Report - ZeroBOX

ScreenShot


Created	2025.03.13 09:47	Machine	s1_win7_x6403
Filename	MKBOY.ps1
Type	ASCII text, with very long lines, with CRLF line terminators
AI Score	Not founds	Behavior Score	11.2
ZERO API	file : clean
VT API (file)	17 detected (powershell, msilheracles, many, Zapchast, PSDrop, Detected, Wacatac, ShellLoader)
md5	f3848b1d0ad73445ff208123c109b3a3
sha256	9cf1fdb10c69abf321636907171418f4ca79917c2a280fb1d7216fcb99fd2339
ssdeep	1536:nRqPkug6bnczC/2OuzoUZ69eAw4i+RGhCvn9iIHFEecSK:c1GEuEUZIw4i+RGhCv9iIHFEe8
imphash
impfuzzy

Network IP location

Level	Description
danger	The process powershell.exe wrote an executable file to disk which it then attempted to execute
danger	Executed a process and injected code into it
watch	Allocates execute permission to another process indicative of possible code injection
watch	Communicates with host for which no DNS query was performed
watch	Drops a binary and executes it
watch	File has been identified by 17 AntiVirus engines on VirusTotal as malicious
watch	One or more non-whitelisted processes were created
watch	One or more of the buffers contains an embedded PE file
watch	Potential code injection by writing to the memory of another process
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
watch	Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Creates executable files on the filesystem
notice	Drops an executable to the user AppData folder
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger

Level	Name	Description	Collection
danger	Win_Trojan_Formbook_Zero	Used Formbook	binaries (upload)
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
warning	hide_executable_file	Hide executable file	binaries (upload)
watch	Antivirus	Contains references to security software	binaries (download)
watch	ConfuserEx_Zero	Confuser .NET	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Network_Downloader	File Downloader	memory
notice	Code_injection	Code injection with CreateRemoteThread in a remote process	memory
notice	ScreenShot	Take ScreenShot	memory
notice	Str_Win32_Internet_API	Match Windows Inet API call	memory
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	Is_DotNET_DLL	(no description)	binaries (download)
info	Is_DotNET_EXE	(no description)	binaries (download)
info	IsDLL	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Request	ASN Co	IP4	ZERO ?
http://geoplugin.net/json.gp whois	Schuberg Philis B.V.	178.237.33.50	clean
http://176.65.144.3/dev/muk.exe whois		176.65.144.3	clean
geoplugin.net whois	Schuberg Philis B.V.	178.237.33.50	clean
178.237.33.50 whois	Schuberg Philis B.V.	178.237.33.50	clean
176.65.144.3 whois		176.65.144.3	malware
198.23.227.212 whois	AS-COLOCROSSING	198.23.227.212	clean

Report - MKBOY.ps1