Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 30, 2021, 10:28 a.m.	July 30, 2021, 10:41 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`096fc2ac3b2337b2293a9f64a8bc06c7`
SHA256	`d632932299301c0e00fb74d348ebca88a6a5d0636abbe4994c9a0c7dc6e8ecfa`
CRC32	`679DF985`
ssdeep	`12288:qkuptkoPRJ832h4dYSfXJVV9LaNezOqro0LAemY1cPPXPwW2PCxBalUENp0sVUE:qkA83V97V9sezlrozY17Nv`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult IsPE32 - (no description) Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

0GTTI98V0N.exe "C:\Users\test22\AppData\Local\Temp\0GTTI98V0N.exe"
2216

Name	Response	Post-Analysis Lookup
duckyu.biz	A 178.208.83.29	178.208.83.29
freegeoip.app	A 104.21.19.200 A 172.67.188.154	104.21.19.200
api.my-ip.io	A 157.245.5.40	157.245.5.40

IP Address	Status	Action
157.245.5.40	Active	Moloch
164.124.101.2	Active	Moloch
172.67.188.154	Active	Moloch
178.208.83.29	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:54056 -> 164.124.101.2:53	2027863	ET INFO Observed DNS Query to .biz TLD	Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 178.208.83.29:80	2029754	ET HUNTING Suspicious GET Request with Possible COVID-19 URI M2	Potentially Bad Traffic
TCP 192.168.56.101:49201 -> 172.67.188.154:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49203 -> 157.245.5.40:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49201 172.67.188.154:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	b4:1d:91:d8:54:ad:34:b6:35:88:c9:90:a4:e5:95:8d:b0:d1:ec:05
TLSv1 192.168.56.101:49203 157.245.5.40:443	C=US, O=Let's Encrypt, CN=R3	CN=my-ip.io	b3:dc:f4:67:05:b9:90:dd:97:12:85:19:f9:4e:a1:95:0b:15:ee:08

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 30, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 30, 2021, 10:29 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 30, 2021, 10:28 a.m.			0	0
IsDebuggerPresent July 30, 2021, 10:28 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 30, 2021, 10:28 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 30, 2021, 10:30 a.m.	stacktrace: 0x7fe91e82cc8 0x7fe91e82758 0x7fe91e65377 0x7fe91e64f14 mscorlib+0x53407e @ 0x7fef02d407e mscorlib+0x4ef8a5 @ 0x7fef028f8a5 mscorlib+0x4ef609 @ 0x7fef028f609 mscorlib+0x533e55 @ 0x7fef02d3e55 mscorlib+0x533c75 @ 0x7fef02d3c75 mscorlib+0x49b82a @ 0x7fef023b82a CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef136f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef136f242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef136f30b DestroyAssemblyConfigCookie+0x2123d PreBindAssembly-0x613 clr+0x1027c1 @ 0x7fef14227c1 DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef1416d80 DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef1416d0e DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef1416c85 DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef1416dbb DestroyAssemblyConfigCookie+0x211a4 PreBindAssembly-0x6ac clr+0x102728 @ 0x7fef1422728 DestroyAssemblyConfigCookie+0x1834b PreBindAssembly-0x9505 clr+0xf98cf @ 0x7fef14198cf DestroyAssemblyConfigCookie+0x1824f PreBindAssembly-0x9601 clr+0xf97d3 @ 0x7fef14197d3 StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef14a66ae BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521 exception.instruction_r: 80 38 00 48 8b 4d 38 48 8b 55 40 e8 e8 3e 31 5e exception.instruction: cmp byte ptr [rax], 0 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x7fe91e82cc8 registers.r14: 0 registers.r15: 0 registers.rcx: 2 registers.rsi: 0 registers.r10: 39180144 registers.rbx: 0 registers.rsp: 479721984 registers.r11: 483080976 registers.r8: 39179752 registers.r9: 8791534055136 registers.rdx: 39179752 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 30, 2021, 10:30 a.m.

stacktrace:

0x7fe91e82cc8
0x7fe91e82758
0x7fe91e65377
0x7fe91e64f14
mscorlib+0x53407e @ 0x7fef02d407e
mscorlib+0x4ef8a5 @ 0x7fef028f8a5
mscorlib+0x4ef609 @ 0x7fef028f609
mscorlib+0x533e55 @ 0x7fef02d3e55
mscorlib+0x533c75 @ 0x7fef02d3c75
mscorlib+0x49b82a @ 0x7fef023b82a
CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef136f713
CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef136f242
CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef136f30b
DestroyAssemblyConfigCookie+0x2123d PreBindAssembly-0x613 clr+0x1027c1 @ 0x7fef14227c1
DestroyAssemblyConfigCookie+0x157fc PreBindAssembly-0xc054 clr+0xf6d80 @ 0x7fef1416d80
DestroyAssemblyConfigCookie+0x1578a PreBindAssembly-0xc0c6 clr+0xf6d0e @ 0x7fef1416d0e
DestroyAssemblyConfigCookie+0x15701 PreBindAssembly-0xc14f clr+0xf6c85 @ 0x7fef1416c85
DestroyAssemblyConfigCookie+0x15837 PreBindAssembly-0xc019 clr+0xf6dbb @ 0x7fef1416dbb
DestroyAssemblyConfigCookie+0x211a4 PreBindAssembly-0x6ac clr+0x102728 @ 0x7fef1422728
DestroyAssemblyConfigCookie+0x1834b PreBindAssembly-0x9505 clr+0xf98cf @ 0x7fef14198cf
DestroyAssemblyConfigCookie+0x1824f PreBindAssembly-0x9601 clr+0xf97d3 @ 0x7fef14197d3
StrongNameSignatureVerification+0x5a22 GetCLRFunction-0x7712 clr+0x1866ae @ 0x7fef14a66ae
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: 80 38 00 48 8b 4d 38 48 8b 55 40 e8 e8 3e 31 5e
exception.instruction: cmp byte ptr [rax], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7fe91e82cc8
registers.r14: 0
registers.r15: 0
registers.rcx: 2
registers.rsi: 0
registers.r10: 39180144
registers.rbx: 0
registers.rsp: 479721984
registers.r11: 483080976
registers.r8: 39179752
registers.r9: 8791534055136
registers.rdx: 39179752
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://freegeoip.app/xml/
suspicious_features	GET method with no useragent header	suspicious_request	GET http://api.my-ip.io/ip
suspicious_features	GET method with no useragent header	suspicious_request	GET http://duckyu.biz/corona//image.png
suspicious_features	GET method with no useragent header	suspicious_request	GET https://freegeoip.app/xml/
suspicious_features	GET method with no useragent header	suspicious_request	GET https://api.my-ip.io/ip

Performs some HTTP requests (5 events)

request	GET http://freegeoip.app/xml/
request	GET http://api.my-ip.io/ip
request	GET http://duckyu.biz/corona//image.png
request	GET https://freegeoip.app/xml/
request	GET https://api.my-ip.io/ip

Allocates read-write-execute memory (usually to unpack itself) (50 out of 289 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1321000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef19bb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002050000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000020b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1322000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1324000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91b9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91bac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 897024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91d31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91e50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91e51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000009b0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000009b0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000009b0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000009b2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a53000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a53000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a53000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a53000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a53000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a53000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a53000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a53000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a53000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 30, 2021, 10:28 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a53000 process_handle: 0xffffffffffffffff	1

A process attempted to delay the analysis task. (1 event)

description

0GTTI98V0N.exe tried to sleep 142 seconds, actually delayed analysis time by 142 seconds

Steals private information from local Internet browsers (50 out of 84 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Bookmarks
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Bookmarks
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Bookmarks
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Bookmarks
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Bookmarks
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Bookmarks
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Bookmarks
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Bookmarks
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Bookmarks
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Bookmarks
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\History
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Bookmarks

Executes one or more WMI queries (4 events)

wmi	SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
wmi	SELECT Name FROM Win32_VideoController
wmi	SELECT ProcessorId FROM Win32_Processor
wmi	SELECT Name FROM Win32_Processor

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 30, 2021, 10:28 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 30, 2021, 10:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Executes one or more WMI queries which can be used to identify virtual machines (3 events)

wmi	SELECT ProcessorId FROM Win32_Processor
wmi	SELECT Name FROM Win32_Processor
wmi	SELECT TotalPhysicalMemory FROM Win32_ComputerSystem

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\Filezilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\Filezilla\recentservers.xml

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Lionic	Trojan.MSIL.Stealer.l!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
McAfee	GenericRXOC-TV!096FC2AC3B23
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Spyware ( 005690661 )
Alibaba	Ransom:Win32/Apocalypse.2c3a46be
K7GW	Spyware ( 005690661 )
Cybereason	malicious.c3b233
Arcabit	Trojan.Cerbu.D1A0DF
Cyren	W32/MSIL_Stealer.B.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Spy.Agent.DIG
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
BitDefender	Gen:Variant.Cerbu.106719
MicroWorld-eScan	Gen:Variant.Cerbu.106719
Avast	Win32:Trojan-gen
Tencent	Win32.Trojan.Bulz.Fsh
Ad-Aware	Gen:Variant.Cerbu.106719
DrWeb	Trojan.PWS.Stealer.30590
TrendMicro	Ransom_FileCryptor.R002C0DGN21
McAfee-GW-Edition	GenericRXOC-TV!096FC2AC3B23
FireEye	Generic.mg.096fc2ac3b2337b2
Emsisoft	Gen:Variant.Cerbu.106719 (B)
Ikarus	Trojan.MSIL.Spy
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1143400
eGambit	Unsafe.AI_Score_99%
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Ransom:Win32/Apocalypse
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	Gen:Variant.Cerbu.106719
AhnLab-V3	Trojan/Win.Generic.R418661
VBA32	TScope.Trojan.MSIL
ALYac	Gen:Variant.Cerbu.106719
MAX	malware (ai score=82)
Malwarebytes	Spyware.ApocalypseStealer
TrendMicro-HouseCall	Ransom_FileCryptor.R002C0DGN21
Yandex	TrojanSpy.Agent!l9m0AUjrhb8
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Stealer.CYF!tr
BitDefenderTheta	Gen:NN.ZemsilF.34050.an0@a0m6Len
AVG	Win32:Trojan-gen
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/Ransom.Generic.HwMA0PcA

0GTTI98V0N.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All