Report - stub.exe

Generic Malware Malicious Library UPX Antivirus PE File PE32 OS Processor Check PE64 .NET EXE
Created 2024.08.17 22:21 Machine s1_win7_x6401
Filename stub.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
6
Behavior Score
10.4
ZERO API file : malware
VT API (file) 34 detected (AIDetectMalware, malicious, high confidence, score, Jaik, Unsafe, Save, Attribute, HighConfidence, AGPC, MalwareX, Tasker, Real Protect, Static AI, Malicious PE, ai score=87, Sabsik, BScope, Wacatac, Zharkbot, susgen, confidence)
md5 f48972736d07992d0cfd2b8bc7972e27
sha256 56d97e9f42ee5b7efdbfcd7d56da50e752fb08599f3422ee0cc9b697a92e56da
ssdeep 6144:eyrVs12rjxDPCle3vOYL5q1e0eBEpw2ePRflnm3QBbLVKnzf16Ja2PBipAxWn7jT:eyrVsmjxDPCXfEJaUBipAxKbxLOKP2m
imphash 86066554454deea625edb22af31c51bd
impfuzzy 48:ZWrXOzMrlccpV5Cr3XjtNG7pZ+3gFZGhv3Nwih:aXm2lccpV5o3XjtNG7pZtwNw8

Signature (25cnts)

Level Description
danger File has been identified by 34 AntiVirus engines on VirusTotal as malicious
watch A process performed obfuscation on information about the computer or sent it to a remote location, indicative of CnC traffic/preparations.
watch Checks the version of BIOS
watch Communicates with host for which no DNS query was performed
watch Detects Avast Antivirus through the presence of a library
watch Harvests credentials from local email clients
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process stub.exe
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Executes one or more WMI queries
notice Executes one or more WMI queries which can be used to identify virtual machines
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk
notice Resolves a suspicious Top Level Domain (TLD)
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info One or more processes crashed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (14cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
info Is_DotNET_EXE (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (11cnts)

Request CC ASN Co IP4 Rule ZERO
http://185.216.214.225/freedom.exe DE Metaliance ISP Systems e.k 185.216.214.225 clean
http://185.216.214.225/Jhiidutz.exe DE Metaliance ISP Systems e.k 185.216.214.225 clean
https://garageserviceoperation.com/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3BCD138B5AFFC62 US CLOUDFLARENET 172.67.202.34 clean
https://garageserviceoperation.com/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3BCD138B5AFFC62&tsk=5F9ADF US CLOUDFLARENET 172.67.202.34 clean
https://solutionhub.cc/socket/?serviceCheckup US CLOUDFLARENET 172.67.128.126 41399 malicious
https://garageserviceoperation.com/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3BCD138B5AFFC62&tsk=5F9ADE US CLOUDFLARENET 172.67.202.34 clean
garageserviceoperation.com US CLOUDFLARENET 172.67.202.34 clean
solutionhub.cc US CLOUDFLARENET 172.67.128.126 malware
185.216.214.225 DE Metaliance ISP Systems e.k 185.216.214.225 malware
172.67.202.34 US CLOUDFLARENET 172.67.202.34 clean
172.67.128.126 US CLOUDFLARENET 172.67.128.126 malicious

Suricata ids

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x43f014 ReadProcessMemory
 0x43f018 WriteProcessMemory
 0x43f01c GetModuleHandleA
 0x43f020 GetProcAddress
 0x43f024 Sleep
 0x43f028 VirtualProtectEx
 0x43f02c GetVersion
 0x43f030 GetComputerNameA
 0x43f034 WriteConsoleW
 0x43f038 HeapSize
 0x43f03c CreateFileW
 0x43f040 GetProcessHeap
 0x43f044 SetStdHandle
 0x43f048 VirtualAllocEx
 0x43f04c VirtualAlloc
 0x43f050 SetThreadContext
 0x43f054 GetThreadContext
 0x43f058 CreateProcessA
 0x43f05c ResumeThread
 0x43f060 K32GetModuleFileNameExA
 0x43f064 GetLastError
 0x43f068 K32EnumProcesses
 0x43f06c OpenProcess
 0x43f070 TerminateProcess
 0x43f074 GetCurrentProcessId
 0x43f078 CreateProcessW
 0x43f07c CloseHandle
 0x43f080 SetEnvironmentVariableW
 0x43f084 FreeEnvironmentStringsW
 0x43f088 GetEnvironmentStringsW
 0x43f08c GetOEMCP
 0x43f090 GetACP
 0x43f094 IsValidCodePage
 0x43f098 FindNextFileW
 0x43f09c FindFirstFileExW
 0x43f0a0 FindClose
 0x43f0a4 HeapReAlloc
 0x43f0a8 ReadConsoleW
 0x43f0ac SetFilePointerEx
 0x43f0b0 GetFileSizeEx
 0x43f0b4 ReadFile
 0x43f0b8 GetConsoleMode
 0x43f0bc GetConsoleOutputCP
 0x43f0c0 WideCharToMultiByte
 0x43f0c4 EnterCriticalSection
 0x43f0c8 LeaveCriticalSection
 0x43f0cc InitializeCriticalSectionEx
 0x43f0d0 DeleteCriticalSection
 0x43f0d4 EncodePointer
 0x43f0d8 DecodePointer
 0x43f0dc MultiByteToWideChar
 0x43f0e0 LCMapStringEx
 0x43f0e4 CompareStringEx
 0x43f0e8 GetCPInfo
 0x43f0ec GetStringTypeW
 0x43f0f0 IsProcessorFeaturePresent
 0x43f0f4 QueryPerformanceCounter
 0x43f0f8 GetCurrentThreadId
 0x43f0fc GetSystemTimeAsFileTime
 0x43f100 InitializeSListHead
 0x43f104 IsDebuggerPresent
 0x43f108 UnhandledExceptionFilter
 0x43f10c SetUnhandledExceptionFilter
 0x43f110 GetStartupInfoW
 0x43f114 GetModuleHandleW
 0x43f118 GetCurrentProcess
 0x43f11c RaiseException
 0x43f120 RtlUnwind
 0x43f124 SetLastError
 0x43f128 InitializeCriticalSectionAndSpinCount
 0x43f12c TlsAlloc
 0x43f130 TlsGetValue
 0x43f134 TlsSetValue
 0x43f138 TlsFree
 0x43f13c FreeLibrary
 0x43f140 LoadLibraryExW
 0x43f144 ExitProcess
 0x43f148 GetModuleHandleExW
 0x43f14c GetStdHandle
 0x43f150 WriteFile
 0x43f154 GetModuleFileNameW
 0x43f158 GetCommandLineA
 0x43f15c GetCommandLineW
 0x43f160 HeapFree
 0x43f164 HeapAlloc
 0x43f168 CompareStringW
 0x43f16c LCMapStringW
 0x43f170 GetLocaleInfoW
 0x43f174 IsValidLocale
 0x43f178 GetUserDefaultLCID
 0x43f17c EnumSystemLocalesW
 0x43f180 GetFileType
 0x43f184 FlushFileBuffers
 0x43f188 SetEndOfFile
ADVAPI32.dll
 0x43f000 RegQueryValueExA
 0x43f004 RegOpenKeyExA
 0x43f008 RegCloseKey
 0x43f00c GetUserNameA
ole32.dll
 0x43f1b8 CoInitializeEx
 0x43f1bc CoInitializeSecurity
 0x43f1c0 CoCreateInstance
 0x43f1c4 CoSetProxyBlanket
 0x43f1c8 CoUninitialize
OLEAUT32.dll
 0x43f190 SysAllocString
 0x43f194 SysFreeString
 0x43f198 VariantInit
 0x43f19c VariantClear
WININET.dll
 0x43f1a4 InternetOpenUrlA
 0x43f1a8 InternetOpenW
 0x43f1ac InternetReadFile
 0x43f1b0 InternetCloseHandle

EAT (Export Address Table): none



Similarity measure (PE file only) - Checking for service failure