Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 12, 2021, 2:46 p.m.	Sept. 12, 2021, 3:05 p.m.

Size	5.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6a55f0aa7770e3a0b95f916adb8f107e`
SHA256	`b24fdc796b9d77b40e8d0d4e580515747339914616ed48bb7c7cca887216b7d1`
CRC32	`F51F2C07`
ssdeep	`48:6PaOFDQN/4+tWqMtJfb9X0z6tPrSOula04q8pfbNtm:dACjP6tAc04zNt`
PDB Path	C:\Users\Admin\Desktop\Ð¿ÑÐ¾ÐµÐºÑÑ\work project\pastebinload2\obj\Debug\pastebinload.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description)

f.exe "C:\Users\test22\AppData\Local\Temp\f.exe"
1896

Name	Response	Post-Analysis Lookup
pastebin.com	A 104.23.99.190 A 104.23.98.190	104.23.98.190
cryptorelated.net	A 31.31.198.223	31.31.198.223
iplogger.org	A 88.99.66.31	88.99.66.31

IP Address	Status	Action
104.23.99.190	Active	Moloch
164.124.101.2	Active	Moloch
31.31.198.223	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49200 -> 104.23.99.190:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49203 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49206 -> 31.31.198.223:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49200 104.23.99.190:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49203 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 12, 2021, 2:46 p.m.			0	0
IsDebuggerPresent Sept. 12, 2021, 2:46 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Admin\Desktop\Ð¿ÑÐ¾ÐµÐºÑÑ\work project\pastebinload2\obj\Debug\pastebinload.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 12, 2021, 2:46 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://pastebin.com/raw/VJWK0vZ5
suspicious_features	GET method with no useragent header	suspicious_request	GET http://cryptorelated.net/CurrencyCalculatorInstaller.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/VJWK0vZ5
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.org/1Wa9p7

Performs some HTTP requests (4 events)

request	GET http://pastebin.com/raw/VJWK0vZ5
request	GET http://cryptorelated.net/CurrencyCalculatorInstaller.exe
request	GET https://pastebin.com/raw/VJWK0vZ5
request	GET https://iplogger.org/1Wa9p7

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00292000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 12, 2021, 2:46 p.m.	process_identifier: 1896 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 12, 2021, 2:46 p.m.	flags: 15 family: 0		111	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Lionic	Trojan.MSIL.Stealer.l!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37561425
FireEye	Generic.mg.6a55f0aa7770e3a0
ALYac	Trojan.GenericKD.37561425
Cylance	Unsafe
K7AntiVirus	Trojan-Downloader ( 00581f171 )
Alibaba	TrojanSpy:MSIL/Stealer.b5f8dfbc
K7GW	Trojan-Downloader ( 00581f171 )
CrowdStrike	win/malicious_confidence_100% (W)
BitDefenderTheta	Gen:NN.ZemsilF.34142.am0@ayyZojh
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.HMS
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
BitDefender	Trojan.GenericKD.37561425
Avast	Win32:CrypterX-gen [Trj]
Tencent	Msil.Trojan-spy.Stealer.Wpjp
Ad-Aware	Trojan.GenericKD.37561425
Sophos	Mal/Generic-S
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.37561425 (B)
SentinelOne	Static AI - Malicious PE
Jiangmin	TrojanSpy.MSIL.bswo
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1141408
MAX	malware (ai score=87)
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	Trojan.GenericKD.37561425
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.C4629777
McAfee	Artemis!6A55F0AA7770
Malwarebytes	Trojan.Downloader
Rising	Trojan.IPLogger!1.B69D (CLASSIC)
Ikarus	Trojan-Downloader.MSIL.Agent
eGambit	Unsafe.AI_Score_96%
Fortinet	W32/Stealer.HMS!tr
AVG	Win32:CrypterX-gen [Trj]
Cybereason	malicious.a7770e
Panda	Trj/CI.A
MaxSecure	Trojan.Malware.300983.susgen

f.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All