popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

mo.exe

Generic Malware PE32 PE File .NET EXE
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 21, 2021, 9 a.m. Aug. 21, 2021, 9:03 a.m.
Size 6.0KB
Type PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 c19e67355e7333e2d68b904fdcfdceec
SHA256 abb0ac59e0528e0323d12d411d508c2a2b1a9463f0c1036c382a1a8ee986bb2e
CRC32 2293B671
ssdeep 96:2TuRXkLoN9c5t5GgNWjXZtJdqYmdESOzNt:MXoqn1Wjps1M
PDB Path C:\Users\Administrator\AppData\Roaming\AEX6YE0WTh\obj\Debug\tonight.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

Name Response Post-Analysis Lookup
cdn.discordapp.com
A 162.159.135.233
A 162.159.134.233
A 162.159.129.233
A 162.159.130.233
A 162.159.133.233
162.159.135.233
IP Address Status Action
162.159.129.233 Active Moloch
164.124.101.2 Active Moloch
37.0.10.83 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49199 -> 162.159.129.233:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49200 -> 37.0.10.83:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 37.0.10.83:80 -> 192.168.56.101:49200 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 37.0.10.83:80 -> 192.168.56.101:49200 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 37.0.10.83:80 -> 192.168.56.101:49200 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2
192.168.56.101:49199
162.159.129.233:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 54:e1:a7:9d:cc:c8:60:86:f1:a5:da:74:0e:5a:ab:45:df:37:8a:78

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleA

 buffer: System.BadImageFormatException: ???? ???? '4361 bytes loaded from tonight, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' ?? ??? ???? ?? ???? ???? ? ??? ??? ? ????. ????? ??? ???? ????? ????. ---> System.BadImageFormatException: IL ??? ???????. --- ?? ?? ?? ??? ? --- ??: System.Reflection.RuntimeAssembly.nLoadImage(Byte[] rawAssembly, Byte[] rawSymbolStore, Evidence evidence, StackCrawlMark& stackMark, Boolean fIntrospection, SecurityContextSource securityContextSource) ??: System.Reflection.Assembly.Load(Byte[] rawAssembly) ??: tonight.Program.Main(String[] args)
console_handle: 0x0000000b
1 1 0
pdb_path C:\Users\Administrator\AppData\Roaming\AEX6YE0WTh\obj\Debug\tonight.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://37.0.10.83/os/moses.exe
suspicious_features GET method with no useragent header suspicious_request GET https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll
request GET http://37.0.10.83/os/moses.exe
request GET https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 1376256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00910000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72742000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02250000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02390000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
host 37.0.10.83
Lionic Trojan.MSIL.Agensla.i!c
Elastic malicious (high confidence)
FireEye Generic.mg.c19e67355e7333e2
McAfee Artemis!C19E67355E73
Sangfor Trojan.Win32.Save.a
BitDefenderTheta Gen:NN.ZemsilF.34088.am0@aOg7jSn
Cyren W32/MSIL_Kryptik.FGY.gen!Eldorado
Symantec MSIL.Downloader!gen7
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
APEX Malicious
McAfee-GW-Edition Artemis!Trojan
MaxSecure Trojan.Malware.300983.susgen
Microsoft Program:Win32/Wacapew.C!ml
Avast Win32:PWSX-gen [Trj]
SentinelOne Static AI - Malicious PE
AVG Win32:PWSX-gen [Trj]
CrowdStrike win/malicious_confidence_90% (W)