Cuckoo Sandbox

File 01152-11-12-24.rar

Summary
Download Resubmit sample

Size	717.1KB
Type	RAR archive data, v5
MD5	`fa42e59d43e15adce2510610d069b02b`
SHA1	`b6c270cdae1118b21683a341480122af95ce8f7d`
SHA256	`c2fbf872d07e45eed6245595d85a7600081a1560b1a516311737ba6275c9a449`
SHA512	`7dba8e85fc411bdb3769b57b4f95d5ff2bcbdad65e1c0081620dc42ea8de0fa6815881daa054adecf2a7eadaf35021074cc1574af8c95b421882b1cbf2f04165`
CRC32	`CB93B00C`
ssdeep	`None`
Yara	None matched

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis

Category	Started	Completed	Duration	Routing	Logs
FILE	Dec. 14, 2024, 4:55 p.m.	Dec. 14, 2024, 5:02 p.m.	397 seconds	internet	Show Analyzer Log Show Cuckoo Log

Analyzer Log

2024-12-11 10:30:02,000 [analyzer] DEBUG: Starting analyzer from: C:\tmpriinqn
2024-12-11 10:30:02,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\cQAzFGPpoLvYAUOUTNmAm
2024-12-11 10:30:02,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\rPzIGVVyYIMzqWPivShUcQnIZWsRLPS
2024-12-11 10:30:02,328 [analyzer] DEBUG: Started auxiliary module Curtain
2024-12-11 10:30:02,328 [analyzer] DEBUG: Started auxiliary module DbgView
2024-12-11 10:30:02,780 [analyzer] DEBUG: Started auxiliary module Disguise
2024-12-11 10:30:03,000 [analyzer] DEBUG: Loaded monitor into process with pid 512
2024-12-11 10:30:03,000 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2024-12-11 10:30:03,000 [analyzer] DEBUG: Started auxiliary module Human
2024-12-11 10:30:03,000 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2024-12-11 10:30:03,000 [analyzer] DEBUG: Started auxiliary module Reboot
2024-12-11 10:30:03,062 [analyzer] DEBUG: Started auxiliary module RecentFiles
2024-12-11 10:30:03,062 [analyzer] DEBUG: Started auxiliary module Screenshots
2024-12-11 10:30:03,062 [analyzer] DEBUG: Started auxiliary module Sysmon
2024-12-11 10:30:03,062 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2024-12-11 10:30:03,062 [modules.packages.rar] INFO: None
2024-12-11 10:30:03,203 [modules.packages.rar] DEBUG: Missing file option, auto executing: 01152-11-12-24.exe
2024-12-11 10:30:03,375 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\01152-11-12-24.exe' with arguments '' and pid 576
2024-12-11 10:30:03,640 [analyzer] DEBUG: Loaded monitor into process with pid 576
2024-12-11 10:30:03,750 [analyzer] INFO: Added new file to list with pid 576 and path C:\Users\Administrator\AppData\Local\Temp\autD61E.tmp
2024-12-11 10:30:06,546 [analyzer] INFO: Injected into process with pid 2808 and name u'svchost.exe'
2024-12-11 10:30:06,905 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 576.
2024-12-11 10:30:06,921 [analyzer] DEBUG: Loaded monitor into process with pid 2808
2024-12-11 10:30:07,405 [analyzer] INFO: Process with pid 576 has terminated
2024-12-11 10:30:32,405 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2024-12-11 10:30:32,608 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 2808.
2024-12-11 10:30:32,921 [analyzer] INFO: Terminating remaining processes before shutdown.
2024-12-11 10:30:32,921 [lib.api.process] INFO: Successfully terminated process with pid 2808.
2024-12-11 10:30:32,921 [analyzer] INFO: Analysis completed.

Cuckoo Log

2024-12-14 16:55:57,184 [cuckoo.core.scheduler] DEBUG: Task #5654380: no machine available yet
2024-12-14 16:55:58,210 [cuckoo.core.scheduler] DEBUG: Task #5654380: no machine available yet
2024-12-14 16:55:59,234 [cuckoo.core.scheduler] DEBUG: Task #5654380: no machine available yet
2024-12-14 16:56:00,265 [cuckoo.core.scheduler] DEBUG: Task #5654380: no machine available yet
2024-12-14 16:56:01,289 [cuckoo.core.scheduler] DEBUG: Task #5654380: no machine available yet
2024-12-14 16:56:02,347 [cuckoo.core.scheduler] DEBUG: Task #5654380: no machine available yet
2024-12-14 16:56:03,368 [cuckoo.core.scheduler] DEBUG: Task #5654380: no machine available yet
2024-12-14 16:56:04,390 [cuckoo.core.scheduler] DEBUG: Task #5654380: no machine available yet
2024-12-14 16:56:05,416 [cuckoo.core.scheduler] DEBUG: Task #5654380: no machine available yet
2024-12-14 16:56:06,457 [cuckoo.core.scheduler] DEBUG: Task #5654380: no machine available yet
2024-12-14 16:56:07,513 [cuckoo.core.scheduler] DEBUG: Task #5654380: no machine available yet
2024-12-14 16:56:08,587 [cuckoo.core.scheduler] DEBUG: Task #5654380: no machine available yet
2024-12-14 16:56:09,636 [cuckoo.core.scheduler] DEBUG: Task #5654380: no machine available yet
2024-12-14 16:56:10,681 [cuckoo.core.scheduler] DEBUG: Task #5654380: no machine available yet
2024-12-14 16:56:11,835 [cuckoo.core.scheduler] INFO: Task #5654380: acquired machine win7x6426 (label=win7x6426)
2024-12-14 16:56:11,837 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.226 for task #5654380
2024-12-14 16:56:12,170 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 228393 (interface=vboxnet0, host=192.168.168.226)
2024-12-14 16:56:12,200 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6426
2024-12-14 16:56:12,796 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6426 to vmcloak
2024-12-14 16:59:52,324 [cuckoo.core.guest] INFO: Starting analysis #5654380 on guest (id=win7x6426, ip=192.168.168.226)
2024-12-14 16:59:53,329 [cuckoo.core.guest] DEBUG: win7x6426: not ready yet
2024-12-14 16:59:58,351 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6426, ip=192.168.168.226)
2024-12-14 16:59:58,439 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6426, ip=192.168.168.226, monitor=latest, size=6660546)
2024-12-14 16:59:59,730 [cuckoo.core.resultserver] DEBUG: Task #5654380: live log analysis.log initialized.
2024-12-14 17:00:00,683 [cuckoo.core.resultserver] DEBUG: Task #5654380 is sending a BSON stream
2024-12-14 17:00:01,337 [cuckoo.core.resultserver] DEBUG: Task #5654380 is sending a BSON stream
2024-12-14 17:00:01,535 [cuckoo.core.resultserver] DEBUG: Task #5654380: File upload for 'files/5cc75da4a0171753_autD61E.tmp'
2024-12-14 17:00:01,653 [cuckoo.core.resultserver] DEBUG: Task #5654380 uploaded file length: 289280
2024-12-14 17:00:01,985 [cuckoo.core.resultserver] DEBUG: Task #5654380: File upload for 'shots/0001.jpg'
2024-12-14 17:00:01,996 [cuckoo.core.resultserver] DEBUG: Task #5654380 uploaded file length: 133624
2024-12-14 17:00:04,592 [cuckoo.core.resultserver] DEBUG: Task #5654380 is sending a BSON stream
2024-12-14 17:00:14,472 [cuckoo.core.guest] DEBUG: win7x6426: analysis #5654380 still processing
2024-12-14 17:00:29,571 [cuckoo.core.guest] DEBUG: win7x6426: analysis #5654380 still processing
2024-12-14 17:00:30,473 [cuckoo.core.resultserver] DEBUG: Task #5654380: File upload for 'curtain/1733909432.72.curtain.log'
2024-12-14 17:00:30,477 [cuckoo.core.resultserver] DEBUG: Task #5654380 uploaded file length: 36
2024-12-14 17:00:30,625 [cuckoo.core.resultserver] DEBUG: Task #5654380: File upload for 'sysmon/1733909432.88.sysmon.xml'
2024-12-14 17:00:30,667 [cuckoo.core.resultserver] DEBUG: Task #5654380 uploaded file length: 1830330
2024-12-14 17:00:30,801 [cuckoo.core.resultserver] DEBUG: Task #5654380 had connection reset for <Context for LOG>
2024-12-14 17:00:32,597 [cuckoo.core.guest] INFO: win7x6426: analysis completed successfully
2024-12-14 17:00:32,614 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2024-12-14 17:00:32,648 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2024-12-14 17:00:33,618 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6426 to path /srv/cuckoo/cwd/storage/analyses/5654380/memory.dmp
2024-12-14 17:00:33,619 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6426
2024-12-14 17:02:34,487 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.226 for task #5654380
2024-12-14 17:02:34,879 [cuckoo.core.scheduler] DEBUG: Released database task #5654380
2024-12-14 17:02:34,896 [cuckoo.core.scheduler] INFO: Task #5654380: analysis procedure completed

Signatures

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 11, 2024, 11:30 a.m.	process_identifier: 576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 20480 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011a6000 process_handle: 0xffffffff	1	0	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 11, 2024, 11:30 a.m.			0	0

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Dec. 11, 2024, 11:30 a.m.	thread_identifier: 2032 thread_handle: 0x00000134 process_identifier: 2808 current_directory: filepath: C:\Windows\System32\svchost.exe track: 1 command_line: "C:\Users\Administrator\AppData\Local\Temp\01152-11-12-24.exe" filepath_r: C:\Windows\System32\svchost.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000130	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Process injection

Process 576 called NtSetContextThread to modify thread in remote process 2808

Time & API	Arguments	Status	Return	Repeated
NtSetContextThread Dec. 11, 2024, 11:30 a.m.	registers.eip: 2005008820 registers.esp: 851896 registers.edi: 0 registers.eax: 4199376 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000134 process_identifier: 2808	1	0	0

File has been identified by 13 AntiVirus engine on IRMA as malicious (13 events)

G Data Antivirus (Windows)	Virus: Trojan.Generic.37170472 (Engine A)
Avast Core Security (Linux)	Win32:Malware-gen
C4S ClamAV (Linux)	C4S.MALWARE.SHA256.AUTOGEN.61491051.UNOFFICIAL
F-Secure Antivirus (Linux)	Trojan.TR/AD.Swotter.ljbhu [Aquarius]
Windows Defender (Windows)	Trojan:Win32/AutoitInject.HNA!MTB
Forticlient (Linux)	PossibleThreat.FORTIEDR.H
Sophos Anti-Virus (Linux)	Troj/AutoIt-DHB
eScan Antivirus (Linux)	Trojan.Generic.37170472(DB)
ESET Security (Windows)	Win32/Formbook.AK trojan
DrWeb Antivirus (Linux)	Trojan.Inject5.13350
Bitdefender Antivirus (Linux)	Trojan.Generic.37170472
Kaspersky Standard (Windows)	Trojan.Win32.Injuke.onba
Emsisoft Commandline Scanner (Windows)	Trojan.Generic.37170472 (B)

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

CAT-QuickHeal	TrojanPWS.AutoIt.Zbot.S
Malwarebytes	Trojan.Injector.AutoIt
VirIT	Trojan.Win32.Banker1.CBKV
Sophos	Troj/AutoIt-DHB
Google	Detected
Varist	W32/AutoIt.OL.gen!Eldorado
VBA32	Trojan.Autoit.Shellcrun

Screenshots

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action	VT	Location
No hosts contacted.

Browser recommendation

File 01152-11-12-24.rar

Summary Download Resubmit sample

Score

Feedback

Information on Execution

Analyzer Log

Cuckoo Log

Signatures

Feedback

Summary
Download Resubmit sample