Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 30, 2021, 5:56 p.m.	April 30, 2021, 6:12 p.m.

Size	220.8KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`fd0e7153869bad651ae4ae4f1dbef3da`
SHA256	`37f96df377557cad9bdb2caa4064bbf4dd862e935a64e1d802d445358695e15c`
CRC32	`9A44E8A7`
ssdeep	`3072:X/tXBuDm4Diw4GUZN7u1NPa5y7V6BRxA4J71pUofS8ypYAxBWA3VcuVdxrz80Qez:X/KbORIaQHuA36cdx8Vf1YGKz+vChG+`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description) Win_Trojan_AgentTesla_IN_Zero - Win Trojan AgentTesla

IMG_0540001825.exe C:\Users\test22\AppData\Local\Temp\IMG_0540001825.exe
2300

Name	Response	Post-Analysis Lookup
5azc.club

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA April 30, 2021, 6:10 p.m.	computer_name: TEST22-PC	1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 30, 2021, 6:11 p.m.	stacktrace: img_0540001825+0x1e87d @ 0x41e87d img_0540001825+0x1e94c @ 0x41e94c img_0540001825+0x1eba0 @ 0x41eba0 img_0540001825+0x1ec51 @ 0x41ec51 img_0540001825+0x2109d @ 0x42109d img_0540001825+0x21429 @ 0x421429 img_0540001825+0x7128 @ 0x407128 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 3871308 registers.edi: 0 registers.eax: 3871392 registers.ebp: 3871968 registers.edx: 3871932 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 2431048	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 30, 2021, 6:11 p.m.

stacktrace:

img_0540001825+0x1e87d @ 0x41e87d
img_0540001825+0x1e94c @ 0x41e94c
img_0540001825+0x1eba0 @ 0x41eba0
img_0540001825+0x1ec51 @ 0x41ec51
img_0540001825+0x2109d @ 0x42109d
img_0540001825+0x21429 @ 0x421429
img_0540001825+0x7128 @ 0x407128
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.esp: 3871308
registers.edi: 0
registers.eax: 3871392
registers.ebp: 3871968
registers.edx: 3871932
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 2431048

Steals private information from local Internet browsers (1 event)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00030800', u'virtual_address': u'0x00002000', u'entropy': 7.944209506995661, u'name': u'.text', u'virtual_size': u'0x00030647'}

entropy

7.944209507

description

A section with a high entropy has been found

entropy

0.912941176471

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://discord.com/

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

MicroWorld-eScan	Gen:Variant.Bulz.454970
FireEye	Generic.mg.fd0e7153869bad65
McAfee	GenericRXOJ-UR!FD0E7153869B
Cylance	Unsafe
Alibaba	Backdoor:MSIL/Kryptik.d3a8083f
Arcabit	Trojan.Bulz.D6F13A
BitDefenderTheta	Gen:NN.ZemsilF.34686.nm1@a0A!IYi
Cyren	W32/MSIL_Kryptik.EBW.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AAQQ
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.MSIL.Bladabindi.gen
BitDefender	Gen:Variant.Bulz.454970
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Gen:Variant.Bulz.454970
Emsisoft	Trojan.Crypt (A)
DrWeb	Trojan.PackedNET.691
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
APEX	Malicious
MAX	malware (ai score=88)
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Backdoor.MSIL.Bladabindi.gen
GData	Gen:Variant.Bulz.454970
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Kryptik.C4443843
ALYac	Gen:Variant.Bulz.454970
Malwarebytes	Trojan.MalPack.MSIL
Ikarus	Trojan.Inject
Rising	Backdoor.Bladabindi!8.B1F (CLOUD)
SentinelOne	Static AI - Suspicious PE
eGambit	PE.Heur.InvalidSig
Fortinet	MSIL/Kryptik.AAQQ!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:PWSX-gen [Trj]

IMG_0540001825.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All