Report - kizuna.exe

Created 2022.08.26 17:28 Machine s1_win7_x6401
Filename kizuna.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 5
Behavior Score 11.6
ZERO API (file): malware
VT API (file): 22 detected (AIDetect, malware2, malicious, moderate confidence, score, Artemis, Unsafe, Starter, InstallPack, Wacatac, Sabsik, Detected, R511719, CLOUD)
md5 10cc003a69a348849797e27eb11d74ea
sha256 fb0faef2d43ab2e360980b2b43483aeb22eefafaba5487e27a10dd91680077c0
ssdeep 49152:8LSihmdK5fDKhE9u4v4nXTjUgVmJQ/MVvvk9W0X4VoX7Z+dlpu4Gekx1:8moEKuE9uBHUgEJpOYo7Z+dlpu46D
imphash d1de84e4e19e5a9cd49215329c1ce5ba
impfuzzy 96:duwcusYTfChsFzycMVpXpqqrS2rZP+RGIXjqQo/UI:rcusYGsKwESiZP9IXuz/UI

Signature (29cnts)

Level Description
warning File has been identified by 22 AntiVirus engines on VirusTotal as malicious
watch A process attempted to delay the analysis task.
watch Installs itself for autorun at Windows startup
watch Looks for the Windows Idle Time to determine the uptime
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch The process powershell.exe wrote an executable file to disk
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops a binary and executes it
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Terminates another process
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info The executable uses a known packer
info The file contains an unknown PE resource name possibly indicative of a packer
info Uses Windows APIs to generate a cryptographic key

Rules (54cnts)

Level Name Description Collection
danger NPKI_Zero File included NPKI binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Network_Downloader File Downloader memory
watch schtasks_Zero task schedule memory
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate privileges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
notice local_credential_Steal Steal credential memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_FTP Communications over FTP memory
notice Network_HTTP Communications over HTTP memory
notice Network_P2P_Win Communications over P2P network memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice Persistence Install itself for autorun at Windows startup memory
notice ScreenShot Take ScreenShot memory
notice Sniff_Audio Record Audio memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info vmdetect_misc This rule is referenced from AlienVault's Yara rule repository and contains additional process and driver names. memory
info win_hook Affect hook table memory
info Win_Backdoor_AsyncRAT_Zero Win Backdoor AsyncRAT binaries (download)

Network (13cnts)

Request CC ASN Co IP4 Rule ZERO
https://pastebin.com/raw/w8m1pCNu US CLOUDFLARENET 104.20.68.143 clean
https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys US MICROSOFT-CORP-MSN-AS-BLOCK 20.200.245.247 clean
https://raw.githubusercontent.com/S1lentHash/newwatch/main/NewNewWatch.exe US FASTLY 185.199.110.133 21518 malware
https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe US MICROSOFT-CORP-MSN-AS-BLOCK 20.200.245.247 21520 malware
https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe US MICROSOFT-CORP-MSN-AS-BLOCK 20.200.245.247 21519 malware
https://raw.githubusercontent.com/S1lentHash/file_to_dwnld/main/WinRing0x64.sys US FASTLY 185.199.110.133 clean
https://raw.githubusercontent.com/S1lentHash/xmrig/main/xmrig.exe US FASTLY 185.199.110.133 21521 malicious
github.com US MICROSOFT-CORP-MSN-AS-BLOCK 20.200.245.247 malicious
raw.githubusercontent.com US FASTLY 185.199.111.133 malware
pastebin.com US CLOUDFLARENET 172.67.34.170 malicious
185.199.110.133 US FASTLY 185.199.110.133 malware
104.20.68.143 US CLOUDFLARENET 104.20.68.143 malicious
20.200.245.247 US MICROSOFT-CORP-MSN-AS-BLOCK 20.200.245.247 malware

Suricata IDS

PE API

IAT (Import Address Table) Library

COMCTL32.dll
 0x419010 None
SHELL32.dll
 0x419260 SHGetSpecialFolderPathW
 0x419264 ShellExecuteW
 0x419268 SHGetMalloc
 0x41926c SHGetPathFromIDListW
 0x419270 SHBrowseForFolderW
 0x419274 SHGetFileInfoW
 0x419278 ShellExecuteExW
GDI32.dll
 0x419018 CreateCompatibleDC
 0x41901c CreateFontIndirectW
 0x419020 DeleteObject
 0x419024 DeleteDC
 0x419028 GetCurrentObject
 0x41902c StretchBlt
 0x419030 GetDeviceCaps
 0x419034 CreateCompatibleBitmap
 0x419038 SelectObject
 0x41903c SetStretchBltMode
 0x419040 GetObjectW
ADVAPI32.dll
 0x419000 FreeSid
 0x419004 AllocateAndInitializeSid
 0x419008 CheckTokenMembership
USER32.dll
 0x419280 ScreenToClient
 0x419284 CreateWindowExW
 0x419288 GetClassNameA
 0x41928c GetMessageW
 0x419290 DispatchMessageW
 0x419294 GetWindowRect
 0x419298 DestroyWindow
 0x41929c CharUpperW
 0x4192a0 EndDialog
 0x4192a4 SendMessageW
 0x4192a8 wsprintfW
 0x4192ac MessageBoxW
 0x4192b0 GetParent
 0x4192b4 CopyImage
 0x4192b8 ReleaseDC
 0x4192bc GetWindowDC
 0x4192c0 SetWindowPos
 0x4192c4 GetMenu
 0x4192c8 KillTimer
 0x4192cc wsprintfA
 0x4192d0 GetWindowTextW
 0x4192d4 GetWindowTextLengthW
 0x4192d8 SetWindowTextW
 0x4192dc GetSysColor
 0x4192e0 MessageBoxA
 0x4192e4 GetKeyState
 0x4192e8 GetDlgItem
 0x4192ec GetClientRect
 0x4192f0 SetWindowLongW
 0x4192f4 UnhookWindowsHookEx
 0x4192f8 SetFocus
 0x4192fc GetSystemMetrics
 0x419300 SystemParametersInfoW
 0x419304 ShowWindow
 0x419308 DrawTextW
 0x41930c GetDC
 0x419310 ClientToScreen
 0x419314 GetWindow
 0x419318 DialogBoxIndirectParamW
 0x41931c DrawIconEx
 0x419320 CallWindowProcW
 0x419324 DefWindowProcW
 0x419328 CallNextHookEx
 0x41932c PtInRect
 0x419330 SetWindowsHookExW
 0x419334 LoadImageW
 0x419338 LoadIconW
 0x41933c MessageBeep
 0x419340 EnableWindow
 0x419344 IsWindow
 0x419348 EnableMenuItem
 0x41934c GetSystemMenu
 0x419350 wvsprintfW
 0x419354 GetWindowLongW
 0x419358 SetTimer
ole32.dll
 0x419360 CreateStreamOnHGlobal
 0x419364 CoCreateInstance
 0x419368 CoInitialize
OLEAUT32.dll
 0x419250 VariantClear
 0x419254 SysAllocStringLen
 0x419258 OleLoadPicture
KERNEL32.dll
 0x419048 WaitForMultipleObjects
 0x41904c DeleteCriticalSection
 0x419050 EnterCriticalSection
 0x419054 VirtualFree
 0x419058 GetModuleHandleA
 0x41905c LeaveCriticalSection
 0x419060 VirtualAlloc
 0x419064 GetFileInformationByHandle
 0x419068 SetEndOfFile
 0x41906c SetFileTime
 0x419070 ReadFile
 0x419074 SetFilePointer
 0x419078 GetFileSize
 0x41907c FormatMessageW
 0x419080 lstrcpyW
 0x419084 LocalFree
 0x419088 IsBadReadPtr
 0x41908c SuspendThread
 0x419090 TerminateThread
 0x419094 GetSystemDirectoryW
 0x419098 GetCurrentThreadId
 0x41909c InitializeCriticalSection
 0x4190a0 ResetEvent
 0x4190a4 SetEvent
 0x4190a8 CreateEventW
 0x4190ac GetVersionExW
 0x4190b0 GetModuleFileNameW
 0x4190b4 GetCurrentProcess
 0x4190b8 SetProcessWorkingSetSize
 0x4190bc SetCurrentDirectoryW
 0x4190c0 GetDriveTypeW
 0x4190c4 CreateFileW
 0x4190c8 GetCommandLineW
 0x4190cc GetStartupInfoW
 0x4190d0 CreateProcessW
 0x4190d4 CreateJobObjectW
 0x4190d8 ResumeThread
 0x4190dc AssignProcessToJobObject
 0x4190e0 CreateIoCompletionPort
 0x4190e4 SetInformationJobObject
 0x4190e8 GetQueuedCompletionStatus
 0x4190ec GetExitCodeProcess
 0x4190f0 SetEnvironmentVariableW
 0x4190f4 GetTempPathW
 0x4190f8 CloseHandle
 0x4190fc SetThreadLocale
 0x419100 lstrlenW
 0x419104 GetSystemTimeAsFileTime
 0x419108 ExpandEnvironmentStringsW
 0x41910c CompareFileTime
 0x419110 WideCharToMultiByte
 0x419114 FindFirstFileW
 0x419118 lstrcmpW
 0x41911c DeleteFileW
 0x419120 FindNextFileW
 0x419124 FindClose
 0x419128 RemoveDirectoryW
 0x41912c GetEnvironmentVariableW
 0x419130 lstrcmpiW
 0x419134 GetLocaleInfoW
 0x419138 MultiByteToWideChar
 0x41913c GetUserDefaultUILanguage
 0x419140 GetSystemDefaultUILanguage
 0x419144 GetSystemDefaultLCID
 0x419148 lstrcmpiA
 0x41914c GlobalAlloc
 0x419150 GlobalFree
 0x419154 MulDiv
 0x419158 FindResourceExA
 0x41915c SizeofResource
 0x419160 LoadResource
 0x419164 LockResource
 0x419168 ExitProcess
 0x41916c lstrcatW
 0x419170 GetDiskFreeSpaceExW
 0x419174 SetFileAttributesW
 0x419178 SetLastError
 0x41917c Sleep
 0x419180 GetExitCodeThread
 0x419184 WaitForSingleObject
 0x419188 CreateThread
 0x41918c GetLastError
 0x419190 SystemTimeToFileTime
 0x419194 GetLocalTime
 0x419198 GetFileAttributesW
 0x41919c CreateDirectoryW
 0x4191a0 lstrlenA
 0x4191a4 WriteFile
 0x4191a8 GetStdHandle
 0x4191ac GetModuleHandleW
 0x4191b0 GetProcAddress
 0x4191b4 LoadLibraryA
 0x4191b8 GetStartupInfoA
MSVCRT.dll
 0x4191c0 _purecall
 0x4191c4 memcmp
 0x4191c8 ??2@YAPAXI@Z
 0x4191cc memmove
 0x4191d0 memcpy
 0x4191d4 _wtol
 0x4191d8 _controlfp
 0x4191dc _except_handler3
 0x4191e0 __set_app_type
 0x4191e4 __p__fmode
 0x4191e8 __p__commode
 0x4191ec _adjust_fdiv
 0x4191f0 __setusermatherr
 0x4191f4 _initterm
 0x4191f8 __getmainargs
 0x4191fc _acmdln
 0x419200 exit
 0x419204 _XcptFilter
 0x419208 _exit
 0x41920c ??1type_info@@UAE@XZ
 0x419210 _onexit
 0x419214 __dllonexit
 0x419218 malloc
 0x41921c free
 0x419220 wcscmp
 0x419224 wcsstr
 0x419228 _CxxThrowException
 0x41922c _beginthreadex
 0x419230 _EH_prolog
 0x419234 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z
 0x419238 memset
 0x41923c _wcsnicmp
 0x419240 strncmp
 0x419244 wcsncmp
 0x419248 ??3@YAXPAX@Z

EAT (Export Address Table): none