Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 15, 2021, 9:10 a.m.	Oct. 15, 2021, 9:14 a.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`72ae1ef77048260282b4e791eede5e3c`
SHA256	`431ec8528e6344c0abf90147e86180ba16c3bbeb6ef70786c66c0d4044ef82a2`
CRC32	`0B70E4F6`
ssdeep	`49152:HH9XrEkAP+3PcarS1Qo2biNplvpQtK6Kti:HH97EBW3PcaOjNJQtK6Kti`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

VLTKTanthuTN.exe "C:\Users\test22\AppData\Local\Temp\VLTKTanthuTN.exe"
1196

Name	Response	Post-Analysis Lookup
kimyen.net	A 103.255.237.239	103.255.237.239
free.timeanddate.com	A 146.75.49.176 CNAME k.shared.global.fastly.net	151.101.193.176
ptbtime1.ptb.de	A 192.53.103.108	192.53.103.108
utcnist.colorado.edu	CNAME india.colorado.edu A 128.138.140.44	128.138.140.44
kimyen.info	A 103.28.36.10	103.28.36.10
time.ien.it	CNAME ntp.ien.it A 193.204.114.105	193.204.114.105
time.nist.gov	CNAME ntp1.glb.nist.gov A 128.138.141.172	132.163.96.2

IP Address	Status	Action
103.255.237.239	Active	Moloch
103.28.36.10	Active	Moloch
128.138.140.44	Active	Moloch
128.138.141.172	Active	Moloch
146.75.49.176	Active	Moloch
164.124.101.2	Active	Moloch
192.53.103.108	Active	Moloch
193.204.114.105	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 15, 2021, 9:10 a.m.			0	0
IsDebuggerPresent Oct. 15, 2021, 9:10 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 15, 2021, 9:10 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	\x02l\x1a \x002)
section

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Oct. 15, 2021, 9:10 a.m.	stacktrace: 0x79f507 0x79d5b0 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x731c9df8 CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x731c9e2f CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x731c9efd CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x731c9fa2 DllGetClassObjectInternal+0x8bed4 CorDllMainForThunk-0x627 clr+0x150f4d @ 0x732f0f4d DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x731bbcd5 DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x731a2ae9 0x79aa86 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 39 09 e8 7b 22 cb 71 89 45 f4 8b 45 f4 8b e5 5d exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x79f8da registers.esp: 3007492 registers.edi: 3007664 registers.eax: 0 registers.ebp: 3007504 registers.edx: 4 registers.ebx: 3009240 registers.esi: 37330524 registers.ecx: 0	1
__exception__ Oct. 15, 2021, 9:10 a.m.	stacktrace: 0x79f507 0xae79095 0x449042d 0x79aa86 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 39 09 e8 7b 22 cb 71 89 45 f4 8b 45 f4 8b e5 5d exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x79f8da registers.esp: 3010356 registers.edi: 3010528 registers.eax: 0 registers.ebp: 3010368 registers.edx: 4 registers.ebx: 3011100 registers.esi: 37765008 registers.ecx: 0	1
__exception__ Oct. 15, 2021, 9:10 a.m.	stacktrace: 0x79f507 0xae79317 0x449042d 0x79aa86 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 39 09 e8 7b 22 cb 71 89 45 f4 8b 45 f4 8b e5 5d exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x79f8da registers.esp: 3010356 registers.edi: 3010528 registers.eax: 0 registers.ebp: 3010368 registers.edx: 4 registers.ebx: 3011100 registers.esi: 37765008 registers.ecx: 0	1

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 15, 2021, 9:10 a.m.

stacktrace:

0x79f507
0x79d5b0
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x731c9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x731c9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x731c9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x731c9fa2
DllGetClassObjectInternal+0x8bed4 CorDllMainForThunk-0x627 clr+0x150f4d @ 0x732f0f4d
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x731bbcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x731a2ae9
0x79aa86
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 39 09 e8 7b 22 cb 71 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x79f8da
registers.esp: 3007492
registers.edi: 3007664
registers.eax: 0
registers.ebp: 3007504
registers.edx: 4
registers.ebx: 3009240
registers.esi: 37330524
registers.ecx: 0

__exception__

Oct. 15, 2021, 9:10 a.m.

stacktrace:

0x79f507
0xae79095
0x449042d
0x79aa86
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 39 09 e8 7b 22 cb 71 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x79f8da
registers.esp: 3010356
registers.edi: 3010528
registers.eax: 0
registers.ebp: 3010368
registers.edx: 4
registers.ebx: 3011100
registers.esi: 37765008
registers.ecx: 0

__exception__

Oct. 15, 2021, 9:10 a.m.

stacktrace:

0x79f507
0xae79317
0x449042d
0x79aa86
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x731a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x731b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x731b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x732674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73267610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x732f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x732f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x732f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x732f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x740df5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 39 09 e8 7b 22 cb 71 89 45 f4 8b 45 f4 8b e5 5d
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x79f8da
registers.esp: 3010356
registers.edi: 3010528
registers.eax: 0
registers.ebp: 3010368
registers.edx: 4
registers.ebx: 3011100
registers.esi: 37765008
registers.ecx: 0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://free.timeanddate.com/clock/i3jl68nm/n246/tlir/tt0/tw0/tm3/th1
suspicious_features	GET method with no useragent header	suspicious_request	GET http://kimyen.net/vltk/tanthu/VLTKTanthuPb.txt
suspicious_features	GET method with no useragent header	suspicious_request	GET http://kimyen.info/vltk/tanthu/VLTKTanthuPb.txt

Performs some HTTP requests (3 events)

request	GET http://free.timeanddate.com/clock/i3jl68nm/n246/tlir/tt0/tw0/tm3/th1
request	GET http://kimyen.net/vltk/tanthu/VLTKTanthuPb.txt
request	GET http://kimyen.info/vltk/tanthu/VLTKTanthuPb.txt

Allocates read-write-execute memory (usually to unpack itself) (50 out of 116 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00791000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00794000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1339392 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00795000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00796000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00797000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00798000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00799000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfa000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bfc000 process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

VLTKTanthuTN.exe tried to sleep 650 seconds, actually delayed analysis time by 650 seconds

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 15, 2021, 9:10 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00146600', u'virtual_address': u'0x00002000', u'entropy': 7.99987279532022, u'name': u'\\x02l\\x1a\r\\x002)\r', u'virtual_size': u'0x001464d4'}

entropy

7.99987279532

description

A section with a high entropy has been found

entropy

0.764792032806

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 15, 2021, 9:10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0ae90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1196 manipulating memory of non-child process 1196
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0ae90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380	1	0	0

Potential code injection by writing to the memory of another process (7 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1196 injected into non-child 1196
WriteProcessMemory Oct. 15, 2021, 9:10 a.m.	buffer: base_address: 0x0ae90000 process_identifier: 1196 process_handle: 0x00000380	1	1	0
WriteProcessMemory Oct. 15, 2021, 9:10 a.m.	buffer: base_address: 0x0ae90002 process_identifier: 1196 process_handle: 0x00000380	1	1	0
WriteProcessMemory Oct. 15, 2021, 9:10 a.m.	buffer: ¾À»y base_address: 0x0ae90004 process_identifier: 1196 process_handle: 0x00000380	1	1	0
WriteProcessMemory Oct. 15, 2021, 9:10 a.m.	buffer: base_address: 0x0ae90009 process_identifier: 1196 process_handle: 0x00000380	1	1	0
WriteProcessMemory Oct. 15, 2021, 9:11 a.m.	buffer: ¾À»y base_address: 0x0ae90004 process_identifier: 1196 process_handle: 0x00000380	1	1	0
WriteProcessMemory Oct. 15, 2021, 9:11 a.m.	buffer: base_address: 0x0ae90009 process_identifier: 1196 process_handle: 0x00000380	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Oct. 15, 2021, 9:10 a.m.	thread_identifier: 0 callback_function: 0x008f5a0a hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00ab0000	1	983903	0

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.72ae1ef770482602
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (D)
APEX	Malicious
Sophos	Generic ML PUA (PUA)
Gridinsoft	Trojan.Heur!.03033281
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
VBA32	CIL.HeapOverride.Heur
Malwarebytes	Malware.AI.48986880
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
BitDefenderTheta	Gen:NN.ZemsilF.34218.Qv0@aasMxYn
MaxSecure	Trojan.Malware.300983.susgen

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.53.103.108:13

Executed a process and injected code into it, probably while unpacking (29 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 1196	1	0
NtGetContextThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x00000308 suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 1196	1	0
NtAllocateVirtualMemory Oct. 15, 2021, 9:10 a.m.	process_identifier: 1196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0ae90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x000003bc suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x000003d8 suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x0000045c suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x00000494 suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x000004bc suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x00000574 suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x000005c8 suspend_count: 1 process_identifier: 1196	1	0
NtResumeThread Oct. 15, 2021, 9:10 a.m.	thread_handle: 0x0000050c suspend_count: 1 process_identifier: 1196	1	0
WriteProcessMemory Oct. 15, 2021, 9:10 a.m.	buffer: base_address: 0x0ae90000 process_identifier: 1196 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 15, 2021, 9:10 a.m.	buffer: base_address: 0x0ae90002 process_identifier: 1196 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 15, 2021, 9:10 a.m.	buffer: ¾À»y base_address: 0x0ae90004 process_identifier: 1196 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 15, 2021, 9:10 a.m.	buffer: base_address: 0x0ae90009 process_identifier: 1196 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 15, 2021, 9:11 a.m.	buffer: ¾À»y base_address: 0x0ae90004 process_identifier: 1196 process_handle: 0x00000380	1	1
WriteProcessMemory Oct. 15, 2021, 9:11 a.m.	buffer: base_address: 0x0ae90009 process_identifier: 1196 process_handle: 0x00000380	1	1

VLTKTanthuTN.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All