Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 19, 2021, 11:24 a.m.	Sept. 19, 2021, 11:35 a.m.

Size	629.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ff1b657f20e7afc8202a40d189cdae59`
SHA256	`9e5d79a5c4d56511b27b25b7c4ddb73e8c10c15168676b90291b8ba66a6239c4`
CRC32	`331059F6`
ssdeep	`12288:vYxaM8KuQROymUjV89Qbq+SNycbu4XqRG1GUqy:XjQwyhVy0WrVN`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

list.exe "C:\Users\test22\AppData\Local\Temp\list.exe"
2088
- list.exe "C:\Users\test22\AppData\Local\Temp\list.exe"
  2264

Name	Response	Post-Analysis Lookup
www.wireconnectaz.tech	CNAME wireconnectaz.tech A 153.92.220.18	153.92.220.18
www.richesosity.online	A 172.67.178.47 A 104.21.35.179	172.67.178.47
www.atjehtimur.com	CNAME atjehtimur.com A 103.253.212.244	103.253.212.244
www.estherestates.online	CNAME estherestates.online A 34.102.136.180	34.102.136.180
www.chowding.com	A 198.50.252.64	198.50.252.64
www.casino-virtuali.net	A 104.21.61.65 A 172.67.206.242	172.67.206.242
www.fasilitatortoefl.com	A 103.52.144.138 CNAME fasilitatortoefl.com	103.52.144.138
www.phytolipshine.com	A 165.160.15.20 A 165.160.13.20	165.160.15.20
www.freedomforfarmedrabbits.online	A 203.170.80.250	203.170.80.250
www.orangstyle.com	A 34.107.102.192	34.107.102.192

IP Address	Status	Action
103.253.212.244	Active	Moloch
103.52.144.138	Active	Moloch
104.21.35.179	Active	Moloch
153.92.220.18	Active	Moloch
164.124.101.2	Active	Moloch
165.160.13.20	Active	Moloch
172.67.206.242	Active	Moloch
198.50.252.64	Active	Moloch
203.170.80.250	Active	Moloch
34.102.136.180	Active	Moloch
34.107.102.192	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49170 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 172.67.206.242:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 172.67.206.242:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 172.67.206.242:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 153.92.220.18:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 153.92.220.18:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 153.92.220.18:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 103.253.212.244:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 103.253.212.244:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 103.253.212.244:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 198.50.252.64:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 198.50.252.64:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 198.50.252.64:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 104.21.35.179:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 104.21.35.179:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 104.21.35.179:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 165.160.13.20:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 165.160.13.20:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 165.160.13.20:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 103.52.144.138:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 103.52.144.138:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 103.52.144.138:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 203.170.80.250:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 203.170.80.250:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 203.170.80.250:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 34.107.102.192:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 34.107.102.192:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 34.107.102.192:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 19, 2021, 11:24 a.m.			0	0
IsDebuggerPresent Sept. 19, 2021, 11:24 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 19, 2021, 11:24 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.freedomforfarmedrabbits.online/uytf/?pPX=aanr9KUA+Lme2HnVO/iXZ9M+VynYtt8YNC4RSrEQUm5wbsxRoKLFvnw/FduDX7MSivFtGy/+&1b=jnKtRfUxV
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.phytolipshine.com/uytf/?pPX=Fx3MBA+wnyP4UwdJpcXcQefFTv+0WpMEuREL8NukrNNObpanHjIC8qUY8SnAq0baZOrOIpSd&1b=jnKtRfUxV
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.richesosity.online/uytf/?pPX=8q6matzAslour1Wg7EDZOBiUYMK1ZLS1rYSRgs2yyJbPXAYaEJuUoecG03EIMLpxIkgbL9q4&1b=jnKtRfUxV
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.estherestates.online/uytf/?pPX=oIuaCgs8fWe7UPMH63YJqAOmlhmah6T8z6DMbwlnTLzzYRJkfgqamdDtc0OyBRbzZ8ieFU+p&1b=jnKtRfUxV
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.orangstyle.com/uytf/?pPX=ZeXqQEHVzWgCZpPTNhYOjWQ9Qqomd/Wcs+ePRWCYWi9KRItxKQ3GmqF2KQQ9LX2oE/v4ro1T&1b=jnKtRfUxV
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.atjehtimur.com/uytf/?pPX=xyanq6/aXBjQ+drETuPL3uW7YN/fSzGGYXigMrEAsu0BgOhtvREM0lJTblDkspg/rslptfje&1b=jnKtRfUxV
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.chowding.com/uytf/?pPX=KjPIUqWGSwcpMb1JQuy7+0U5rXawkPVPr7fK8WZb5vSYhxBFfvmkEsL/MgpgoLsWmZ9LBflA&1b=jnKtRfUxV
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.fasilitatortoefl.com/uytf/?pPX=foh9uT4TNOHfQtkSH9m7Z/6r7DOaIcQkTX62D8Vmt2IbcE3X7kyPrJ3BOSY+SpvNWJAlQMmw&1b=jnKtRfUxV
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.wireconnectaz.tech/uytf/?pPX=ykk3RL+VOMXWil8HNCFXQ+wNFXvfY05AhbWwIaICGpFeRZ8bpfrHSSt//sxM/LDuP+XWHN5A&1b=jnKtRfUxV
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.casino-virtuali.net/uytf/?pPX=g7mpRtpTrt86/9NUu7qnQWaSOi1js2yCbBPgDeqMY9oCbbLU6QU9HZXO/9hDXANZpsRSIO+P&1b=jnKtRfUxV

Performs some HTTP requests (10 events)

request	GET http://www.freedomforfarmedrabbits.online/uytf/?pPX=aanr9KUA+Lme2HnVO/iXZ9M+VynYtt8YNC4RSrEQUm5wbsxRoKLFvnw/FduDX7MSivFtGy/+&1b=jnKtRfUxV
request	GET http://www.phytolipshine.com/uytf/?pPX=Fx3MBA+wnyP4UwdJpcXcQefFTv+0WpMEuREL8NukrNNObpanHjIC8qUY8SnAq0baZOrOIpSd&1b=jnKtRfUxV
request	GET http://www.richesosity.online/uytf/?pPX=8q6matzAslour1Wg7EDZOBiUYMK1ZLS1rYSRgs2yyJbPXAYaEJuUoecG03EIMLpxIkgbL9q4&1b=jnKtRfUxV
request	GET http://www.estherestates.online/uytf/?pPX=oIuaCgs8fWe7UPMH63YJqAOmlhmah6T8z6DMbwlnTLzzYRJkfgqamdDtc0OyBRbzZ8ieFU+p&1b=jnKtRfUxV
request	GET http://www.orangstyle.com/uytf/?pPX=ZeXqQEHVzWgCZpPTNhYOjWQ9Qqomd/Wcs+ePRWCYWi9KRItxKQ3GmqF2KQQ9LX2oE/v4ro1T&1b=jnKtRfUxV
request	GET http://www.atjehtimur.com/uytf/?pPX=xyanq6/aXBjQ+drETuPL3uW7YN/fSzGGYXigMrEAsu0BgOhtvREM0lJTblDkspg/rslptfje&1b=jnKtRfUxV
request	GET http://www.chowding.com/uytf/?pPX=KjPIUqWGSwcpMb1JQuy7+0U5rXawkPVPr7fK8WZb5vSYhxBFfvmkEsL/MgpgoLsWmZ9LBflA&1b=jnKtRfUxV
request	GET http://www.fasilitatortoefl.com/uytf/?pPX=foh9uT4TNOHfQtkSH9m7Z/6r7DOaIcQkTX62D8Vmt2IbcE3X7kyPrJ3BOSY+SpvNWJAlQMmw&1b=jnKtRfUxV
request	GET http://www.wireconnectaz.tech/uytf/?pPX=ykk3RL+VOMXWil8HNCFXQ+wNFXvfY05AhbWwIaICGpFeRZ8bpfrHSSt//sxM/LDuP+XWHN5A&1b=jnKtRfUxV
request	GET http://www.casino-virtuali.net/uytf/?pPX=g7mpRtpTrt86/9NUu7qnQWaSOi1js2yCbBPgDeqMY9oCbbLU6QU9HZXO/9hDXANZpsRSIO+P&1b=jnKtRfUxV

Allocates read-write-execute memory (usually to unpack itself) (42 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00290000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02160000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02310000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00312000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00531000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70682000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00535000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00538000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00539000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 19, 2021, 11:34 a.m.	process_identifier: 2264 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00072400', u'virtual_address': u'0x00002000', u'entropy': 7.6053449451802715, u'name': u'.text', u'virtual_size': u'0x00072264'}

entropy

7.60534494518

description

A section with a high entropy has been found

entropy

0.726550079491

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 19, 2021, 11:34 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2264 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000288	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 19, 2021, 11:24 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL]±&Aà ~ Õ@@.text<\|~ ` base_address: 0x00400000 process_identifier: 2264 process_handle: 0x00000288	1	1	0
WriteProcessMemory Sept. 19, 2021, 11:24 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2264 process_handle: 0x00000288	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 19, 2021, 11:24 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL]±&Aà ~ Õ@@.text<\|~ ` base_address: 0x00400000 process_identifier: 2264 process_handle: 0x00000288	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2088 called NtSetContextThread to modify thread in remote process 2264
NtSetContextThread Sept. 19, 2021, 11:24 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314400 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000284 process_identifier: 2264	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2088 resumed a thread in remote process 2264
NtResumeThread Sept. 19, 2021, 11:24 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2264	1	0	0

Executed a process and injected code into it, probably while unpacking (12 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 19, 2021, 11:24 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2088	1	0
NtResumeThread Sept. 19, 2021, 11:24 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2088	1	0
NtResumeThread Sept. 19, 2021, 11:24 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2088	1	0
NtResumeThread Sept. 19, 2021, 11:24 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2088	1	0
CreateProcessInternalW Sept. 19, 2021, 11:24 a.m.	thread_identifier: 2408 thread_handle: 0x00000284 process_identifier: 2264 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\list.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\list.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000288	1	1
NtGetContextThread Sept. 19, 2021, 11:24 a.m.	thread_handle: 0x00000284	1	0
NtAllocateVirtualMemory Sept. 19, 2021, 11:24 a.m.	process_identifier: 2264 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000288	1	0
WriteProcessMemory Sept. 19, 2021, 11:24 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL]±&Aà ~ Õ@@.text<\|~ ` base_address: 0x00400000 process_identifier: 2264 process_handle: 0x00000288	1	1
WriteProcessMemory Sept. 19, 2021, 11:24 a.m.	buffer: base_address: 0x00401000 process_identifier: 2264 process_handle: 0x00000288	1	1
WriteProcessMemory Sept. 19, 2021, 11:24 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2264 process_handle: 0x00000288	1	1
NtSetContextThread Sept. 19, 2021, 11:24 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314400 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000284 process_identifier: 2264	1	0
NtResumeThread Sept. 19, 2021, 11:24 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2264	1	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.46987419
FireEye	Generic.mg.ff1b657f20e7afc8
McAfee	AgentTesla-FDCV!FF1B657F20E7
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0058274f1 )
Alibaba	Trojan:Win32/Kryptik.ali2000016
K7GW	Trojan ( 0058274f1 )
CrowdStrike	win/malicious_confidence_80% (W)
Arcabit	Trojan.Generic.D2CCF89B
Cyren	W32/MSIL_Kryptik.FNY.gen!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/Kryptik.ACUS
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealer.gen
BitDefender	Trojan.GenericKD.46987419
Avast	Win32:CrypterX-gen [Trj]
Ad-Aware	Trojan.GenericKD.46987419
Sophos	Mal/Generic-S + Troj/Krypt-CV
DrWeb	Trojan.PWS.Maria.3
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
Emsisoft	Trojan.GenericKD.46987419 (B)
Ikarus	Trojan.MSIL.Crypt
Avira	TR/Kryptik.albhf
MAX	malware (ai score=99)
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Microsoft	Trojan:MSIL/AgentTesla.CUC!MTB
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Stealer.gen
GData	Trojan.GenericKD.46987419
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.AgentTesla.C4635630
Malwarebytes	Trojan.Crypt.MSIL
TrendMicro-HouseCall	TROJ_GEN.R002C0DIH21
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/GenKryptik.FKSX!tr
AVG	Win32:CrypterX-gen [Trj]
Cybereason	malicious.f97566
Panda	Trj/GdSda.A

list.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All