Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 12, 2021, 10:41 a.m.	April 12, 2021, 10:44 a.m.

Size	43.3KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`a7f014f4fe566e48e794b79661aef18e`
SHA256	`712c1077c77ff7e4f69fc4184c29b82b796fe0103204dd95b3a620cb64005ac8`
CRC32	`F6418DE2`
ssdeep	`768:5XBGhg2XVlqtbymWLGGfl/Gflvx/FIwJGun51uvZS8rhu:5XBGhRXVlqtBgZS8U`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) HasOverlay - Overlay Check

mazx.exe "C:\Users\test22\AppData\Local\Temp\mazx.exe"
8564

Name	Response	Post-Analysis Lookup
asdcqwdwqx.gq	A 172.67.160.253 A 104.21.15.11	104.21.15.11

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
172.67.160.253	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA April 12, 2021, 10:41 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 12, 2021, 10:41 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 12, 2021, 10:41 a.m.			0	0
IsDebuggerPresent April 12, 2021, 10:41 a.m.			0	0
IsDebuggerPresent April 12, 2021, 10:41 a.m.			0	0
IsDebuggerPresent April 12, 2021, 10:41 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 12, 2021, 10:41 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2C22351F713CEE29DFD4FCCADD4D4364.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A8DBD5B040DB5405A655876B8B321043.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E605B6C9826FFAFDD6E622A660B7F5DA.html

Performs some HTTP requests (3 events)

request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2C22351F713CEE29DFD4FCCADD4D4364.html
request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A8DBD5B040DB5405A655876B8B321043.html
request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E605B6C9826FFAFDD6E622A660B7F5DA.html

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2021, 10:41 a.m.	process_identifier: 8564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 12, 2021, 10:41 a.m.	flags: 15 family: 0		111	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.36617220
FireEye	Generic.mg.a7f014f4fe566e48
CAT-QuickHeal	Trojan.Agenttesla
ALYac	Trojan.GenericKD.36617220
Cylance	Unsafe
Zillya	Downloader.Agent.Win32.432125
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 00579fb51 )
Alibaba	TrojanDownloader:MSIL/AgentTesla.66022acf
K7GW	Trojan-Downloader ( 00579fb51 )
Cybereason	malicious.fff679
Arcabit	Trojan.Generic.D22EBC04
BitDefenderTheta	Gen:NN.ZemsilF.34670.cm1@ae3k7ej
Cyren	W32/MSIL_Kryptik.DNB.gen!Eldorado
Symantec	Trojan Horse
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.HRD
TrendMicro-HouseCall	Backdoor.MSIL.AGENSLA.USMAND221
Avast	Win32:DangerousSig [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.36617220
NANO-Antivirus	Trojan.Win32.Agensla.itklpm
Paloalto	generic.ml
Tencent	Win32.Trojan.Inject.Auto
Ad-Aware	Trojan.GenericKD.36617220
Sophos	Mal/Generic-S
Comodo	Malware@#kesjxy531p6y
DrWeb	Trojan.DownLoader38.19635
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	RDN/Generic Downloader.x
Emsisoft	Trojan.GenericKD.36617220 (B)
APEX	Malicious
Jiangmin	Trojan.PSW.MSIL.bkmh
Avira	TR/Dldr.Agent.hrkgm
MAX	malware (ai score=100)
Kingsoft	Win32.Heur.KVM019.a.(kcloud)
Gridinsoft	Trojan.Win32.Agent.oa
Microsoft	TrojanDownloader:MSIL/AgentTesla.QV!MTB
AegisLab	Trojan.MSIL.Agensla.i!c
GData	Trojan.GenericKD.36617220
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Kryptik.C4399405
McAfee	RDN/Generic Downloader.x
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.MalPack
Ikarus	Trojan-Downloader.MSIL.Agent
Rising	Downloader.Agent!8.B23 (CLOUD)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.74499699.susgen
Fortinet	MSIL/Agent.HQY!tr.dldr

mazx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All