popup
procMemory | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Process Memory

Process memory dump for bobbyzx.exe (PID 1348, dump 1)

Extracted/injected images (may contain unpacked executables)
Download #1

Yara signatures matches on process memory

Match: Network_DNS

  • Z2V0aG9zdGJ5bmFtZQ== (gethostbyname)
  • d3NvY2szMi5kbGw= (wsock32.dll)

Match: infoStealer_ftpClients_Zero

  • RlRQV2FyZVxDT1JFRlRQXFNpdGVz (FTPWare\COREFTP\Sites)

Match: Network_TCP_Socket

  • V1NBU3RhcnR1cA== (WSAStartup)
  • Y29ubmVjdA== (connect)
  • Y2xvc2Vzb2NrZXQ= (closesocket)
  • c29ja2V0 (socket)
  • c2VuZA== (send)
  • d3NvY2szMi5kbGw= (wsock32.dll)

Match: Win32_PWS_Loki_Zero

  • TWFydGluIFByaWtyeWw= (Martin Prikryl)
  • UHVUVFlcU2Vzc2lvbnM= (PuTTY\Sessions)

Match: Escalate_priviledges

  • QWRqdXN0VG9rZW5Qcml2aWxlZ2Vz (AdjustTokenPrivileges)
  • YWR2YXBpMzIuZGxs (advapi32.dll)

Match: Win_Trojan_agentTesla_Zero

  • Q3JlYXRlVGhyZWFk (CreateThread)
  • RlRQV2FyZVxDT1JFRlRQXFNpdGVz (FTPWare\COREFTP\Sites)
  • T3BlblByb2Nlc3M= (OpenProcess)
  • U29mdHdhcmVcUmltQXJ0c1xCMlxTZXR0aW5ncw== (Software\RimArts\B2\Settings)
  • UHJvZmlsZXNcT3V0bG9vaw== (Profiles\Outlook)

Match: infoStealer_emailClients_Zero

  • U29mdHdhcmVcUmltQXJ0c1xCMlxTZXR0aW5ncw== (Software\RimArts\B2\Settings)
  • UHJvZmlsZXNcT3V0bG9vaw== (Profiles\Outlook)

Match: ScreenShot

  • Qml0Qmx0 (BitBlt)
  • Z2RpMzIuZGxs (gdi32.dll)
  • dXNlcjMyLmRsbA== (user32.dll)

Match: local_credential_Steal

  • Q3JlZEVudW1lcmF0ZUE= (CredEnumerateA)
  • U29mdHdhcmVcTWljcm9zb2Z0XEludGVybmV0IEFjY291bnQgTWFuYWdlcg== (Software\Microsoft\Internet Account Manager)

Match: PWS_CnC_memory_Zero

  • Z2F0ZS5waHA= (gate.php)

Match: DebuggerCheck__GlobalFlags

  • TnRHbG9iYWxGbGFncw== (NtGlobalFlags)

Match: DebuggerCheck__QueryInfo

  • UXVlcnlJbmZvcm1hdGlvblByb2Nlc3M= (QueryInformationProcess)

Match: DebuggerHiding__Thread

  • U2V0SW5mb3JtYXRpb25UaHJlYWQ= (SetInformationThread)

Match: DebuggerHiding__Active

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)

Match: ThreadControl__Context

  • U2V0VGhyZWFkQ29udGV4dA== (SetThreadContext)

Match: SEH__vectored

  • QWRkVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (AddVectoredExceptionHandler)
  • UmVtb3ZlVmVjdG9yZWRFeGNlcHRpb25IYW5kbGVy (RemoveVectoredExceptionHandler)

Match: anti_dbg

  • RGVidWdBY3RpdmVQcm9jZXNz (DebugActiveProcess)
  • S0VSTkVMMzIuRExM (KERNEL32.DLL)
  • a2VybmVsMzIuZGxs (kernel32.dll)

Match: disable_dep

  • TnRTZXRJbmZvcm1hdGlvblByb2Nlc3M= (NtSetInformationProcess)
  • WndQcm90ZWN0VmlydHVhbE1lbW9yeQ== (ZwProtectVirtualMemory)

Match: Persistence

  • U3lzdGVtLmluaQ== (System.ini)
  • d2luLmluaQ== (win.ini)

URLs found in process memory 
    http://manvim.co/ae1/gate.php
    http://manvim.co/ae1/AE1.php
    http://www.ibsensoftware.com/