Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 21, 2025, 9:11 a.m.	March 21, 2025, 9:14 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`cd00eab486d24844b6ae7933c4514271`
SHA256	`75f5e2469a72d156182e4f6136c83d8364aaec5ee3b207f931dc6e7bc600532f`
CRC32	`D734DE49`
ssdeep	`24576:nu6J33O0c+JY5UZ+XC0kGso6FaSm2rQ3uTVW/Tkl2DjWY:hu0c++OCvkGs9FaSVrpTkTkpY`
Yara	Malicious_Library_Zero - Malicious_Library Process_Snapshot_Kill_Zero - Process Kill Zero PE_Header_Zero - PE File Signature FindFirstVolume_Zero - FindFirstVolume Zero CryptGenKey_Zero - CryptGenKey Zero Device_Check_Zero - Device Check Zero IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

vsse.exe "C:\Users\test22\AppData\Local\Temp\vsse.exe"
1072
- svchost.exe "C:\Users\test22\AppData\Local\Temp\vsse.exe"
  2104
calc.exe "C:\Windows\SysWOW64\calc.exe"
2204
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2676
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
www.vaishnavi.xyz	A 92.204.40.98	92.204.40.98
www.needethereum.xyz	A 13.248.169.48 A 76.223.54.146	13.248.169.48
www.anartisthuman.info	A 208.91.197.27	208.91.197.27
www.multo.xyz	A 13.248.169.48 A 76.223.54.146	76.223.54.146
www.pond-magic.shop	CNAME pond-magic.shop A 3.33.130.190 A 15.197.148.33	3.33.130.190
www.zeniow.xyz	A 209.74.77.230	209.74.77.230
www.temecula.deals	A 15.197.148.33 CNAME temecula.deals A 3.33.130.190	3.33.130.190
www.sqlite.org	A 45.33.6.223	45.33.6.223
www.agistaking.xyz	A 76.223.54.146 A 13.248.169.48	13.248.169.48

IP Address	Status	Action
13.248.169.48	Active	Moloch
15.197.148.33	Active	Moloch
164.124.101.2	Active	Moloch
208.91.197.27	Active	Moloch
209.74.77.230	Active	Moloch
3.33.130.190	Active	Moloch
45.33.6.223	Active	Moloch
76.223.54.146	Active	Moloch
92.204.40.98	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 21, 2025, 9:11 a.m.			0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (16 events)

request	POST http://www.temecula.deals/xwqx/
request	GET http://www.temecula.deals/xwqx/?y_3TV=otmcxnJvFIgVfYDZKBmMxfZ/2Rsfmh5K0YH/99vZ/T7EZjaL7WFZ4hVKC4Doi6q8u50oMvgcqXDIzwm5VvCgIECKPmoYjETr5j8UxgstLIDPhmq1nsbeJqpfQc3YQdHA6Li+eys=&NReKM=nmUcOK
request	GET http://www.sqlite.org/2018/sqlite-dll-win32-x86-3260000.zip
request	POST http://www.agistaking.xyz/c8u0/
request	GET http://www.agistaking.xyz/c8u0/?y_3TV=FMJVgFO6r2fqsFEl6TwcqloBaxOFxcVuwnCszuFGPNY4Pf96ze7CheFJaWHnvvI5HUXX1ffPrMdMHGblvRY36kwJ6Z5LjOSq3+UxRnzl3DcT41eA43jrjNZY+mEu3ZZesfo5R+c=&NReKM=nmUcOK
request	POST http://www.anartisthuman.info/q5nb/
request	GET http://www.anartisthuman.info/q5nb/?y_3TV=cbGNT1GwMlz4ZJSziaGZ417O1lPEEGr/otaQaC2lDUNXgkD5XcZBfcFh4bos8p6nBAeLwaWY70PtJ84F2cqIefn38VmVolqA9OM00NydnH4eimiA5ovgMJtFZSZXN9c5ALcOmvE=&NReKM=nmUcOK
request	POST http://www.zeniow.xyz/ia4f/
request	GET http://www.zeniow.xyz/ia4f/?y_3TV=PWKr0tq9ggEA6355c9UyNF2pd7P8mK2dL3BBPgf/WfBkZg8pHvux8cwM5cbL82+ryc47uajX6FH7VUY9gkG/3EWTphbi/Pfl4NQpMu/zjtwuhefdlRmz0+cWQnJKIaegbhRgrPA=&NReKM=nmUcOK
request	POST http://www.multo.xyz/dlol/
request	GET http://www.multo.xyz/dlol/?y_3TV=Vdu1QfmsuFO68GL+Z4x3EHJHVjGIjNF/HVgaJhop4EyQK8uQubyUDtwdOyyNKnabI4xwGbdZuUIxD/VQQoafkwH5Ac9mLu9zmIIuvlxOoy49VxHnP5G+j0sNpXUeFDu2oIGBsSQ=&NReKM=nmUcOK
request	POST http://www.pond-magic.shop/vhzb/
request	GET http://www.pond-magic.shop/vhzb/?y_3TV=utPv65Al4AswLtqgXBb6Y4fTxryMVttJesMXOpbeQKe44HKKs52WpuXeGiT/ACGN6+bMff3De6fwTiZsaGhnqx8sLpUZ6NMur+BKLZ/qQcXmCUHZhzver/1jMPQf6ei06+vySQk=&NReKM=nmUcOK
request	POST http://www.needethereum.xyz/7t1k/
request	GET http://www.needethereum.xyz/7t1k/?y_3TV=FU89ini0gnpj8wdpORJLv3Vt4RH2UdonDWusiqXcZKGzkaK/1F4v6ebYfxiMRK0Sp+KhdTnnXUlQw/F9hhoAQLNA+2u62uYZ6Z5FgcXKgYvRqi64dxV4oyAUMmVAbniMH2jLJf0=&NReKM=nmUcOK
request	POST http://www.vaishnavi.xyz/fepe/

Sends data using the HTTP POST Method (8 events)

request	POST http://www.temecula.deals/xwqx/
request	POST http://www.agistaking.xyz/c8u0/
request	POST http://www.anartisthuman.info/q5nb/
request	POST http://www.zeniow.xyz/ia4f/
request	POST http://www.multo.xyz/dlol/
request	POST http://www.pond-magic.shop/vhzb/
request	POST http://www.needethereum.xyz/7t1k/
request	POST http://www.vaishnavi.xyz/fepe/

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 21, 2025, 9:11 a.m.	process_identifier: 1072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2025, 9:12 a.m.	process_identifier: 2104 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00880000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2025, 9:12 a.m.	process_identifier: 2104 region_size: 151552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2025, 9:12 a.m.	process_identifier: 2204 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02150000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

calc.exe tried to sleep 162 seconds, actually delayed analysis time by 162 seconds

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0005a200', u'virtual_address': u'0x000c7000', u'entropy': 7.892922674490383, u'name': u'.rsrc', u'virtual_size': u'0x0005a1d0'}

entropy

7.89292267449

description

A section with a high entropy has been found

entropy

0.310374515712

description

Overall entropy of this PE file is high

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 21, 2025, 9:11 a.m.	thread_identifier: 2108 thread_handle: 0x00000134 process_identifier: 2104 current_directory: filepath: C:\Windows\System32\svchost.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\vsse.exe" filepath_r: C:\Windows\System32\svchost.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000130	1	1	0

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2104 manipulating memory of non-child process 1888
NtMapViewOfSection March 21, 2025, 9:12 a.m.	section_handle: 0x0000004c process_identifier: 1888 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x03b50000 allocation_type: 0 () section_offset: 0 view_size: 5189632 process_handle: 0x00000050	1	0	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1072 called NtSetContextThread to modify thread in remote process 2104
Process injection	Process 2104 called NtSetContextThread to modify thread in remote process 2204
NtSetContextThread March 21, 2025, 9:11 a.m.	registers.eip: 2005598660 registers.esp: 588600 registers.edi: 0 registers.eax: 4199360 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000134 process_identifier: 2104	1	0	0
NtSetContextThread March 21, 2025, 9:12 a.m.	registers.eip: 2005598660 registers.esp: 719476 registers.edi: 0 registers.eax: 1220144 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000064 process_identifier: 2204	1	0	0

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.AutoIt.4!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	TrojanPWS.AutoIt.Zbot.S
Skyhigh	BehavesLike.Win32.Formbook.tc
Cylance	Unsafe
VIPRE	Trojan.GenericKD.76102101
Sangfor	Virus.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.76102101
K7GW	Trojan ( 005850dc1 )
K7AntiVirus	Trojan ( 005850dc1 )
Arcabit	Trojan.Generic.D48939D5
VirIT	Trojan.Win32.AutoIt_Heur.L
Symantec	Trojan.Malautoit!g7
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
APEX	Malicious
Avast	Script:SNH-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Script/Injector.01e15826
MicroWorld-eScan	Trojan.GenericKD.76102101
Rising	Trojan.Injector/Autoit!1.1294D (CLASSIC)
Emsisoft	Trojan.GenericKD.76102101 (B)
F-Secure	Trojan.TR/AD.Swotter.vqxwr
DrWeb	Trojan.AutoIt.1626
TrendMicro	TROJ_GEN.R002C0DCJ25
McAfeeD	ti!75F5E2469A72
CTX	exe.trojan.autoit
Sophos	Troj/AutoIt-DHB
FireEye	Trojan.GenericKD.76102101
Google	Detected
Avira	TR/AD.Swotter.vqxwr
Antiy-AVL	Trojan/Generic.ASMalwFI.6EB0F
Gridinsoft	Ransom.Win32.Zbot.sa
Microsoft	Trojan:Win32/Formbook!rfn
ZoneAlarm	Troj/AutoIt-DHB
GData	Trojan.GenericKD.76102101
Varist	W32/AutoIt.OL.gen!Eldorado
AhnLab-V3	Trojan/AU3.Loader.S2970
McAfee	Artemis!CD00EAB486D2
DeepInstinct	MALICIOUS
Ikarus	Trojan.Autoit
Zoner	Trojan.Win32.179540
TrendMicro-HouseCall	TROJ_GEN.R002C0DCJ25
Tencent	Script.Trojan.Generic.Nqil
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	AutoIt/Injector.GKX!tr
AVG	Script:SNH-gen [Trj]
Paloalto	generic.ml

vsse.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All