Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x3201	April 7, 2021, 10:24 a.m.	April 7, 2021, 10:26 a.m.

Size	7.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6be41709f8bfbf06307cc56d04249801`
SHA256	`0099e62ea3beb0f1631eb088bd697fd829963713ef4cb0e3a0a72b8c950c2383`
CRC32	`F4B3FBBE`
ssdeep	`192:3rFqRMky3fM9V7FKI47Wd+h4+0XoQ9DWhL3mj9:3rFqRMh3KlFP47Wd+hr059UL3m`
PDB Path	C:\Users\Test\source\repos\Pastebin Payload\Pastebin Payload\obj\Release\Pastebin Payload.pdb
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check

china.png "C:\Users\Administrator\AppData\Local\Temp\china.png"
6816
- ntvdm.exe "C:\Windows\system32\ntvdm.exe" -i1
  3588
- 4cyffNBgV9LsnVkncd4CV4aa.exe "C:\Users\Administrator\AppData\Roaming\4cyffNBgV9LsnVkncd4CV4aa.exe"
  3316

Name	Response	Post-Analysis Lookup
gwenetha.info	A 172.67.131.232 A 104.21.12.27	104.21.12.27
pastebin.com	A 104.23.99.190 A 104.23.98.190	104.23.98.190
iplogger.org	A 88.99.66.31	88.99.66.31
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233
whatitis.website

IP Address	Status	Action
104.21.12.27	Active	Moloch
104.23.99.190	Active	Moloch
162.159.129.233	Active	Moloch
162.159.135.233	Active	Moloch
164.124.101.2	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 7, 2021, 10:24 a.m.			0	0
IsDebuggerPresent April 7, 2021, 10:24 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Test\source\repos\Pastebin Payload\Pastebin Payload\obj\Release\Pastebin Payload.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 7, 2021, 10:24 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/gCyjHCCH
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826855866228670474/7525b875715555.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826198252025675816/826538114838298715/install_setupVPSfree.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://gwenetha.info/setup-KGQJ-1.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826469949593485312/file.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826531006563352596/Bussed_2021-03-30_21-01.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/826416818390040589/826540039764705360/7525b875713675d4ff0018cf084f493a4e4977de_2021-03-30_22-25.exe

Performs some HTTP requests (7 events)

request	GET https://pastebin.com/raw/gCyjHCCH
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826855866228670474/7525b875715555.exe
request	GET https://cdn.discordapp.com/attachments/826198252025675816/826538114838298715/install_setupVPSfree.exe
request	GET https://gwenetha.info/setup-KGQJ-1.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826469949593485312/file.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826531006563352596/Bussed_2021-03-30_21-01.exe
request	GET https://cdn.discordapp.com/attachments/826416818390040589/826540039764705360/7525b875713675d4ff0018cf084f493a4e4977de_2021-03-30_22-25.exe

Allocates read-write-execute memory (usually to unpack itself) (35 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a151000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a152000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01550000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00575000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00566000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 6816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3588 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3588 region_size: 106496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00110000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00111000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00112000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00113000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00114000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00115000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00116000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00117000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00118000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00119000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0011a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3588 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 327680 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00256000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 7, 2021, 10:24 a.m.	process_identifier: 3316 region_size: 593920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x017c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\Administrator\AppData\Roaming\4cyffNBgV9LsnVkncd4CV4aa.exe
file	C:\Users\Administrator\AppData\Roaming\jzwLhftDCiRb4N0AAnXY3Uil.exe

Drops a binary and executes it (2 events)

file	C:\Users\Administrator\AppData\Roaming\jzwLhftDCiRb4N0AAnXY3Uil.exe
file	C:\Users\Administrator\AppData\Roaming\4cyffNBgV9LsnVkncd4CV4aa.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\Administrator\AppData\Roaming\4cyffNBgV9LsnVkncd4CV4aa.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 7, 2021, 10:24 a.m.	flags: 15 family: 0		111	0

Checks for the presence of known windows from debuggers and forensic tools (1 event)

Time & API	Arguments	Status	Return	Repeated
FindWindowA April 7, 2021, 10:24 a.m.	class_name: ConsoleWindowClass window_name: ntvdm-e04.9f0.1f48	1	328378	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oII6b3RORKQErOiygvG5CHXpCu5ZZfQA				reg_value	C:\Users\Administrator\AppData\Roaming\jzwLhftDCiRb4N0AAnXY3Uil.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CY1WEEFbr6bcEg5O4FfjyeXgvc4r71yv				reg_value	C:\Users\Administrator\AppData\Roaming\4cyffNBgV9LsnVkncd4CV4aa.exe

Detects VirtualBox through the presence of a registry key (2 events)

registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers
registry	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\VirtualDeviceDrivers\VDD

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

DrWeb	Trojan.Siggen12.62789
MicroWorld-eScan	Gen:Variant.Bulz.406461
FireEye	Generic.mg.6be41709f8bfbf06
CAT-QuickHeal	Backdoor.Bladabindi
Qihoo-360	Win32/TrojanSpy.Raccoon.HgIASR0A
McAfee	RDN/Generic Downloader.x
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 004d40511 )
Alibaba	TrojanPSW:MSIL/Racealer.d036ce19
K7GW	Trojan-Downloader ( 004d40511 )
Cybereason	malicious.9f8bfb
Arcabit	Trojan.Bulz.D633BD
BitDefenderTheta	Gen:NN.ZemsilF.34670.am0@aaeyfup
Cyren	W32/Trojan.MEWZ-9122
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.BCI
APEX	Malicious
Avast	Win32:DropperX-gen [Drp]
Kaspersky	HEUR:Trojan-PSW.MSIL.Racealer.gen
BitDefender	Gen:Variant.Bulz.406461
Paloalto	generic.ml
AegisLab	Trojan.Win32.Bulz.4!c
Rising	Downloader.Agent!8.B23 (CLOUD)
Ad-Aware	Gen:Variant.Bulz.406461
Emsisoft	Trojan.Agent (A)
Comodo	Malware@#3tzfnsb5jcfa5
VIPRE	Win32.Malware!Drop
McAfee-GW-Edition	RDN/Generic Downloader.x
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Avira	TR/Dldr.Agent.zjrdy
MAX	malware (ai score=99)
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Downloader.vb
Microsoft	Trojan:Win32/Ymacco.AA00
ViRobot	Trojan.Win32.Z.Bulz.7680.AZ
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Racealer.gen
GData	Gen:Variant.Bulz.406461
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.UN.C4401427
VBA32	TScope.Trojan.MSIL
ALYac	Gen:Variant.Bulz.406461
Malwarebytes	Trojan.Downloader
TrendMicro-HouseCall	TROJ_GEN.R002H0CCV21
Yandex	Trojan.DL.Agent!lSIlTlp2Mck
Ikarus	Trojan.MSIL.Tiny
Fortinet	MSIL/Agent.BCI!tr
AVG	Win32:DropperX-gen [Drp]

china.png

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All