Summary | ZeroBOX

js.exe

Generic Malware PE32 PE File .NET EXE
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 21, 2021, 9 a.m. Aug. 21, 2021, 9:08 a.m.
Size 6.0KB
Type PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 1429db94406815eaa9cf34236f480f4a
SHA256 1ba83ab6f009f73bcdf5114e31a0e2959bee3c8ce049d9a562c9d04ce6cdc11f
CRC32 CF975176
ssdeep 96:jiRXkLoN9c5t5GgN3cAjXZtJuqYmdESOzNt:Poqn13JjpV1M
PDB Path C:\Users\Administrator\AppData\Roaming\AEX6YE0WTh\obj\Debug\tonight.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

IP Address Status Action
162.159.130.233 Active Moloch
164.124.101.2 Active Moloch
37.0.10.83 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49197 -> 162.159.130.233:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49198 -> 37.0.10.83:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 37.0.10.83:80 -> 192.168.56.101:49198 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 37.0.10.83:80 -> 192.168.56.101:49198 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 37.0.10.83:80 -> 192.168.56.101:49198 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2
192.168.56.101:49197
162.159.130.233:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3 C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 54:e1:a7:9d:cc:c8:60:86:f1:a5:da:74:0e:5a:ab:45:df:37:8a:78

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleA

buffer: System.BadImageFormatException: ???? ???? '4361 bytes loaded from tonight, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' ?? ??? ???? ?? ???? ???? ? ??? ??? ? ????. ????? ??? ???? ????? ????. ---> System.BadImageFormatException: IL ??? ???????. --- ?? ?? ?? ??? ? --- ??: System.Reflection.RuntimeAssembly.nLoadImage(Byte[] rawAssembly, Byte[] rawSymbolStore, Evidence evidence, StackCrawlMark& stackMark, Boolean fIntrospection, SecurityContextSource securityContextSource) ??: System.Reflection.Assembly.Load(Byte[] rawAssembly) ??: tonight.Program.Main(String[] args)
console_handle: 0x0000000b
1 1 0
pdb_path C:\Users\Administrator\AppData\Roaming\AEX6YE0WTh\obj\Debug\tonight.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://37.0.10.83/os/justin.exe
suspicious_features GET method with no useragent header suspicious_request GET https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll
request GET http://37.0.10.83/os/justin.exe
request GET https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00300000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72742000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00850000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00890000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00615000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0061b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00617000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0060a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00607000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00606000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0060b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
host 37.0.10.83
Elastic malicious (high confidence)
FireEye Generic.mg.1429db94406815ea
Sangfor Trojan.Win32.Save.a
Cyren W32/MSIL_Kryptik.FGY.gen!Eldorado
Symantec MSIL.Downloader!gen7
APEX Malicious
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
Avast Win32:PWSX-gen [Trj]
MaxSecure Trojan.Malware.300983.susgen
Cynet Malicious (score: 100)
BitDefenderTheta Gen:NN.ZemsilF.34088.am0@aKP6Abm
SentinelOne Static AI - Malicious PE
AVG Win32:PWSX-gen [Trj]
CrowdStrike win/malicious_confidence_90% (W)