Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 12, 2021, 12:05 p.m.	May 12, 2021, 12:11 p.m.

Size	73.4KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`aa94a9e0f856bbe5195e5e721fe8b532`
SHA256	`c58c208bdc377b3cf83c446caa363113ac3c57a86fff19e5a5fdfd141c5eeea7`
CRC32	`F12CA7B3`
ssdeep	`1536:VwAv1gfhXAufYqCen9obUfCAOJVM9wjtvHw3uO7VesieQAKGqtbieQAKdh9Nu:VwDfZrobYdktvQ3N73QAWQA+G`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

mobii.txt "C:\Users\test22\AppData\Local\Temp\mobii.txt"
3576

Name	Response	Post-Analysis Lookup
ldvamlwhdpetnyn.ml	A 172.67.208.174 A 104.21.85.176	172.67.208.174

IP Address	Status	Action
104.21.85.176	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:57660 -> 164.124.101.2:53	2025106	ET INFO DNS Query for Suspicious .ml Domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 12, 2021, 12:05 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 12, 2021, 12:05 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 12, 2021, 12:05 p.m.			0	0
IsDebuggerPresent May 12, 2021, 12:05 p.m.			0	0
IsDebuggerPresent May 12, 2021, 12:05 p.m.			0	0
IsDebuggerPresent May 12, 2021, 12:05 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey May 12, 2021, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064bd30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064bd70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2021, 12:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064bd70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 12, 2021, 12:05 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7D77BFB8D680A99A3DEC3EF11B63CBC1.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-00C6707A4C3680722D987A5BB7114B0B.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-307E578725C4F3AA44F824BA2753FDB2.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-16116FCB016B7CAA5050F3DB0E637327.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E2304DCD5B5C3352E705442E9DABC84C.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EEC279DBCBA0C0CE17E741F5C0B1F0BE.html
suspicious_features	GET method with no useragent header	suspicious_request	GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E81034F64EBA344DC31E3E3D72E849B5.html

Performs some HTTP requests (7 events)

request	GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-7D77BFB8D680A99A3DEC3EF11B63CBC1.html
request	GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-00C6707A4C3680722D987A5BB7114B0B.html
request	GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-307E578725C4F3AA44F824BA2753FDB2.html
request	GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-16116FCB016B7CAA5050F3DB0E637327.html
request	GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E2304DCD5B5C3352E705442E9DABC84C.html
request	GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-EEC279DBCBA0C0CE17E741F5C0B1F0BE.html
request	GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E81034F64EBA344DC31E3E3D72E849B5.html

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02040000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02200000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00475000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00466000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2021, 12:05 p.m.	process_identifier: 3576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 12, 2021, 12:05 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000de00', u'virtual_address': u'0x00002000', u'entropy': 6.812300408715494, u'name': u'.text', u'virtual_size': u'0x0000ddc4'}

entropy

6.81230040872

description

A section with a high entropy has been found

entropy

0.965217391304

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.aa94a9e0f856bbe5
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.7baba4
BitDefenderTheta	Gen:NN.ZemsilCO.34688.em2@amPIufki
Cyren	W32/MSIL_Kryptik.ECN.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.HVI
APEX	Malicious
Cynet	Malicious (score: 100)
McAfee-GW-Edition	PWS-FCYO!AA94A9E0F856
SentinelOne	Static AI - Malicious PE
eGambit	PE.Heur.InvalidSig
Avira	HEUR/AGEN.1142886
Microsoft	Trojan:Win32/Wacatac.B!ml
McAfee	PWS-FCYO!AA94A9E0F856
Malwarebytes	Trojan.Downloader.MSIL
Rising	Downloader.Agent!8.B23 (CLOUD)
Yandex	Trojan.Agent!jemwtb+HDpM
Ikarus	Trojan.Inject
Fortinet	MSIL/Agent.HVC!tr.dldr

mobii.txt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All