Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 2, 2021, 10:37 a.m.	April 2, 2021, 10:54 a.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`73e662d533f7469a086abb6ec7de6c94`
SHA256	`0734e8907cb7ff021d602a5046fd6b2b3790ef37113eb2faf3c6e23425e4755c`
CRC32	`4EC75D7A`
ssdeep	`24576:dtj3hcRL6qnSNAeU2cMylR1u+/OaVqunDv7:ORWqniH+7jD`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Zero

AsyncClientCrypt.exe "C:\Users\test22\AppData\Local\Temp\AsyncClientCrypt.exe"
4656
cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "clientx" /tr '"C:\Users\test22\AppData\Roaming\clientx.exe"' & exit
5168
- schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "clientx" /tr '"C:\Users\test22\AppData\Roaming\clientx.exe"'
  5992
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmp1675.tmp.bat""
4780
- timeout.exe timeout 3
  3968
- clientx.exe "C:\Users\test22\AppData\Roaming\clientx.exe"
  6456
  - clientx.exe "C:\Users\test22\AppData\Roaming\clientx.exe"
    6028

Name	Response	Post-Analysis Lookup
www.google.com	A 172.217.24.196 A 172.217.163.228	172.217.174.100

IP Address	Status	Action
13.107.21.200	Active	Moloch
164.124.101.2	Active	Moloch
172.217.163.228	Active	Moloch
172.217.24.196	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 2, 2021, 10:39 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 2, 2021, 10:37 a.m.			0	0
IsDebuggerPresent April 2, 2021, 10:37 a.m.			0	0
IsDebuggerPresent April 2, 2021, 10:39 a.m.			0	0
IsDebuggerPresent April 2, 2021, 10:39 a.m.			0	0
IsDebuggerPresent April 2, 2021, 10:39 a.m.			0	0
IsDebuggerPresent April 2, 2021, 10:39 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 2, 2021, 10:39 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1	0
WriteConsoleW April 2, 2021, 10:39 a.m.	buffer: SUCCESS: The scheduled task "clientx" has successfully been created. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 2, 2021, 10:37 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://www.google.com/
suspicious_features	GET method with no useragent header				suspicious_request	GET https://www.bing.com/

Performs some HTTP requests (2 events)

request	GET https://www.google.com/
request	GET https://www.bing.com/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 289 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02100000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02101000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02102000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02103000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02104000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02105000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02106000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02107000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02108000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02109000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 124416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056f0400 process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0210e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05831000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056f0178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056f01a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056f01c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056f01f0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056f0218 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0570f15e process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0570f152 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0570ea00 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0570f16c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0570f190 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 4656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0570f198 process_handle: 0xffffffff		3221225550

Creates a suspicious process (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "clientx" /tr '"C:\Users\test22\AppData\Roaming\clientx.exe"'

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\clientx.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\clientx.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 2, 2021, 10:37 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 2, 2021, 10:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 2, 2021, 10:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (26 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Create or check mutex	rule	win_mutex
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Listen for incoming communication	rule	network_tcp_listen
description	Create or check mutex	rule	win_mutex
description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "clientx" /tr '"C:\Users\test22\AppData\Roaming\clientx.exe"'

Communicates with host for which no DNS query was performed (2 events)

host	13.107.21.200
host	172.217.25.14

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 8728 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000023c	1	0
NtAllocateVirtualMemory April 2, 2021, 10:39 a.m.	process_identifier: 6028 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234		3221225496
NtAllocateVirtualMemory April 2, 2021, 10:39 a.m.	process_identifier: 6028 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234	1	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 2, 2021, 10:37 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (2 events)

description	AsyncClientCrypt.exe tried to sleep 8184510 seconds, actually delayed analysis time by 8184510 seconds
description	clientx.exe tried to sleep 8184515 seconds, actually delayed analysis time by 8184515 seconds

Installs itself for autorun at Windows startup (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "clientx" /tr '"C:\Users\test22\AppData\Roaming\clientx.exe"'

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4656 manipulating memory of non-child process 8728
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 8728 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000023c	1	0	0

Potential code injection by writing to the memory of another process (7 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4656 injected into non-child 8728
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨f^Ç à@ @ÇWàTb` H.textd§ ¨ `.rsrcTbàdª@@.reloc`@B base_address: 0x00400000 process_identifier: 8728 process_handle: 0x0000023c	1	1	0
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: À`7 base_address: 0x00416000 process_identifier: 8728 process_handle: 0x0000023c	1	1	0
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 8728 process_handle: 0x0000023c	1	1	0
WriteProcessMemory April 2, 2021, 10:39 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨f^Ç à@ @ÇWàTb` H.textd§ ¨ `.rsrcTbàdª@@.reloc`@B base_address: 0x000b0000 process_identifier: 6028 process_handle: 0x00000234	1	1	0
WriteProcessMemory April 2, 2021, 10:39 a.m.	buffer: À`7 base_address: 0x000c6000 process_identifier: 6028 process_handle: 0x00000234	1	1	0
WriteProcessMemory April 2, 2021, 10:39 a.m.	buffer: base_address: 0x7efde008 process_identifier: 6028 process_handle: 0x00000234	1	1	0

Code injection by writing an executable or DLL to the memory of another process (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4656 injected into non-child 8728
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨f^Ç à@ @ÇWàTb` H.textd§ ¨ `.rsrcTbàdª@@.reloc`@B base_address: 0x00400000 process_identifier: 8728 process_handle: 0x0000023c	1	1	0
WriteProcessMemory April 2, 2021, 10:39 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨f^Ç à@ @ÇWàTb` H.textd§ ¨ `.rsrcTbàdª@@.reloc`@B base_address: 0x000b0000 process_identifier: 6028 process_handle: 0x00000234	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4656 called NtSetContextThread to modify thread in remote process 8728
Process injection	Process 6456 called NtSetContextThread to modify thread in remote process 6028
NtSetContextThread April 2, 2021, 10:38 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245342 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000238 process_identifier: 8728	1	0	0
NtSetContextThread April 2, 2021, 10:39 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245342 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000228 process_identifier: 6028	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (2 events)

file	C:\Users\test22\AppData\Local\Temp\AsyncClientCrypt.exe\:Zone.Identifier
file	C:\Users\test22\AppData\Roaming\clientx.exe\:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4656 resumed a thread in remote process 8728
Process injection	Process 4780 resumed a thread in remote process 6456
Process injection	Process 6456 resumed a thread in remote process 6028
NtResumeThread April 2, 2021, 10:38 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 8728	1	0	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 6456	1	0	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 6028	1	0	0

Executed a process and injected code into it, probably while unpacking (48 events)

Time & API	Arguments	Status	Return
NtResumeThread April 2, 2021, 10:37 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 4656	1	0
NtResumeThread April 2, 2021, 10:37 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 4656	1	0
NtResumeThread April 2, 2021, 10:37 a.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 4656	1	0
NtResumeThread April 2, 2021, 10:37 a.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 4656	1	0
NtResumeThread April 2, 2021, 10:37 a.m.	thread_handle: 0x000005f4 suspend_count: 1 process_identifier: 4656	1	0
NtResumeThread April 2, 2021, 10:37 a.m.	thread_handle: 0x0000061c suspend_count: 1 process_identifier: 4656	1	0
NtResumeThread April 2, 2021, 10:37 a.m.	thread_handle: 0x0000063c suspend_count: 1 process_identifier: 4656	1	0
NtResumeThread April 2, 2021, 10:37 a.m.	thread_handle: 0x00000650 suspend_count: 1 process_identifier: 4656	1	0
NtResumeThread April 2, 2021, 10:37 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 4656	1	0
NtResumeThread April 2, 2021, 10:37 a.m.	thread_handle: 0x00000234 suspend_count: 1 process_identifier: 4656	1	0
CreateProcessInternalW April 2, 2021, 10:37 a.m.	thread_identifier: 8324 thread_handle: 0x00000238 process_identifier: 8728 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\AsyncClientCrypt.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\AsyncClientCrypt.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\AsyncClientCrypt.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000023c	1	1
NtGetContextThread April 2, 2021, 10:37 a.m.	thread_handle: 0x00000238	1	0
NtAllocateVirtualMemory April 2, 2021, 10:37 a.m.	process_identifier: 8728 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000023c	1	0
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨f^Ç à@ @ÇWàTb` H.textd§ ¨ `.rsrcTbàdª@@.reloc`@B base_address: 0x00400000 process_identifier: 8728 process_handle: 0x0000023c	1	1
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: base_address: 0x00402000 process_identifier: 8728 process_handle: 0x0000023c	1	1
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: base_address: 0x0040e000 process_identifier: 8728 process_handle: 0x0000023c	1	1
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: À`7 base_address: 0x00416000 process_identifier: 8728 process_handle: 0x0000023c	1	1
WriteProcessMemory April 2, 2021, 10:38 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 8728 process_handle: 0x0000023c	1	1
NtSetContextThread April 2, 2021, 10:38 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245342 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000238 process_identifier: 8728	1	0
NtResumeThread April 2, 2021, 10:38 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 8728	1	0
CreateProcessInternalW April 2, 2021, 10:39 a.m.	thread_identifier: 5860 thread_handle: 0x00000084 process_identifier: 5992 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "clientx" /tr '"C:\Users\test22\AppData\Roaming\clientx.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW April 2, 2021, 10:39 a.m.	thread_identifier: 3456 thread_handle: 0x00000084 process_identifier: 3968 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 3 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW April 2, 2021, 10:39 a.m.	thread_identifier: 9112 thread_handle: 0x00000088 process_identifier: 6456 current_directory: filepath: C:\Users\test22\AppData\Roaming\clientx.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\clientx.exe" filepath_r: C:\Users\test22\AppData\Roaming\clientx.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 6456	1	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 6456	1	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 6456	1	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 6456	1	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 6456	1	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x00000608 suspend_count: 1 process_identifier: 6456	1	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x00000634 suspend_count: 1 process_identifier: 6456	1	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x00000650 suspend_count: 1 process_identifier: 6456	1	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x00000664 suspend_count: 1 process_identifier: 6456	1	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 6456	1	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 6456	1	0
CreateProcessInternalW April 2, 2021, 10:39 a.m.	thread_identifier: 4804 thread_handle: 0x00000228 process_identifier: 6028 current_directory: filepath: C:\Users\test22\AppData\Roaming\clientx.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\clientx.exe" filepath_r: C:\Users\test22\AppData\Roaming\clientx.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000234	1	1
NtGetContextThread April 2, 2021, 10:39 a.m.	thread_handle: 0x00000228	1	0
NtAllocateVirtualMemory April 2, 2021, 10:39 a.m.	process_identifier: 6028 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234		3221225496
NtAllocateVirtualMemory April 2, 2021, 10:39 a.m.	process_identifier: 6028 region_size: 98304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234	1	0
WriteProcessMemory April 2, 2021, 10:39 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#·^à¨f^Ç à@ @ÇWàTb` H.textd§ ¨ `.rsrcTbàdª@@.reloc`@B base_address: 0x000b0000 process_identifier: 6028 process_handle: 0x00000234	1	1
WriteProcessMemory April 2, 2021, 10:39 a.m.	buffer: base_address: 0x000b2000 process_identifier: 6028 process_handle: 0x00000234	1	1
WriteProcessMemory April 2, 2021, 10:39 a.m.	buffer: base_address: 0x000be000 process_identifier: 6028 process_handle: 0x00000234	1	1
WriteProcessMemory April 2, 2021, 10:39 a.m.	buffer: À`7 base_address: 0x000c6000 process_identifier: 6028 process_handle: 0x00000234	1	1
WriteProcessMemory April 2, 2021, 10:39 a.m.	buffer: base_address: 0x7efde008 process_identifier: 6028 process_handle: 0x00000234	1	1
NtSetContextThread April 2, 2021, 10:39 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245342 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000228 process_identifier: 6028	1	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 6028	1	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 6028	1	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 6028	1	0
NtResumeThread April 2, 2021, 10:39 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 6028	1	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

MicroWorld-eScan	Gen:Variant.Bulz.396289
FireEye	Generic.mg.73e662d533f7469a
CAT-QuickHeal	Trojanpws.Msil
McAfee	PWS-FCWJ!73E662D533F7
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2987033
K7AntiVirus	Trojan ( 0057933d1 )
Alibaba	TrojanPSW:MSIL/Tnega.6aaa2aec
K7GW	Trojan ( 0057933d1 )
CrowdStrike	win/malicious_confidence_90% (W)
Cyren	W32/MSIL_Kryptik.DNS.gen!Eldorado
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of MSIL/Kryptik.AAAB
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Gen:Variant.Bulz.396289
NANO-Antivirus	Trojan.Win32.Agensla.irhlka
Paloalto	generic.ml
Ad-Aware	Gen:Variant.Bulz.396289
Emsisoft	Trojan.Crypt (A)
DrWeb	Trojan.Inject4.9779
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0PCN21
McAfee-GW-Edition	PWS-FCWJ!73E662D533F7
Sophos	Mal/Generic-S
Jiangmin	Trojan.PSW.MSIL.bjrg
Avira	TR/Kryptik.rbaco
Microsoft	Trojan:MSIL/Tnega.RV!MTB
AegisLab	Trojan.MSIL.Agensla.i!c
GData	Gen:Variant.Bulz.396289
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.FormBook.C4371254
BitDefenderTheta	Gen:NN.ZemsilF.34662.Dn0@a4t10Te
ALYac	Gen:Variant.Bulz.396289
MAX	malware (ai score=80)
Malwarebytes	Trojan.Crypt.MSIL
TrendMicro-HouseCall	TROJ_GEN.R002C0PCN21
Rising	Trojan.Kryptik!8.8 (CLOUD)
Yandex	Trojan.Kryptik!efPS65bmD/U
Ikarus	Trojan.MSIL.Crypt
Fortinet	MSIL/Kryptik.ZXL!tr
Webroot	W32.Trojan.Gen
AVG	Win32:Malware-gen
Cybereason	malicious.533f74
Panda	Trj/GdSda.A
Qihoo-360	Win32/TrojanSpy.AgentTesla.HwMAGuUA

AsyncClientCrypt.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All