Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 11, 2021, 12:06 p.m.	June 11, 2021, 12:08 p.m.

Size	43.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`a8bad974ed7bdca87535e3676de4f48d`
SHA256	`1b3f3c97db594417cdb5a16a94b730768d922e92d848be4e5adcd778668a04c9`
CRC32	`0E918974`
ssdeep	`384:8ehsYKGBws6MRYWMEI7TXkBqcxq4J6ZLfNpvwEwq6uxnca9VZJMcwq6uEiYskBVU:8LsRWA9xq26ZrncoJsgn`
PDB Path	C:\Users\Administrator\Desktop\PassPrm\obj\Debug\PassPrm.pdb
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

PassPrm.exe "C:\Users\test22\AppData\Local\Temp\PassPrm.exe"
112

Name	Response	Post-Analysis Lookup
matix.cf

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:55450 -> 164.124.101.2:53	2025107	ET INFO DNS Query for Suspicious .cf Domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 11, 2021, 12:06 p.m.			0	0
IsDebuggerPresent June 11, 2021, 12:06 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Desktop\PassPrm\obj\Debug\PassPrm.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 11, 2021, 12:06 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (22 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71fb2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 11, 2021, 12:06 p.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

PassPrm.exe tried to sleep 150 seconds, actually delayed analysis time by 150 seconds

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 11, 2021, 12:06 p.m.	flags: 15 family: 0		111	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

MicroWorld-eScan	Trojan.GenericKD.46358460
FireEye	Trojan.GenericKD.46358460
CAT-QuickHeal	Trojan.MSIL
McAfee	RDN/Generic.rp
Cylance	Unsafe
Zillya	Trojan.Injuke.Win32.20467
Sangfor	Trojan.MSIL.Injuke.gen
Alibaba	Trojan:Win32/Injuke.54c9e919
Arcabit	Trojan.Generic.D2C35FBC
Cyren	W32/Trojan.NVMV-9222
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Generik.FLBDJTL
APEX	Malicious
Avast	Win32:Trojan-gen
Kaspersky	HEUR:Trojan.MSIL.Injuke.gen
BitDefender	Trojan.GenericKD.46358460
NANO-Antivirus	Trojan.Win32.Injuke.ivresi
Paloalto	generic.ml
AegisLab	Trojan.MSIL.Injuke.4!c
Tencent	Msil.Trojan.Injuke.Lorq
Ad-Aware	Trojan.GenericKD.46358460
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0PET21
McAfee-GW-Edition	RDN/Generic.rp
Emsisoft	Trojan.GenericKD.46358460 (B)
Jiangmin	Trojan.MSIL.aabpc
Avira	TR/Redcap.sasln
Microsoft	Trojan:Win32/Woreflint.A!cl
GData	Trojan.GenericKD.46358460
Cynet	Malicious (score: 99)
MAX	malware (ai score=84)
VBA32	TScope.Trojan.MSIL
Malwarebytes	Malware.AI.28357507
TrendMicro-HouseCall	TROJ_GEN.R002C0PET21
Ikarus	Trojan.SuspectCRC
Fortinet	PossibleThreat
MaxSecure	Trojan.Malware.74181957.susgen
AVG	Win32:Trojan-gen
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)

PassPrm.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All