Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 16, 2021, 1:20 p.m.	Oct. 16, 2021, 1:35 p.m.

Size	337.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`2c2811633faebf78e7bdefb5e8867faf`
SHA256	`0c9257ae6c84763746b188ff4d2dc58d040b32f8ab54e9466137312c8e0cc92b`
CRC32	`CD6A28E3`
ssdeep	`6144:WfDetGGYMkhBA1pCyFam6afSPJ3tusE3yTgGqU8VozKCBfc5fTCm+xzqAq:WfCthzSBWCsamnfSB3tZEEx8VaKCBojv`
PDB Path	C:\Users\Administrator\Desktop\Client\Temp\ZtVKlFZNfY\src\obj\Debug\ISCIIEncodi.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

zoo.exe "C:\Users\test22\AppData\Local\Temp\zoo.exe"
1948
- zoo.exe "C:\Users\test22\AppData\Local\Temp\zoo.exe"
  2256

Name	Response	Post-Analysis Lookup
www.kinglot2499.com	CNAME kinglot2499.com A 34.102.136.180	34.102.136.180
www.discovercotswoldcottages.com	A 91.136.8.131	91.136.8.131
www.ambrandt.com	A 156.234.138.25	156.234.138.25
www.restaurant-utopia.xyz	A 172.67.213.229 A 104.21.35.47	172.67.213.229
www.instatechnovelz.com
www.fis.photos	A 192.0.78.25 A 192.0.78.24 CNAME fis.photos	192.0.78.25
www.narbaal.com	A 198.54.117.218 A 198.54.117.216 A 198.54.117.217 CNAME parkingpage.namecheap.com A 198.54.117.215 A 198.54.117.212 A 198.54.117.210 A 198.54.117.211	198.54.117.212
www.ahljsm.com	A 45.39.212.162	45.39.212.162
www.freekagyans.com	A 46.17.172.173 CNAME freekagyans.com	46.17.172.173
www.gaminghallarna.net	A 194.9.94.86 A 194.9.94.85	194.9.94.86
www.shacksolid.com	A 64.190.62.111	64.190.62.111
www.44mpt.xyz	A 23.225.32.156 A 23.224.235.100 A 23.225.30.43 CNAME www.9tv-cname.com A 104.233.177.157 CNAME 9tv-cname.com	23.225.32.156
www.geniuseven.net

IP Address	Status	Action
156.234.138.25	Active	Moloch
164.124.101.2	Active	Moloch
172.67.213.229	Active	Moloch
192.0.78.25	Active	Moloch
194.9.94.86	Active	Moloch
198.54.117.212	Active	Moloch
23.225.32.156	Active	Moloch
34.102.136.180	Active	Moloch
45.39.212.162	Active	Moloch
46.17.172.173	Active	Moloch
64.190.62.111	Active	Moloch
91.136.8.131	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49167 -> 194.9.94.86:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 194.9.94.86:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 194.9.94.86:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 23.225.32.156:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 23.225.32.156:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 23.225.32.156:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 23.225.32.156:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.102:49173 -> 91.136.8.131:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 91.136.8.131:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 172.67.213.229:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 91.136.8.131:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 172.67.213.229:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 172.67.213.229:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 172.67.213.229:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.102:49171 -> 46.17.172.173:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 46.17.172.173:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 46.17.172.173:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 64.190.62.111:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 64.190.62.111:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 64.190.62.111:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49177 -> 156.234.138.25:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49177 -> 156.234.138.25:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49177 -> 156.234.138.25:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 192.0.78.25:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 192.0.78.25:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 192.0.78.25:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 45.39.212.162:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 45.39.212.162:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 45.39.212.162:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49175 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 198.54.117.212:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 198.54.117.212:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 198.54.117.212:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2021, 1:20 p.m.			0	0
IsDebuggerPresent Oct. 16, 2021, 1:20 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Desktop\Client\Temp\ZtVKlFZNfY\src\obj\Debug\ISCIIEncodi.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2021, 1:20 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (11 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.gaminghallarna.net/ef6c/?FTRPbxU=klh7vGPfywtzHDqBe0mXtw9R4RUvLJCc3Nh/2lv7lW0muO/R44RuNcsYgcRk+/HbCIQeLGan&DxoHR=VDKPcJchZl9tJT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.narbaal.com/ef6c/?FTRPbxU=Qfq1eVj1tbY6wk2fC6TNcABTYUkfKUx3lN3xLkopolv8k3yEzrfjTRmV/Ar6z0XOJR0dF2R8&DxoHR=VDKPcJchZl9tJT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.44mpt.xyz/ef6c/?FTRPbxU=jKy9H8VqZwiUle4gjb+CLEX9fpBCwuv2o754Pr7fJKTzkjLdsKrrwvS2m3F+8CxbXLoYiDn1&DxoHR=VDKPcJchZl9tJT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ahljsm.com/ef6c/?FTRPbxU=IVc4rtgM9gra+fG0jQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1GAK8aa2SvCjoWspa1ZS&DxoHR=VDKPcJchZl9tJT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.freekagyans.com/ef6c/?FTRPbxU=kpxr/bFC7l3rMl6oOTLL9yT8CLcAAaNLZTC+YQJe+DOZzjEQ9TLw2kEJrxZCMv5aVRwmFn5W&DxoHR=VDKPcJchZl9tJT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.shacksolid.com/ef6c/?FTRPbxU=JeohSOzV/eF3b++alSWyFy7AWxQU0a2IMxUYSulMFNSbZpwQl2hdImGcJZ3OYLlpDcL1Ncux&DxoHR=VDKPcJchZl9tJT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.discovercotswoldcottages.com/ef6c/?FTRPbxU=BIDo9GBbq26+tRTULeHAa20kRn4DZ7/ZgIW2IC+7vRIIeELykZIx4inPOl/SIZLSvHjtcUe3&DxoHR=VDKPcJchZl9tJT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.fis.photos/ef6c/?FTRPbxU=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&DxoHR=VDKPcJchZl9tJT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.kinglot2499.com/ef6c/?FTRPbxU=qvbt8KP2xJHnSv2agWrG6RDVV6/Qaw5OSzzUHxaBtBqMEVf61rcn+NRYzRRlOu08cWsbP+g5&DxoHR=VDKPcJchZl9tJT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.restaurant-utopia.xyz/ef6c/?FTRPbxU=QQd8BU9Fy5B/Jf1+m4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N5pbbojH/ir2XBTcopEK&DxoHR=VDKPcJchZl9tJT
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ambrandt.com/ef6c/?FTRPbxU=LpvmmmP8130l+/J4QjVaSApGnUfMJ5/j1z/KRz5qiZs92IprYNoIBOkfulD2ZI4sCy4j1IwA&DxoHR=VDKPcJchZl9tJT

Performs some HTTP requests (11 events)

request	GET http://www.gaminghallarna.net/ef6c/?FTRPbxU=klh7vGPfywtzHDqBe0mXtw9R4RUvLJCc3Nh/2lv7lW0muO/R44RuNcsYgcRk+/HbCIQeLGan&DxoHR=VDKPcJchZl9tJT
request	GET http://www.narbaal.com/ef6c/?FTRPbxU=Qfq1eVj1tbY6wk2fC6TNcABTYUkfKUx3lN3xLkopolv8k3yEzrfjTRmV/Ar6z0XOJR0dF2R8&DxoHR=VDKPcJchZl9tJT
request	GET http://www.44mpt.xyz/ef6c/?FTRPbxU=jKy9H8VqZwiUle4gjb+CLEX9fpBCwuv2o754Pr7fJKTzkjLdsKrrwvS2m3F+8CxbXLoYiDn1&DxoHR=VDKPcJchZl9tJT
request	GET http://www.ahljsm.com/ef6c/?FTRPbxU=IVc4rtgM9gra+fG0jQBU9em9uNea1MXNkTy/UnYOuL+WBS8ayE+K1GAK8aa2SvCjoWspa1ZS&DxoHR=VDKPcJchZl9tJT
request	GET http://www.freekagyans.com/ef6c/?FTRPbxU=kpxr/bFC7l3rMl6oOTLL9yT8CLcAAaNLZTC+YQJe+DOZzjEQ9TLw2kEJrxZCMv5aVRwmFn5W&DxoHR=VDKPcJchZl9tJT
request	GET http://www.shacksolid.com/ef6c/?FTRPbxU=JeohSOzV/eF3b++alSWyFy7AWxQU0a2IMxUYSulMFNSbZpwQl2hdImGcJZ3OYLlpDcL1Ncux&DxoHR=VDKPcJchZl9tJT
request	GET http://www.discovercotswoldcottages.com/ef6c/?FTRPbxU=BIDo9GBbq26+tRTULeHAa20kRn4DZ7/ZgIW2IC+7vRIIeELykZIx4inPOl/SIZLSvHjtcUe3&DxoHR=VDKPcJchZl9tJT
request	GET http://www.fis.photos/ef6c/?FTRPbxU=iVGcxgJZg7dDdqnpGvHyDNlE3XmNDIFvU6VDaZ8nDL6WJmv+1asF/xEbeuA1UUYS6lydoag+&DxoHR=VDKPcJchZl9tJT
request	GET http://www.kinglot2499.com/ef6c/?FTRPbxU=qvbt8KP2xJHnSv2agWrG6RDVV6/Qaw5OSzzUHxaBtBqMEVf61rcn+NRYzRRlOu08cWsbP+g5&DxoHR=VDKPcJchZl9tJT
request	GET http://www.restaurant-utopia.xyz/ef6c/?FTRPbxU=QQd8BU9Fy5B/Jf1+m4pKDxcRFm34j4nz3hSoRKYyqec7FRTFu3B5N5pbbojH/ir2XBTcopEK&DxoHR=VDKPcJchZl9tJT
request	GET http://www.ambrandt.com/ef6c/?FTRPbxU=LpvmmmP8130l+/J4QjVaSApGnUfMJ5/j1z/KRz5qiZs92IprYNoIBOkfulD2ZI4sCy4j1IwA&DxoHR=VDKPcJchZl9tJT

Allocates read-write-execute memory (usually to unpack itself) (27 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00821000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70692000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00822000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00823000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00829000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0082a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0082b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0082c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2021, 1:33 p.m.	process_identifier: 2256 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00053a00', u'virtual_address': u'0x00002000', u'entropy': 7.870548363253952, u'name': u'.text', u'virtual_size': u'0x00053920'}

entropy

7.87054836325

description

A section with a high entropy has been found

entropy

0.992581602374

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 16, 2021, 1:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 2256 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 16, 2021, 1:20 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL,+9Rà \|ÐÓ@@.textìz\| ` base_address: 0x00400000 process_identifier: 2256 process_handle: 0x0000024c	1	1	0
WriteProcessMemory Oct. 16, 2021, 1:20 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2256 process_handle: 0x0000024c	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 16, 2021, 1:20 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL,+9Rà \|ÐÓ@@.textìz\| ` base_address: 0x00400000 process_identifier: 2256 process_handle: 0x0000024c	1	1	0

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Cylance	Unsafe
CrowdStrike	win/malicious_confidence_70% (W)
Cyren	W32/MSIL_Kryptik.FWD.gen!Eldorado
ESET-NOD32	a variant of MSIL/GenKryptik.FMBC
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
McAfee-GW-Edition	Artemis
Sophos	Mal/Generic-S
Ikarus	Trojan-Spy.Keylogger.AgentTesla
Microsoft	Trojan:MSIL/AgentTesla.LBC!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Cynet	Malicious (score: 100)
McAfee	Artemis!2C2811633FAE
Malwarebytes	Trojan.MalPack.ADC
Fortinet	MSIL/GenKryptik.FLEY!tr
MaxSecure	Trojan.Malware.300983.susgen

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1948 called NtSetContextThread to modify thread in remote process 2256
NtSetContextThread Oct. 16, 2021, 1:20 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314064 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000248 process_identifier: 2256	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1948 resumed a thread in remote process 2256
NtResumeThread Oct. 16, 2021, 1:20 p.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2256	1	0	0

Executed a process and injected code into it, probably while unpacking (11 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 16, 2021, 1:20 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1948	1	0
NtResumeThread Oct. 16, 2021, 1:20 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1948	1	0
NtResumeThread Oct. 16, 2021, 1:20 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1948	1	0
CreateProcessInternalW Oct. 16, 2021, 1:20 p.m.	thread_identifier: 2312 thread_handle: 0x00000248 process_identifier: 2256 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\zoo.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\zoo.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000024c	1	1
NtGetContextThread Oct. 16, 2021, 1:20 p.m.	thread_handle: 0x00000248	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 1:20 p.m.	process_identifier: 2256 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	1	0
WriteProcessMemory Oct. 16, 2021, 1:20 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL,+9Rà \|ÐÓ@@.textìz\| ` base_address: 0x00400000 process_identifier: 2256 process_handle: 0x0000024c	1	1
WriteProcessMemory Oct. 16, 2021, 1:20 p.m.	buffer: base_address: 0x00401000 process_identifier: 2256 process_handle: 0x0000024c	1	1
WriteProcessMemory Oct. 16, 2021, 1:20 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2256 process_handle: 0x0000024c	1	1
NtSetContextThread Oct. 16, 2021, 1:20 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314064 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000248 process_identifier: 2256	1	0
NtResumeThread Oct. 16, 2021, 1:20 p.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2256	1	0

zoo.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All