Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 3, 2021, 9:18 a.m.	July 3, 2021, 9:25 a.m.

Size	59.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`d83c2c4caf2fa8d32233d0cbc4322782`
SHA256	`371721d174fb4da7167a64d2469b8b9c4f9c4da386a7ef3a2d9da94b771755c7`
CRC32	`6002636C`
ssdeep	`1536:kPyiaKt76CYnXw6/cVkpOih1fcQJHH9sj5KGtRsc4L0u:oZYnXos1fci9skK/4L0u`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

file10.exe "C:\Users\test22\AppData\Local\Temp\file10.exe"
8452

Name	Response	Post-Analysis Lookup
d2js2viceajwla.cloudfront.net	AAAA 2600:9000:2139:9200:11:6feb:6f80:93a1 AAAA 2600:9000:2139:ae00:11:6feb:6f80:93a1 AAAA 2600:9000:2139:f600:11:6feb:6f80:93a1 AAAA 2600:9000:2139:c000:11:6feb:6f80:93a1 AAAA 2600:9000:2139:9000:11:6feb:6f80:93a1 AAAA 2600:9000:2139:4400:11:6feb:6f80:93a1 AAAA 2600:9000:2139:7c00:11:6feb:6f80:93a1 AAAA 2600:9000:2139:ec00:11:6feb:6f80:93a1	99.86.202.23
aus.thunderbird.net	A 99.86.202.67 A 99.86.202.75 A 99.86.202.125 A 99.86.202.23 CNAME d2js2viceajwla.cloudfront.net	99.86.202.75
kakosidobrosam.gq	A 104.21.67.197 A 172.67.180.37	172.67.180.37
prod.balrog.prod.cloudops.mozgcp.net	A 35.244.181.201	35.244.181.201
d2js2viceajwla.cloudfront.net	A 99.86.202.67 A 99.86.202.125 A 99.86.202.23 A 99.86.202.75	99.86.202.23
aus5.mozilla.org	A 35.244.181.201 CNAME balrog-aus5.r53-2.services.mozilla.com CNAME prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201
prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201

IP Address	Status	Action
104.21.67.197	Active	Moloch
164.124.101.2	Active	Moloch
35.244.181.201	Active	Moloch
99.86.144.100	Active	Moloch
99.86.144.46	Active	Moloch
99.86.144.61	Active	Moloch
99.86.144.82	Active	Moloch
99.86.202.125	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:50201 -> 164.124.101.2:53	2025104	ET INFO DNS Query for Suspicious .gq Domain	Potentially Bad Traffic
TCP 192.168.56.102:49321 -> 104.21.67.197:443	2025108	ET INFO Suspicious Domain (*.gq) in TLS SNI	Potentially Bad Traffic
TCP 192.168.56.102:49321 -> 104.21.67.197:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49321 104.21.67.197:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a2:99:7f:61:26:e9:24:3e:96:d0:98:83:eb:e0:35:eb:07:a8:19:f8
TLS 1.2 192.168.56.102:49323 99.86.202.125:443	C=US, O=Let's Encrypt, CN=R3	CN=thunderbird.net	dd:92:a0:f3:c5:f2:3a:c7:42:66:30:75:8a:b3:b3:03:6b:8c:df:9d
TLS 1.2 192.168.56.102:49324 35.244.181.201:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=California, L=Mountain View, O=Mozilla Corporation, CN=aus5.mozilla.org	37:1a:8a:6e:ae:e7:b7:ae:1f:a9:c0:87:53:e5:a0:94:ef:0b:de:0c

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 3, 2021, 9:18 a.m.			0	0
IsDebuggerPresent July 3, 2021, 9:18 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 3, 2021, 9:18 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 3, 2021, 9:18 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x70501194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x703d2ba1 mscorlib+0x2f45b0 @ 0x6f5a45b0 mscorlib+0x2f73b5 @ 0x6f5a73b5 mscorlib+0x2eeaf8 @ 0x6f59eaf8 mscorlib+0x2eea8f @ 0x6f59ea8f 0x745dca 0x7400d4 0x740076 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7036264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70362e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x704174ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70417610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x704a1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x704a1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x704a1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x704a416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x729af5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73727f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73724de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1829868 registers.edi: 0 registers.eax: 1829868 registers.ebp: 1829948 registers.edx: 0 registers.ebx: 6016112 registers.esi: 5349784 registers.ecx: 728193784	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 3, 2021, 9:18 a.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x70501194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x703d2ba1
mscorlib+0x2f45b0 @ 0x6f5a45b0
mscorlib+0x2f73b5 @ 0x6f5a73b5
mscorlib+0x2eeaf8 @ 0x6f59eaf8
mscorlib+0x2eea8f @ 0x6f59ea8f
0x745dca
0x7400d4
0x740076
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7036264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x70362e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x704174ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x70417610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x704a1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x704a1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x704a1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x704a416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x729af5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73727f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73724de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1829868
registers.edi: 0
registers.eax: 1829868
registers.ebp: 1829948
registers.edx: 0
registers.ebx: 6016112
registers.esi: 5349784
registers.ecx: 728193784

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C01EC4A57619A16E6AEAA0F47B55BDA9.html
suspicious_features	GET method with no useragent header	suspicious_request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C4A8B2A795B9148BEAA8D315AA468649.html
suspicious_features	GET method with no useragent header	suspicious_request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B70EB8889C1E5B3277197714B6942614.html
suspicious_features	GET method with no useragent header	suspicious_request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4BE99CBE54A285D972B1192483666889.html
suspicious_features	GET method with no useragent header	suspicious_request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-885F730E823499F80A764E9EC20A7875.html

Performs some HTTP requests (5 events)

request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C01EC4A57619A16E6AEAA0F47B55BDA9.html
request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C4A8B2A795B9148BEAA8D315AA468649.html
request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B70EB8889C1E5B3277197714B6942614.html
request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4BE99CBE54A285D972B1192483666889.html
request	GET https://kakosidobrosam.gq/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-885F730E823499F80A764E9EC20A7875.html

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70351000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70352000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00741000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00746000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 3, 2021, 9:18 a.m.	process_identifier: 8452 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 3, 2021, 9:18 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000e400', u'virtual_address': u'0x00002000', u'entropy': 7.456477634475075, u'name': u'.text', u'virtual_size': u'0x0000e3f4'}

entropy

7.45647763448

description

A section with a high entropy has been found

entropy

0.966101694915

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (4 events)

host	99.86.144.100
host	99.86.144.46
host	99.86.144.61
host	99.86.144.82

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.d83c2c4caf2fa8d3
McAfee	Artemis!D83C2C4CAF2F
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:MSIL/Kryptik.799a8347
CrowdStrike	win/malicious_confidence_100% (W)
BitDefenderTheta	Gen:NN.ZemsilF.34790.dm0@airtctmi
Cyren	W32/MSIL_Kryptik.ECN.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.IFL
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Emsisoft	Trojan.Crypt (A)
McAfee-GW-Edition	Artemis!Trojan
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Bomitag.D!ml
AegisLab	Trojan.MSIL.Stealer.l!c
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Cynet	Malicious (score: 100)
Malwarebytes	Trojan.Crypt.MSIL.Generic
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_92%
Fortinet	MSIL/Agent.IFL!tr.dldr
Cybereason	malicious.90782d
Qihoo-360	HEUR/QVM03.0.531B.Malware.Gen

file10.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All