Report - eduroam-ua.exe

Behavior tags: Downloader, Create Service, Socket, DGA, Http API, ScreenShot, Escalate privileges, Steal credential, PWS, Hijack Network, Sniff Audio, HTTP, DNS, Code injection, Internet API, persistence, FTP, KeyLogger, P2P, AntiDebug, AntiVM, MSOffice File, PNG Format, JPEG Format
Created: 2025.02.10 16:16
Machine: s1_win7_x6402
Filename: eduroam-ua.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
AI Score: Not found
Behavior Score: 5.2
ZERO API (file): clean
VT API (file): 3 detected (Malicious, Trojan.Autoit.F)
md5: f86c99412cf7e6c5c1ec4f68dfc30c99
sha256: 8051f2a732fb1b30d445b31ddaf1f1421988658f621c8729fb87b7e8700274d0
ssdeep: 24576:KkWAAuqePydPm/aMzhkxQ4xsy2lWxNlBfwCf92:Khpm/TzOfxoqBfPf92
imphash: dbb1eb5c3476069287a73206929932fd
impfuzzy: 48:dROaOGpw+vceo7nhzN54lzvSv6pfn56UyLlotn6gxSY4jS+EQhXUXCAk+09ok/Kc:dRZzwA87nKCy07dCaqUt5PuKTfD

Signatures (9)

Level | Description
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running)
watch | Communicates with host for which no DNS query was performed
watch | Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic)
watch | Resumed a suspended thread in a remote process, potentially indicative of process injection
notice | Allocates read-write-execute memory (usually to unpack itself)
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice | Potentially malicious URLs were found in the process memory dump
notice | Uses Windows utilities for basic Windows functionality
notice | Yara rule detected in process memory

Rules (36)

Level | Name | Description | Collection
watch | Network_Downloader | File Downloader | memory
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory
notice | Create_Service | Create a Windows service | memory
notice | Escalate_priviledges | Escalate privileges | memory
notice | Generic_PWS_Memory_Zero | PWS Memory | memory
notice | Hijack_Network | Hijack network configuration | memory
notice | KeyLogger | Run a KeyLogger | memory
notice | local_credential_Steal | Steal credential | memory
notice | Network_DGA | Communication using DGA | memory
notice | Network_DNS | Communications use DNS | memory
notice | Network_FTP | Communications over FTP | memory
notice | Network_HTTP | Communications over HTTP | memory
notice | Network_P2P_Win | Communications over P2P network | memory
notice | Network_TCP_Socket | Communications over RAW Socket | memory
notice | Persistence | Install itself for autorun at Windows startup | memory
notice | ScreenShot | Take ScreenShot | memory
notice | Sniff_Audio | Record Audio | memory
notice | Str_Win32_Http_API | Match Windows Http API call | memory
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory
info | anti_dbg | Checks if being debugged | memory
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory
info | Check_Dlls | (no description) | memory
info | DebuggerCheck__GlobalFlags | (no description) | memory
info | DebuggerCheck__QueryInfo | (no description) | memory
info | DebuggerCheck__RemoteAPI | (no description) | memory
info | DebuggerException__ConsoleCtrl | (no description) | memory
info | DebuggerException__SetConsoleCtrl | (no description) | memory
info | DebuggerHiding__Active | (no description) | memory
info | DebuggerHiding__Thread | (no description) | memory
info | disable_dep | Bypass DEP | memory
info | JPEG_Format_Zero | JPEG Format | binaries (download)
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download)
info | PNG_Format_Zero | PNG Format | binaries (download)
info | SEH__vectored | (no description) | memory
info | ThreadControl__Context | (no description) | memory
info | win_hook | Affect hook table | memory

Network (3)

Request | CC | ASN / Company | IPv4 | ZERO verdict
si.ua.es | ES | Entidad Publica Empresarial Red.es | 193.145.235.30 | clean
193.145.235.30 | ES | Entidad Publica Empresarial Red.es | 193.145.235.30 | clean
152.199.39.108 | US | EDGECAST | 152.199.39.108 | malicious

Suricata IDS

PE API

IAT (Import Address Table) Library

COMCTL32.dll
 0x41302c InitCommonControlsEx
 0x413030 None
SHLWAPI.dll
 0x4131bc SHAutoComplete
KERNEL32.dll
 0x41306c DeleteFileW
 0x413070 DeleteFileA
 0x413074 CreateDirectoryA
 0x413078 CreateDirectoryW
 0x41307c FindClose
 0x413080 FindNextFileA
 0x413084 FindFirstFileA
 0x413088 FindNextFileW
 0x41308c FindFirstFileW
 0x413090 GetTickCount
 0x413094 WideCharToMultiByte
 0x413098 GlobalAlloc
 0x41309c GetVersionExW
 0x4130a0 GetFullPathNameA
 0x4130a4 GetFullPathNameW
 0x4130a8 GetModuleFileNameW
 0x4130ac FindResourceW
 0x4130b0 GetModuleHandleW
 0x4130b4 HeapAlloc
 0x4130b8 GetProcessHeap
 0x4130bc HeapFree
 0x4130c0 HeapReAlloc
 0x4130c4 CompareStringA
 0x4130c8 ExitProcess
 0x4130cc GetLocaleInfoW
 0x4130d0 GetNumberFormatW
 0x4130d4 SetFileAttributesW
 0x4130d8 GetDateFormatW
 0x4130dc GetTimeFormatW
 0x4130e0 FileTimeToSystemTime
 0x4130e4 FileTimeToLocalFileTime
 0x4130e8 ExpandEnvironmentStringsW
 0x4130ec WaitForSingleObject
 0x4130f0 Sleep
 0x4130f4 GetTempPathW
 0x4130f8 MoveFileExW
 0x4130fc UnmapViewOfFile
 0x413100 GetCommandLineW
 0x413104 MapViewOfFile
 0x413108 CreateFileMappingW
 0x41310c OpenFileMappingW
 0x413110 SetEnvironmentVariableW
 0x413114 GetProcAddress
 0x413118 LocalFileTimeToFileTime
 0x41311c SystemTimeToFileTime
 0x413120 GetSystemTime
 0x413124 MultiByteToWideChar
 0x413128 CompareStringW
 0x41312c IsDBCSLeadByte
 0x413130 GetCPInfo
 0x413134 SetCurrentDirectoryW
 0x413138 LoadLibraryW
 0x41313c FreeLibrary
 0x413140 SetFileAttributesA
 0x413144 GetFileAttributesW
 0x413148 GetFileAttributesA
 0x41314c WriteFile
 0x413150 GetStdHandle
 0x413154 ReadFile
 0x413158 GetCurrentDirectoryW
 0x41315c CreateFileW
 0x413160 CreateFileA
 0x413164 GetFileType
 0x413168 SetEndOfFile
 0x41316c SetFilePointer
 0x413170 MoveFileW
 0x413174 SetFileTime
 0x413178 GetCurrentProcess
 0x41317c CloseHandle
 0x413180 SetLastError
 0x413184 GetLastError
 0x413188 DosDateTimeToFileTime
USER32.dll
 0x4131c4 wvsprintfW
 0x4131c8 ReleaseDC
 0x4131cc GetDC
 0x4131d0 SendMessageW
 0x4131d4 SetDlgItemTextW
 0x4131d8 SetFocus
 0x4131dc EndDialog
 0x4131e0 DestroyIcon
 0x4131e4 SendDlgItemMessageW
 0x4131e8 GetDlgItemTextW
 0x4131ec GetClassNameW
 0x4131f0 DialogBoxParamW
 0x4131f4 IsWindowVisible
 0x4131f8 WaitForInputIdle
 0x4131fc SetForegroundWindow
 0x413200 GetSysColor
 0x413204 PostMessageW
 0x413208 LoadBitmapW
 0x41320c LoadIconW
 0x413210 CharToOemA
 0x413214 OemToCharA
 0x413218 FindWindowExW
 0x41321c wvsprintfA
 0x413220 GetParent
 0x413224 MapWindowPoints
 0x413228 CreateWindowExW
 0x41322c UpdateWindow
 0x413230 SetWindowTextW
 0x413234 LoadCursorW
 0x413238 RegisterClassExW
 0x41323c SetWindowLongW
 0x413240 GetWindowLongW
 0x413244 DefWindowProcW
 0x413248 PeekMessageW
 0x41324c GetMessageW
 0x413250 TranslateMessage
 0x413254 DispatchMessageW
 0x413258 DestroyWindow
 0x41325c GetClientRect
 0x413260 IsWindow
 0x413264 CharToOemBuffW
 0x413268 MessageBoxW
 0x41326c ShowWindow
 0x413270 GetDlgItem
 0x413274 EnableWindow
 0x413278 OemToCharBuffA
 0x41327c CharUpperA
 0x413280 CharToOemBuffA
 0x413284 LoadStringW
 0x413288 SetWindowPos
 0x41328c GetWindowTextW
 0x413290 GetSystemMetrics
 0x413294 GetWindow
 0x413298 CharUpperW
 0x41329c GetWindowRect
 0x4132a0 CopyRect
GDI32.dll
 0x413048 GetDeviceCaps
 0x41304c GetObjectW
 0x413050 CreateCompatibleBitmap
 0x413054 SelectObject
 0x413058 StretchBlt
 0x41305c CreateCompatibleDC
 0x413060 DeleteObject
 0x413064 DeleteDC
COMDLG32.dll
 0x413038 GetOpenFileNameW
 0x41303c CommDlgExtendedError
 0x413040 GetSaveFileNameW
ADVAPI32.dll
 0x413000 RegOpenKeyExW
 0x413004 LookupPrivilegeValueW
 0x413008 OpenProcessToken
 0x41300c RegQueryValueExW
 0x413010 RegCreateKeyExW
 0x413014 RegSetValueExW
 0x413018 RegCloseKey
 0x41301c SetFileSecurityW
 0x413020 SetFileSecurityA
 0x413024 AdjustTokenPrivileges
SHELL32.dll
 0x413198 SHChangeNotify
 0x41319c ShellExecuteExW
 0x4131a0 SHFileOperationW
 0x4131a4 SHGetFileInfoW
 0x4131a8 SHGetSpecialFolderLocation
 0x4131ac SHGetMalloc
 0x4131b0 SHBrowseForFolderW
 0x4131b4 SHGetPathFromIDListW
ole32.dll
 0x4132a8 CreateStreamOnHGlobal
 0x4132ac OleInitialize
 0x4132b0 CoCreateInstance
 0x4132b4 OleUninitialize
 0x4132b8 CLSIDFromString
OLEAUT32.dll
 0x413190 VariantInit

EAT (Export Address Table) Library

(none)