Summary | ZeroBOX

4bd5e746e9329d8ab41a7d4fbbc91dc9.exe

Tags: AsyncRAT, Generic Malware, GIF Format, .NET DLL, PE File, DLL, PE32
Category: FILE
Machine: s1_win7_x6401
Started: June 3, 2021, 8:54 p.m.
Completed: June 3, 2021, 9:04 p.m.
Size 1.1MB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 a4c547cfac944ad816edf7c54bb58c5c
SHA256 2f158fe98389b164103a1c3aac49e10520dfd332559d64a546b65af7ef00cd5f
CRC32 D6FBA36B
ssdeep 24576:TGgoe5Q0nyofLPeHy2sjv7myfXrNXbjFveqqb:KwQ0nyoz3tvHLleBb
Yara
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)

IP Address Status Action
104.21.21.221 Active Moloch
164.124.101.2 Active Moloch
172.67.200.215 Active Moloch
198.13.62.186 Active Moloch
208.95.112.1 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49204 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.101:49204 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.101:49204 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.101:49204 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
packer Armadillo v1.71
suspicious_features: POST method with no referer header; suspicious_request: POST http://iw.gamegame.info/report7.4.php
suspicious_features: POST method with no referer header; suspicious_request: POST http://ol.gamegame.info/report7.4.php
request GET http://ip-api.com/json/?fields=8198
request POST http://iw.gamegame.info/report7.4.php
request POST http://ol.gamegame.info/report7.4.php
request POST http://iw.gamegame.info/report7.4.php
request POST http://ol.gamegame.info/report7.4.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10002000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d40000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73771000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ca1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b94000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c81000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 596
region_size: 1179648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02050000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 596
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02130000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 596
region_size: 1052672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02260000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 596
region_size: 376832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00430000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72af1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76891000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75111000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75241000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 596
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74f41000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 596
region_size: 307200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00af0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13724893184
free_bytes_available: 13724893184
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
domain ip-api.com
file C:\Users\test22\AppData\Local\Temp\install.dll
file C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file C:\Users\test22\AppData\Local\Temp\Newtonsoft.Json.dll
file C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file C:\Users\test22\AppData\Local\Temp\install.dll.lnk
file C:\Users\test22\AppData\Local\Temp\install.dll
file C:\Users\test22\AppData\Local\Temp\Newtonsoft.Json.dll
process rundll32.exe
Time & API Arguments Status Return Repeated

RegSetValueExW

key_handle: 0x00000124
regkey_r: 1
reg_type: 3 (REG_BINARY)
value: (REG_BINARY blob omitted)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{LJU50KX1-5I52-VT6Q-WSWM-U2Z9XL21ZV61}\1
1 0 0
Bkav W32.AIDetect.malware1
MicroWorld-eScan Trojan.GenericKD.36999918
FireEye Trojan.GenericKD.36999918
McAfee Artemis!A4C547CFAC94
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0057d44c1 )
Alibaba Trojan:Win32/GenKryptik.56b871bb
K7GW Trojan ( 0057d44c1 )
CrowdStrike win/malicious_confidence_80% (W)
Arcabit Trojan.Generic.D23492EE
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/GenKryptik.FFZO
TrendMicro-HouseCall TrojanSpy.Win32.GENKRYPTIK.USMANEU21
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Injector.gen
BitDefender Trojan.GenericKD.36999918
Avast FileRepMalware
Ad-Aware Trojan.GenericKD.36999918
Sophos Mal/Generic-S
F-Secure Trojan.TR/AD.Inject.dmret
DrWeb Trojan.PWS.Stealer.30513
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.GENKRYPTIK.USMANEU21
McAfee-GW-Edition Artemis!Trojan
Emsisoft Trojan.GenericKD.36999918 (B)
APEX Malicious
Avira TR/AD.Inject.dmret
MAX malware (ai score=81)
Microsoft Trojan:Win32/Vigorf.A
AegisLab Trojan.Win32.Generic.4!c
ZoneAlarm HEUR:Trojan.Win32.Injector.gen
GData Trojan.GenericKD.36999918
Cynet Malicious (score: 99)
AhnLab-V3 Trojan/Win.Generic.R423337
ALYac Trojan.GenericKD.46383033
Malwarebytes Malware.AI.3526486289
Rising Trojan.GenKryptik!8.AA55 (CLOUD)
Ikarus Trojan.Win32.Krypt
Fortinet W32/GenKryptik.FFZO!tr
AVG FileRepMalware
Panda Trj/CI.A