Report - ZeroBOX

ScreenShot


Created	2025.03.13 10:02	Machine	s1_win7_x6401
Filename	MUK.ps1
Type	ASCII text, with very long lines, with CRLF line terminators
AI Score	Not founds	Behavior Score	11.2
ZERO API	file : malware
VT API (file)	12 detected (Countermeasure, DotNetToJScript, Krypt, Attribute, HighConfidence, Zapchast, PSDrop, Detected, Wacatac, Encpe)
md5	50955e71d07cd14cee26f5d7d8d35fbc
sha256	99638548506568949f57638461b2835b203149456ebd6c1cf383cf3d9c0bd358
ssdeep	1536:WLebwaNKvtq/TAokXiW2QbEtvKjCcaI+itoGmBR:hwa9M2QbEtvKjCcaI+itoGK
imphash
impfuzzy

Network IP location

Level	Description
danger	The process powershell.exe wrote an executable file to disk which it then attempted to execute
danger	Executed a process and injected code into it
watch	Allocates execute permission to another process indicative of possible code injection
watch	Communicates with host for which no DNS query was performed
watch	Drops a binary and executes it
watch	File has been identified by 12 AntiVirus engines on VirusTotal as malicious
watch	One or more non-whitelisted processes were created
watch	One or more of the buffers contains an embedded PE file
watch	Potential code injection by writing to the memory of another process
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
watch	Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Creates executable files on the filesystem
notice	Drops an executable to the user AppData folder
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger

Level	Name	Description	Collection
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
warning	hide_executable_file	Hide executable file	binaries (upload)
watch	Antivirus	Contains references to security software	binaries (download)
watch	ConfuserEx_Zero	Confuser .NET	binaries (download)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Network_Downloader	File Downloader	memory
notice	Code_injection	Code injection with CreateRemoteThread in a remote process	memory
notice	ScreenShot	Take ScreenShot	memory
notice	Str_Win32_Internet_API	Match Windows Inet API call	memory
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	Is_DotNET_DLL	(no description)	binaries (download)
info	Is_DotNET_EXE	(no description)	binaries (download)
info	IsDLL	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Request	ASN Co	IP4	ZERO ?
http://geoplugin.net/json.gp whois	Schuberg Philis B.V.	178.237.33.50	clean
http://176.65.144.3/dev/muk.exe whois		176.65.144.3	malware
geoplugin.net whois	Schuberg Philis B.V.	178.237.33.50	clean
178.237.33.50 whois	Schuberg Philis B.V.	178.237.33.50	clean
176.65.144.3 whois		176.65.144.3	malware
198.23.227.212 whois	AS-COLOCROSSING	198.23.227.212	clean

Report - MUK.ps1