Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 6, 2021, 5:10 p.m.	April 6, 2021, 5:13 p.m.

Size	7.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6be41709f8bfbf06307cc56d04249801`
SHA256	`0099e62ea3beb0f1631eb088bd697fd829963713ef4cb0e3a0a72b8c950c2383`
CRC32	`F4B3FBBE`
ssdeep	`192:3rFqRMky3fM9V7FKI47Wd+h4+0XoQ9DWhL3mj9:3rFqRMh3KlFP47Wd+hr059UL3m`
PDB Path	C:\Users\Test\source\repos\Pastebin Payload\Pastebin Payload\obj\Release\Pastebin Payload.pdb
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check

china.png "C:\Users\test22\AppData\Local\Temp\china.png"
2616
- XOgDqunVX46N34uCcUJSJmnx.exe "C:\Users\test22\AppData\Roaming\XOgDqunVX46N34uCcUJSJmnx.exe"
  8084

Name	Response	Post-Analysis Lookup
gwenetha.info	A 172.67.131.232 A 104.21.12.27	172.67.131.232
pastebin.com	A 104.23.99.190 A 104.23.98.190	104.23.99.190
iplogger.org	A 88.99.66.31	88.99.66.31
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.129.233
whatitis.website

IP Address	Status	Action
104.21.12.27	Active	Moloch
104.23.98.190	Active	Moloch
162.159.129.233	Active	Moloch
162.159.130.233	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 6, 2021, 5:10 p.m.			0	0
IsDebuggerPresent April 6, 2021, 5:10 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

C:\Users\Test\source\repos\Pastebin Payload\Pastebin Payload\obj\Release\Pastebin Payload.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 6, 2021, 5:10 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/gCyjHCCH
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826198252025675816/826538114838298715/install_setupVPSfree.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://gwenetha.info/setup-KGQJ-1.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826531006563352596/Bussed_2021-03-30_21-01.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826469949593485312/file.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/2LehR6.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826855866228670474/7525b875715555.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826540039764705360/7525b875713675d4ff0018cf084f493a4e4977de_2021-03-30_22-25.exe

Performs some HTTP requests (8 events)

request	GET https://pastebin.com/raw/gCyjHCCH
request	GET https://cdn.discordapp.com/attachments/826198252025675816/826538114838298715/install_setupVPSfree.exe
request	GET https://gwenetha.info/setup-KGQJ-1.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826531006563352596/Bussed_2021-03-30_21-01.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826469949593485312/file.exe
request	GET https://iplogger.org/2LehR6.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826855866228670474/7525b875715555.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826540039764705360/7525b875713675d4ff0018cf084f493a4e4977de_2021-03-30_22-25.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 58 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0831000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0ecb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 2555904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000ba0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000d90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0832000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0834000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0834000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0834000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef0834000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9108a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9113c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91166000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9109c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe910ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe911b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9109a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9108b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe910dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe910ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91082000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe911f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe910dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe911f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9109b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91200000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91201000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91202000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91203000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91204000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91205000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 6, 2021, 5:10 p.m.	process_identifier: 2616 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91206000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\XOgDqunVX46N34uCcUJSJmnx.exe
file	C:\Users\test22\AppData\Roaming\eVoL6CWPk2GiuV5d2rWq3ZrV.exe
file	C:\Users\test22\AppData\Roaming\pfKACVQFoS0T6HDJ6Ce1XAvH.exe

Drops a binary and executes it (3 events)

file	C:\Users\test22\AppData\Roaming\eVoL6CWPk2GiuV5d2rWq3ZrV.exe
file	C:\Users\test22\AppData\Roaming\pfKACVQFoS0T6HDJ6Ce1XAvH.exe
file	C:\Users\test22\AppData\Roaming\XOgDqunVX46N34uCcUJSJmnx.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\XOgDqunVX46N34uCcUJSJmnx.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 6, 2021, 5:10 p.m.	flags: 15 family: 0		111	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\JlCRlsppuDBI7ka5QlQ3hW2B9xNetVNj	reg_value	C:\Users\test22\AppData\Roaming\eVoL6CWPk2GiuV5d2rWq3ZrV.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CLCYL5ZultVpcy1N8hXaIB8GFoTOGAXC	reg_value	C:\Users\test22\AppData\Roaming\pfKACVQFoS0T6HDJ6Ce1XAvH.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\1MwSIgN3CAHVAkCKDSn1Rs6AN5TglLok	reg_value	C:\Users\test22\AppData\Roaming\XOgDqunVX46N34uCcUJSJmnx.exe

Generates some ICMP traffic

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

MicroWorld-eScan	Gen:Variant.Bulz.406461
FireEye	Generic.mg.6be41709f8bfbf06
McAfee	RDN/Generic Downloader.x
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 004d40511 )
Alibaba	TrojanPSW:MSIL/Racealer.d036ce19
K7GW	Trojan-Downloader ( 004d40511 )
Cybereason	malicious.9f8bfb
Arcabit	Trojan.Bulz.D633BD
Cyren	W32/Trojan.MEWZ-9122
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.BCI
APEX	Malicious
Avast	Win32:DropperX-gen [Drp]
Kaspersky	HEUR:Trojan-PSW.MSIL.Racealer.gen
BitDefender	Gen:Variant.Bulz.406461
Paloalto	generic.ml
Ad-Aware	Gen:Variant.Bulz.406461
Emsisoft	Trojan.Agent (A)
Comodo	Malware@#3tzfnsb5jcfa5
DrWeb	Trojan.Siggen12.62789
VIPRE	Win32.Malware!Drop
McAfee-GW-Edition	RDN/Generic Downloader.x
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Tiny
Webroot	W32.Trojan.Gen
Avira	TR/Dldr.Agent.zjrdy
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Downloader.vb
Microsoft	Trojan:Win32/Ymacco.AA00
AegisLab	Trojan.Win32.Bulz.4!c
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Racealer.gen
GData	Gen:Variant.Bulz.406461
Cynet	Malicious (score: 90)
AhnLab-V3	Trojan/Win.UN.C4401427
BitDefenderTheta	Gen:NN.ZemsilF.34670.am0@aaeyfup
ALYac	Gen:Variant.Bulz.406461
MAX	malware (ai score=99)
Malwarebytes	Trojan.Downloader.MSIL.Generic
TrendMicro-HouseCall	TROJ_GEN.R002H0CCV21
Rising	Downloader.Agent!8.B23 (CLOUD)
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Agent.BCI!tr
MaxSecure	Trojan.Malware.74493398.susgen
AVG	Win32:DropperX-gen [Drp]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/TrojanSpy.Raccoon.HgIASR0A

china.png

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All