Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 12, 2021, 10:14 a.m.	May 12, 2021, 10:19 a.m.

Size	34.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b84fafbb835c20e62de5a658cf6dc0c1`
SHA256	`2a479e0b285c52427f3c318b26ff02e82b205d85c6567956fa6eeae1ab8be235`
CRC32	`ACFC1A09`
ssdeep	`384:wviqseb+7lVKFLEF7HgcGH3gVQT1H6LP3lBYp7JI8Ed+4lBxSXDSX6SXhgSXSSXd:yF+WLNXQWZHoVeNEYehFJaH4x0n`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

silenthill.txt "C:\Users\test22\AppData\Local\Temp\silenthill.txt"
2444

Name	Response	Post-Analysis Lookup
asdcqwdwqx.gq	A 172.67.160.253 A 104.21.15.11	104.21.15.11

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.160.253	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:62324 -> 164.124.101.2:53	2025104	ET INFO DNS Query for Suspicious .gq Domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 12, 2021, 10:14 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 12, 2021, 10:14 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 12, 2021, 10:14 a.m.			0	0
IsDebuggerPresent May 12, 2021, 10:14 a.m.			0	0
IsDebuggerPresent May 12, 2021, 10:14 a.m.			0	0
IsDebuggerPresent May 12, 2021, 10:14 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey May 12, 2021, 10:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 10:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 10:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00622ad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 12, 2021, 10:14 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4F49A96AC6F3B36D6E19FA3DABB14F81.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EB86A9B74641CA3C83702B5FFCF938E0.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EAB9BAFC5F7E9E82AE180EFDAD75575B.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-63760867A0A2BA86953BF4C49B3AC736.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-07E38B691A0D0DF5A4AA5DD7D917D1BC.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-D7A739907814AA27BE574C07BC8A5CAC.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7A0F151B9D6915262056ECB168561B23.html

Performs some HTTP requests (7 events)

request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4F49A96AC6F3B36D6E19FA3DABB14F81.html
request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EB86A9B74641CA3C83702B5FFCF938E0.html
request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EAB9BAFC5F7E9E82AE180EFDAD75575B.html
request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-63760867A0A2BA86953BF4C49B3AC736.html
request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-07E38B691A0D0DF5A4AA5DD7D917D1BC.html
request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-D7A739907814AA27BE574C07BC8A5CAC.html
request	GET http://asdcqwdwqx.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7A0F151B9D6915262056ECB168561B23.html

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00800000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 10:14 a.m.	process_identifier: 2444 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 12, 2021, 10:14 a.m.	flags: 15 family: 0		111	0

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Bulz.421856
FireEye	Generic.mg.b84fafbb835c20e6
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
ALYac	Gen:Variant.Bulz.421856
Malwarebytes	Trojan.PCrypt.MSIL.Generic
Sangfor	Trojan.Win32.Save.a
Cyren	W32/MSIL_Kryptik.ECN.gen!Eldorado
Symantec	Downloader.Trojan
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.HRK
APEX	Malicious
BitDefender	Gen:Variant.Bulz.421856
Ad-Aware	Gen:Variant.Bulz.421856
Emsisoft	Trojan-Downloader.Agent (A)
DrWeb	Trojan.DownloaderNET.155
McAfee-GW-Edition	PWS-FCSR!B84FAFBB835C
Ikarus	Trojan.MSIL.Inject
Avira	HEUR/AGEN.1142853
Microsoft	Trojan:MSIL/Agensla.GC!MTB
GData	Gen:Variant.Bulz.421856
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Generic.R417060
McAfee	PWS-FCSR!B84FAFBB835C
MAX	malware (ai score=82)
Rising	Downloader.Agent!1.D296 (CLOUD)
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Agent.HSA!tr.dldr
BitDefenderTheta	Gen:NN.ZemsilF.34688.cm0@a0AfOali

silenthill.txt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All