmentStringsW
 0x140194280 FindClose
 0x140194288 FindFirstFileExW
 0x140194290 FlushFileBuffers
 0x140194298 FreeLibrary
 0x1401942a0 GetFileAttributesExW
 0x1401942a8 GetFileInformationByHandleEx
 0x1401942b0 GetFileType
 0x1401942b8 GetModuleFileNameW
 0x1401942c0 GetOverlappedResult
 0x1401942c8 LoadLibraryExW
 0x1401942d0 ReadFile
 0x1401942d8 SetFileInformationByHandle
 0x1401942e0 SetThreadErrorMode
 0x1401942e8 WriteFile
 0x1401942f0 GetCurrentProcessorNumberEx
 0x1401942f8 CloseHandle
 0x140194300 SetEvent
 0x140194308 ResetEvent
 0x140194310 CreateEventExW
 0x140194318 GetEnvironmentVariableW
 0x140194320 FormatMessageW
 0x140194328 DuplicateHandle
 0x140194330 GetThreadPriority
 0x140194338 SetThreadPriority
 0x140194340 CreateProcessA
 0x140194348 GetConsoleWindow
 0x140194350 GetModuleHandleA
 0x140194358 FreeConsole
 0x140194360 AllocConsole
 0x140194368 GetThreadContext
 0x140194370 ExitProcess
 0x140194378 FlushProcessWriteBuffers
 0x140194380 GetCurrentThreadId
 0x140194388 WaitForSingleObjectEx
 0x140194390 VirtualQuery
 0x140194398 RtlRestoreContext
 0x1401943a0 AddVectoredExceptionHandler
 0x1401943a8 FlsAlloc
 0x1401943b0 FlsGetValue
 0x1401943b8 FlsSetValue
 0x1401943c0 CreateEventW
 0x1401943c8 TerminateProcess
 0x1401943d0 SwitchToThread
 0x1401943d8 CreateThread
 0x1401943e0 SuspendThread
 0x1401943e8 ResumeThread
 0x1401943f0 SetThreadContext
 0x1401943f8 FlushInstructionCache
 0x140194400 VirtualAlloc
 0x140194408 VirtualProtect
 0x140194410 VirtualFree
 0x140194418 QueryInformationJobObject
 0x140194420 GetModuleHandleW
 0x140194428 GetModuleHandleExW
 0x140194430 GetProcessAffinityMask
 0x140194438 InitializeContext
 0x140194440 GetEnabledXStateFeatures
 0x140194448 SetXStateFeaturesMask
 0x140194450 InitializeCriticalSectionEx
 0x140194458 GetSystemTimeAsFileTime
 0x140194460 DebugBreak
 0x140194468 WaitForSingleObject
 0x140194470 SleepEx
 0x140194478 GlobalMemoryStatusEx
 0x140194480 GetSystemInfo
 0x140194488 GetLogicalProcessorInformation
 0x140194490 GetLogicalProcessorInformationEx
 0x140194498 GetLargePageMinimum
 0x1401944a0 VirtualUnlock
 0x1401944a8 VirtualAllocExNuma
 0x1401944b0 IsProcessInJob
 0x1401944b8 GetNumaHighestNodeNumber
 0x1401944c0 GetProcessGroupAffinity
 0x1401944c8 K32GetProcessMemoryInfo
 0x1401944d0 RaiseException
 0x1401944d8 RtlPcToFileHeader
 0x1401944e0 RtlUnwindEx
 0x1401944e8 IsProcessorFeaturePresent
 0x1401944f0 SetUnhandledExceptionFilter
 0x1401944f8 UnhandledExceptionFilter
 0x140194500 IsDebuggerPresent
 0x140194508 RtlVirtualUnwind
 0x140194510 RtlLookupFunctionEntry
 0x140194518 RtlCaptureContext
 0x140194520 InitializeSListHead
 0x140194528 GetCurrentProcessId
ole32.dll
 0x1401946d0 CoCreateGuid
 0x1401946d8 CoGetApartmentType
 0x1401946e0 CoTaskMemFree
 0x1401946e8 CoUninitialize
 0x1401946f0 CoInitializeEx
 0x1401946f8 CoWaitForMultipleHandles
 0x140194700 CoTaskMemAlloc
api-ms-win-crt-math-l1-1-0.dll
 0x140194578 ceil
 0x140194580 __setusermatherr
api-ms-win-crt-heap-l1-1-0.dll
 0x140194538 free
 0x140194540 _callnewh
 0x140194548 _set_new_mode
 0x140194550 calloc
 0x140194558 malloc
api-ms-win-crt-string-l1-1-0.dll
 0x140194668 _wcsicmp
 0x140194670 _stricmp
 0x140194678 strcpy_s
 0x140194680 strcmp
 0x140194688 wcsncmp
 0x140194690 strncpy_s
api-ms-win-crt-runtime-l1-1-0.dll
 0x140194590 _exit
 0x140194598 __p___argc
 0x1401945a0 _initterm_e
 0x1401945a8 terminate
 0x1401945b0 _crt_atexit
 0x1401945b8 _register_onexit_function
 0x1401945c0 _initialize_onexit_table
 0x1401945c8 exit
 0x1401945d0 _initterm
 0x1401945d8 abort
 0x1401945e0 _get_initial_wide_environment
 0x1401945e8 __p___wargv
 0x1401945f0 _register_thread_local_exe_atexit_callback
 0x1401945f8 _c_exit
 0x140194600 _cexit
 0x140194608 _seh_filter_exe
 0x140194610 _set_app_type
 0x140194618 _initialize_wide_environment
 0x140194620 _configure_wide_argv
api-ms-win-crt-stdio-l1-1-0.dll
 0x140194630 __stdio_common_vsscanf
 0x140194638 __acrt_iob_func
 0x140194640 __stdio_common_vfprintf
 0x140194648 __p__commode
 0x140194650 _set_fmode
 0x140194658 __stdio_common_vsprintf_s
api-ms-win-crt-locale-l1-1-0.dll
 0x140194568 _configthreadlocale
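Most of this IAT is what a .NET NativeAOT runtime imports for its own use (the DotNetRuntimeDebugHeader export below identifies the toolchain): the Tls/Fls slots, RtlVirtualUnwind/RtlLookupFunctionEntry/RtlCaptureContext, GetEnabledXStateFeatures, and the SuspendThread/GetThreadContext/SetThreadContext/ResumeThread group the runtime uses to suspend threads for GC. Those same APIs form the classic process-hollowing import cluster, which is why an import-based heuristic fires on this sample; note, though, that no remote-write primitive (WriteProcessMemory or NtWriteVirtualMemory) is imported, so the injection reported by the behavioural signatures cannot be confirmed from imports alone (GetProcAddress and LoadLibraryExW are present, so the rest can be resolved at run time). The Python below is an added example, not the sandbox's rule logic: it parses an excerpt of the listing in the report's own layout, folds A/W suffixes, and grades each capability cluster as full, partial or none. The cluster definitions are the author's assumptions.

```python
import re

# Excerpt of the IAT listed in this report, in the report's own "0xADDR Name" layout.
# Only the entries the capability checks below care about are kept (constructed subset).
REPORT_IAT = """
ADVAPI32.dll
 0x140194020 RegCreateKeyExW
 0x140194050 RegSetValueExW
 0x140194068 LookupPrivilegeValueW
 0x140194080 OpenProcessToken
 0x140194090 AdjustTokenPrivileges
bcrypt.dll
 0x1401946a0 BCryptGenerateSymmetricKey
 0x1401946b8 BCryptGenRandom
KERNEL32.dll
 0x140194210 GetProcAddress
 0x1401942c8 LoadLibraryExW
 0x140194340 CreateProcessA
 0x140194368 GetThreadContext
 0x1401943a0 AddVectoredExceptionHandler
 0x1401943e0 SuspendThread
 0x1401943e8 ResumeThread
 0x1401943f0 SetThreadContext
 0x1401943f8 FlushInstructionCache
 0x140194400 VirtualAlloc
 0x140194408 VirtualProtect
 0x140194460 DebugBreak
 0x1401944a8 VirtualAllocExNuma
 0x140194500 IsDebuggerPresent
"""

# Capability clusters (author's assumptions, not the sandbox's rules): every "all" member must
# be present and each "any" group needs at least one member for the cluster to count as full.
CLUSTERS = {
    "process_hollowing": {
        "all": {"CreateProcess", "GetThreadContext", "SetThreadContext", "ResumeThread"},
        "any": [{"VirtualAllocEx", "VirtualAllocExNuma"},          # remote allocation
                {"WriteProcessMemory", "NtWriteVirtualMemory"}],    # remote write
    },
    "rwx_memory": {"all": {"VirtualAlloc", "VirtualProtect"}, "any": []},
    "anti_debug": {"all": set(), "any": [{"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                                          "NtQueryInformationProcess"}]},
    "registry_persistence": {"all": {"RegCreateKeyEx", "RegSetValueEx"}, "any": []},
    "token_privileges": {"all": {"OpenProcessToken", "AdjustTokenPrivileges",
                                 "LookupPrivilegeValue"}, "any": []},
    "dynamic_api_resolution": {"all": {"GetProcAddress"}, "any": [{"LoadLibrary", "LoadLibraryEx"}]},
}


def normalise(name):
    """Fold ANSI/Unicode variants: CreateProcessA/W -> CreateProcess. Requiring a lower-case
    letter before the suffix keeps names such as VirtualAllocExNuma untouched."""
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def parse_iat(text):
    """Return {dll (lower-case): {normalised function names}} from the listing."""
    imports, dll = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"0x[0-9a-fA-F]+\s+(\w+)", line)
        if m and dll:
            imports.setdefault(dll, set()).add(normalise(m.group(1)))
        elif line.lower().endswith(".dll"):
            dll = line.lower()
    return imports


def assess(imports, clusters=CLUSTERS):
    """Grade each cluster as full / partial / none against the union of all imports."""
    names = set().union(*imports.values()) if imports else set()
    result = {}
    for cname, spec in clusters.items():
        present = sorted(spec["all"] & names)
        missing = sorted(spec["all"] - names)
        any_hits = [sorted(group & names) for group in spec["any"]]
        any_missed = [sorted(group) for group, hits in zip(spec["any"], any_hits) if not hits]
        satisfied = not missing and not any_missed
        seen = bool(present) or any(any_hits)
        result[cname] = {
            "status": "full" if satisfied else ("partial" if seen else "none"),
            "present": present + [f for hits in any_hits for f in hits],
            "missing": missing + [" | ".join(group) for group in any_missed],
        }
    return result


if __name__ == "__main__":
    for cname, r in assess(parse_iat(REPORT_IAT)).items():
        print(f'{cname:24} {r["status"]:8} present={r["present"]} missing={r["missing"]}')
```

Run against this sample, process_hollowing comes back partial (remote allocation via VirtualAllocExNuma, no remote write), and the other clusters full; the rwx_memory, anti_debug and token_privileges hits line up with the "Allocates read-write-execute memory", "Checks if process is being debugged" and DebuggerCheck/ThreadControl rules above. Treat the static score as a prompt to look at the behavioural evidence, not as a verdict, since a clean NativeAOT binary produces the same process_hollowing and rwx_memory hits.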

EAT (Export Address Table)

0x140256310 DotNetRuntimeDebugHeader
(This export is emitted by the .NET NativeAOT toolchain, so the sample is an ahead-of-time compiled .NET binary; the bulk of the KERNEL32 imports above, including the Tls/Fls, RtlVirtualUnwind, GetEnabledXStateFeatures and thread-context APIs, is the NativeAOT runtime's own import set rather than hand-written malware code.)

