Summary | ZeroBOX

htown.exe

Ave Maria NPKI WARZONE RAT Malicious Library Malicious Packer PE File OS Processor Check PE32
Category FILE
Machine s1_win7_x6402
Started Aug. 21, 2021, 8:50 a.m.
Completed Aug. 21, 2021, 8:52 a.m.
Size 113.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6452a476398bc73e815078a0342425f6
SHA256 7f6b099267911103a2ed4968d73900bbdc667fde2d574fe8300f891a25a33f55
CRC32 F08762F3
ssdeep 1536:h0jP7/L1B5rVmN8sxHv2M28ix8EUaJxWZoB4u0OVE01:K1VmhaH8EFvW+0OVE0
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • Ave_Maria_Zero - Remote Access Trojan that is also called WARZONE RAT
  • IsPE32 - (no description)
  • Malicious_Packer_Zero - Malicious Packer

Name Response Post-Analysis Lookup
googleservers.org 162.248.225.143
IP Address Status Action
162.248.225.143 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API GetComputerNameW
computer_name: TEST22-PC
status: 1, return: 1, repeated: 0

API GetComputerNameW
computer_name: TEST22-PC
status: 1, return: 1, repeated: 0

API GetComputerNameA
computer_name: TEST22-PC
status: 1, return: 1, repeated: 0
API WriteConsoleW
buffer: Microsoft Windows [Version 6.1.7601]
console_handle: 0x00000007
status: 1, return: 1, repeated: 0

API WriteConsoleW
buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved.
console_handle: 0x00000007
status: 1, return: 1, repeated: 0

API WriteConsoleW
buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
status: 1, return: 1, repeated: 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
API GlobalMemoryStatusEx
status: 1, return: 1, repeated: 0
resource name WM_DSP
API __exception__
stacktrace:
htown+0x3626 @ 0x1213626
htown+0x1145b @ 0x122145b
htown+0x13649 @ 0x1223649
htown+0x5d61 @ 0x1215d61
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 0f b7 01 66 89 02 41 41 42 42 66 85 c0 75 f1 c7
exception.symbol: lstrcpyW+0x16 IsBadStringPtrA-0x5b kernel32+0x33118
exception.instruction: movzx eax, word ptr [ecx]
exception.module: kernel32.dll
exception.exception_code: 0xc0000005
exception.offset: 209176
exception.address: 0x76a63118
registers.esp: 2684216
registers.edi: 2684356
registers.eax: 2684240
registers.ebp: 2684256
registers.edx: 46333952
registers.ebx: 2684496
registers.esi: 2684512
registers.ecx: 0
status: 1, return: 0, repeated: 0
API NtAllocateVirtualMemory
process_identifier: 2528
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

API NtAllocateVirtualMemory
process_identifier: 2528
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x034d0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

API NtAllocateVirtualMemory
process_identifier: 2528
region_size: 540672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04600000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0
API GetDiskFreeSpaceW
number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
status: 1, return: 1, repeated: 0

API GetDiskFreeSpaceW
number_of_free_clusters: 2669294
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
status: 1, return: 1, repeated: 0

API GetDiskFreeSpaceExW
total_number_of_free_bytes: 10933403648
free_bytes_available: 10933403648
root_path: C:\
total_number_of_bytes: 34252779520
status: 1, return: 1, repeated: 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
name WM_DSP language LANG_ENGLISH filetype PE32 executable (GUI) Intel 80386, for MS Windows sublanguage SUBLANG_ARABIC_QATAR offset 0x0014f070 size 0x00002c00
cmdline C:\Windows\System32\cmd.exe
wmi
API CreateProcessInternalW
thread_identifier: 1220
thread_handle: 0x000001e4
process_identifier: 2104
current_directory:
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line:
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000001f0
status: 1, return: 1, repeated: 0
API NtAllocateVirtualMemory
process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00490000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000001f8
status: 1, return: 0, repeated: 0

API NtProtectVirtualMemory
process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00490000
process_handle: 0x000001f8
status: 1, return: 0, repeated: 0
API WriteProcessMemory
buffer: U‹ì‹U‹E‹È…Òt ÆAƒêu÷]ÃU‹ìd¡0ƒì‹@ SVW‹x 駋G03ö‹_,‹?‰Eø‹B<‰}ô‹Dx‰Eð…À„…Áë3ɅÛt-‹}ø¾ÁÎ €<a‰Uø| ‹ÂƒÀàðëuøA;ËrߋUü‹}ô‹Eð‹L3ۋD ‰Mì…Ét<‹3ÿʃÀ‰Mø‹Ñ‰EèŠ ÁÏ ¾ÁøB„Éuñ‹Uü‰}ø‹Eø‹}ôÆ;Et ‹EèC;]ìrċW‰Uü…Ò…Kÿÿÿ3À_^[É‹uð‹D$X· ‹Dˆ‹ÂëÝU‹ìì¼‹ESVW‹XhLw&‰M ‰]¸èèþÿÿ‹ðÇEÄkern3ÀÇEÈel32ˆEЈEލEÄPÇEÌ.dllÇEàntdlÇEäl.dlfÇEèlÇEÔuserÇEØ32.dfÇEÜllfÇEø1fÇEü2ÿ֍EàPÿ֍EÔPÿÖhX¤SåèyþÿÿhyÌ?†‰EèlþÿÿhEƒV‰Eôè_þÿÿhDð5à‰EÀèRþÿÿhP‰E¤èEþÿÿhƖ‡R‰Eœè8þÿÿh_xTî‰Eðè+þÿÿhÚöÚO‰E˜èþÿÿ‹øhÆp‰}´èþÿÿh­ž_»‹ðèþÿÿh-W®[‰E¼èöýÿÿ‰E¬3ÀPh€jPPh€S‰E¨ÿ×j‰EìPÿ֋]‹ø‰}°jh0WjÿӋð…ötîjE¨PW‹}ìVWÿU¼WÿUð€>M‹]¸t jEøPPjÿUÀÆE hà.ÿU¤3À}ˆ«jDj«««…DÿÿÿPèTýÿÿƒÄ ÿu jhÿÿÿUœ‰E¼…ÀuOEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…À…¯PPjPPh@S‰E¸ÿU´‹øjƒÿÿtE¸ë^EüPPjÿUÀ鄃eìMìQPÿU˜}ìtoEˆP…DÿÿÿP3ÀPPPPPPPSÿUô…ÀuOPPjPPh@S‰EÿU´‹øjƒÿÿt*EPÿu°VWÿU¬WÿUðEˆP…DÿÿÿP3ÀPPPPPPPSÿUôë EüPPjÿUÀÆE ÿu¼ÿUð€} „åþÿÿ_^[ÉÃ,m"d¿“ðÜ
base_address: 0x00490000
process_identifier: 2104
process_handle: 0x000001f8
status: 1, return: 1, repeated: 0

API WriteProcessMemory
buffer: à C:\Users\test22\AppData\Local\Temp\htown.exe€§;·tè<õ(<õ(P,gu|,guÁ¿s`Äõ(Ã$€igÿÿÿÿÿäô(Èõ(Àü(à^iu22þÿÿÿ|,gu 5guè
base_address: 0x004a0000
process_identifier: 2104
process_handle: 0x000001f8
status: 1, return: 1, repeated: 0
file C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
file C:\Users\test22\AppData\Local\Temp\:Zone.Identifier
Bkav W32.AIDetect.malware2
Lionic Trojan.Win32.Agentb.trG2
Elastic malicious (high confidence)
MicroWorld-eScan DeepScan:Generic.Malware.SLl!prn!g.2E3319BA
FireEye Generic.mg.6452a476398bc73e
CAT-QuickHeal Trojan.IGENERIC
Qihoo-360 Win32/Backdoor.Remcos.HxQBXhEA
McAfee GenericRXLJ-HT!6452A476398B
Cylance Unsafe
Zillya Trojan.Agent.Win32.1391531
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0054d10e1 )
Alibaba Backdoor:Win32/Agentb.1f99447b
K7GW Trojan ( 0054d10e1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit DeepScan:Generic.Malware.SLl!prn!g.2E3319BA
Cyren W32/Antiav.INDT-0919
Symantec Infostealer
ESET-NOD32 Win32/Agent.TJS
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.AveMaria-8799014-1
Kaspersky Trojan.Win32.Agentb.jiad
BitDefender DeepScan:Generic.Malware.SLl!prn!g.2E3319BA
NANO-Antivirus Trojan.Win32.AntiAV.fljpfv
Avast Win32:Malware-gen
Tencent Malware.Win32.Gencirc.10ce4ea1
Ad-Aware DeepScan:Generic.Malware.SLl!prn!g.2E3319BA
Sophos Mal/Generic-R
Comodo TrojWare.Win32.AntiAV.VA@81mmki
DrWeb Trojan.PWS.Maria.3
TrendMicro TrojanSpy.Win32.MOCRT.SM
McAfee-GW-Edition BehavesLike.Win32.Dropper.ch
Emsisoft Trojan.Agent (A)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Agentb.eab
Avira TR/Redcap.ghjpt
MAX malware (ai score=100)
Antiy-AVL Trojan/Generic.ASMalwS.2A11D98
Gridinsoft Trojan.Win32.Agent.oa!s1
Microsoft Backdoor:Win32/Remcos!MTB
ViRobot Trojan.Win32.Agent.1392640.E
GData Win32.Backdoor.AveMaria.A
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.AveMaria.R263895
VBA32 Trojan.Agentb
ALYac DeepScan:Generic.Malware.SLl!prn!g.2E3319BA
Malwarebytes AveMaria.Backdoor.Stealer.DDS
Zoner Trojan.Win32.96822
TrendMicro-HouseCall TrojanSpy.Win32.MOCRT.SM