Summary | ZeroBOX

Client-built.exe

Generic Malware PWS PE32 .NET EXE PE File
Category: FILE
Machine: s1_win7_x6402
Started: July 6, 2021, 9:13 a.m.
Completed: July 6, 2021, 9:24 a.m.
Size: 349.0KB
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 4c35b1756289e507682aa375acda9978
SHA256: 35ff4deae0c490da9ad29de5ebdfd852e4ef514987598e826921bee6da5edc77
CRC32: 36175125
ssdeep: 6144:vKMJx4pweP7kJS3iwwGuIp7zWRPtr6nvPv6xWinKbxocOYKlFUtEM5zkq9N:vKoSznnv6MinPrFUtEM5Qq9N
Yara
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

IP Address Status Action
142.250.204.99 Active Moloch
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
208.95.112.1 Active Moloch
34.104.35.123 Active Moloch

Suricata Alerts

Flow: TCP 192.168.56.102:49809 -> 142.250.204.99:443
SID: 906200022
Signature: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category: undefined

Flow: TCP 34.104.35.123:80 -> 192.168.56.102:49811
SID: 2018959
Signature: ET POLICY PE EXE or DLL Windows file download HTTP
Category: Potential Corporate Privacy Violation

Flow: TCP 34.104.35.123:80 -> 192.168.56.102:49811
SID: 2014520
Signature: ET INFO EXE - Served Attached HTTP
Category: Misc activity

Flow: TCP 192.168.56.102:49812 -> 208.95.112.1:80
SID: 2022082
Signature: ET POLICY External IP Lookup ip-api.com
Category: Device Retrieving External IP Address Detected

Flow: TCP 34.104.35.123:80 -> 192.168.56.102:49811
SID: 2015744
Signature: ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Category: Misc activity

Suricata TLS

Flow: TLS 1.2 192.168.56.102:49809 -> 142.250.204.99:443
Issuer: C=US, O=Google Trust Services, CN=GTS CA 1O1
Subject: C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com
Fingerprint: 93:fa:f9:a9:e2:b2:78:60:e7:0a:4f:ea:4d:dc:39:34:4b:5b:39:e5

Time & API Arguments Status Return Repeated

GetComputerNameW
computer_name: TEST22-PC
status: 1  return: 1  repeated: 0

IsDebuggerPresent
0 0

IsDebuggerPresent
0 0

WriteConsoleW
buffer: SUCCESS: The scheduled task "Windows Defender" has successfully been created.
console_handle: 0x00000007
status: 1  return: 1  repeated: 0

GlobalMemoryStatusEx
status: 1  return: 1  repeated: 0
suspicious_features: POST method with no referer header
suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:3189466841&cup2hreq=8da3bd52bf51348db8b2f9beef77253575709e1202bdde10270392b5354e1752

request: HEAD http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request: GET http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request: GET http://ip-api.com/json/
request: POST https://update.googleapis.com/service/update2?cup2key=10:3189466841&cup2hreq=8da3bd52bf51348db8b2f9beef77253575709e1202bdde10270392b5354e1752
request: POST https://update.googleapis.com/service/update2?cup2key=10:3189466841&cup2hreq=8da3bd52bf51348db8b2f9beef77253575709e1202bdde10270392b5354e1752
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 8920
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 8920
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00750000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 8920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f501000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 8920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f502000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 8920
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a50000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 8920
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00bc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 8920
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00522000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 8920
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00595000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 8920
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0059b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 8920
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00597000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 8920
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 8920
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 8920
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 8920
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00586000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
domain ip-api.com
host 142.250.204.99
host 172.217.25.14
Elastic malicious (high confidence)
MicroWorld-eScan Generic.MSIL.PasswordStealerA.5C6358E6
CAT-QuickHeal Trojan.MsilFC.S19436435
Qihoo-360 Win32/Backdoor.Quasar.HwMAYkAA
ALYac Generic.MSIL.PasswordStealerA.5C6358E6
Cylance Unsafe
Zillya Trojan.Agent.Win32.860617
Sangfor Win.Malware.Generic-6623004-0
K7AntiVirus Trojan ( 00521dab1 )
Alibaba Backdoor:MSIL/Quasar.9ce282be
K7GW Trojan ( 00521dab1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Generic.MSIL.PasswordStealerA.5C6358E6
Cyren W32/MSIL_Mintluks.A.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Spy.Agent.AES
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Generic-6623004-0
Kaspersky HEUR:Trojan-Spy.MSIL.Generic
BitDefender Generic.MSIL.PasswordStealerA.5C6358E6
SUPERAntiSpyware Trojan.Agent/Gen-PasswordStealer
Avast MSIL:Rat-B [Trj]
Tencent Msil.Trojan-spy.Generic.Pdmj
Ad-Aware Generic.MSIL.PasswordStealerA.5C6358E6
Emsisoft Generic.MSIL.PasswordStealerA.5C6358E6 (B)
F-Secure Heuristic.HEUR/AGEN.1135947
DrWeb BackDoor.Quasar.1
VIPRE Trojan.Win32.Generic!BT
TrendMicro TSPY_TINCLEX.SM1
McAfee-GW-Edition BehavesLike.Win32.Generic.fh
FireEye Generic.mg.4c35b1756289e507
Sophos Mal/Generic-R + Troj/NanoCor-BT
Ikarus Trojan.MSIL.Spy
Webroot W32.Gen.BT
Avira HEUR/AGEN.1135947
Antiy-AVL Trojan/Generic.ASMalwS.1B7B1E3
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Backdoor:MSIL/Quasar.GG!MTB
ZoneAlarm HEUR:Trojan-Spy.MSIL.Generic
GData Generic.MSIL.PasswordStealerA.5C6358E6
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Inject.C1531898
Acronis suspicious
McAfee GenericRXAG-LA!4C35B1756289
MAX malware (ai score=89)
VBA32 TScope.Trojan.MSIL
Malwarebytes Generic.Trojan.Dropper.DDS
TrendMicro-HouseCall TSPY_TINCLEX.SM1
Rising Backdoor.XRat!1.D01D (CLASSIC)