Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 29, 2021, 9:25 a.m.	Oct. 29, 2021, 9:31 a.m.

Size	431.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`671eb2b7682de507f36f6d57ca812b1c`
SHA256	`13e749d864073bf051c16bdb368742e360916cc771885a735464fe561c34e617`
CRC32	`F13736E8`
ssdeep	`6144:ma1I+EH6Hskle7dL1ZYMCh3H7gM3grd9tfzSHIHGe:1d39exaVcMQh9t8IH`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

out.exe "C:\Users\test22\AppData\Local\Temp\out.exe"
2548
- out.exe "C:\Users\test22\AppData\Local\Temp\out.exe"
  2208

Name	Response	Post-Analysis Lookup
www.lbsp3.xyz
www.karasevda-jor.com	A 151.101.130.199 A 151.101.2.199 A 151.101.66.199 A 151.101.194.199	151.101.130.199
www.lsurpriseremix.com	A 3.64.163.50	3.64.163.50
www.recifetopschoolteacher.com
www.twdesignacreation.com
www.faceandco.clinic	CNAME faceandco.clinic A 34.102.136.180	34.102.136.180
www.godigitalwithpavitra.com	CNAME godigitalwithpavitra.com A 34.102.136.180	34.102.136.180
www.istesdesv.xyz
www.mistikistapp.xyz
www.equityreleaseshelpukweb.com	A 185.53.179.93	185.53.179.93
www.radiesn.store
www.pharmasolutionspr.net	CNAME pharmasolutionspr.net A 34.102.136.180	34.102.136.180
www.darbodrum.com	A 52.58.78.16 CNAME darbodrum.com	52.58.78.16
www.isearchpartner.agency	CNAME isearchpartner.agency A 34.102.136.180	34.102.136.180
www.dellmoor.com	CNAME dellmoor.com A 34.102.136.180	34.102.136.180

IP Address	Status	Action
151.101.130.199	Active	Moloch
164.124.101.2	Active	Moloch
185.53.179.93	Active	Moloch
3.64.163.50	Active	Moloch
34.102.136.180	Active	Moloch
52.58.78.16	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49217 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 185.53.179.93:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 185.53.179.93:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 185.53.179.93:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 52.58.78.16:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 52.58.78.16:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 52.58.78.16:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 151.101.130.199:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 151.101.130.199:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 151.101.130.199:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 3.64.163.50:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 3.64.163.50:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 3.64.163.50:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 29, 2021, 9:25 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (50 out of 239 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:25 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:26 a.m.			0	0
IsDebuggerPresent Oct. 29, 2021, 9:26 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 29, 2021, 9:25 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.lsurpriseremix.com/n8cr/?BRjh4D=XzOg4GGspAuq6nf8uDT5TwmLIGm0ISQBGrPKd4tivxqgqHyPi/4MDIH5AgR9gjZsPv1AGLX4&J46Tz=ARm8z0bxQhIX40p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.darbodrum.com/n8cr/?BRjh4D=T+43WvBYMdJLICdHER7Vh+npS79zyp/w75kxuBQaM8fxzFFFouNajkHoX08VqhRgIXT2st/E&J46Tz=ARm8z0bxQhIX40p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.faceandco.clinic/n8cr/?BRjh4D=7eiQl+3cJ8EV3FktohZSj628IkCH0G7iAPXfALUtCIhKVfVEdi0SOHhTKxXCREJJkmT4WqWE&J46Tz=ARm8z0bxQhIX40p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.equityreleaseshelpukweb.com/n8cr/?BRjh4D=4bZxzaC+6Rb3KtW25UC3MyfmF9MiGl1RBuRXSALb6XsaDdV8S10uPqd/+3Q9Cm1C2PxTwzjc&J46Tz=ARm8z0bxQhIX40p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.karasevda-jor.com/n8cr/?BRjh4D=MV1cGpiVERxA78VXTvcNrqGBP2hCBM0knujjlYmEPbwtbQyeZmTbDe9abbuH3PeuXqIn7oDT&J46Tz=ARm8z0bxQhIX40p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.pharmasolutionspr.net/n8cr/?BRjh4D=9mF32nB4h40OHIxmPLkmpgSq7fKCv9zCP33FwVrabD3b2BPmEGeBbsK70Z8nk6vJRZETbnWE&J46Tz=ARm8z0bxQhIX40p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.dellmoor.com/n8cr/?BRjh4D=gLYniZTjpUciXSr40w1ZcVSpRl6QZNuH0jlBDOVrQhs3iZPl3fuig2I+APRykwKIdII5nmkF&J46Tz=ARm8z0bxQhIX40p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.godigitalwithpavitra.com/n8cr/?BRjh4D=a9TTiAQoSZyTC7GXXz2Ohzovp/Ry6CXzaHOI8WyuEjRkeLOQXnugV1U05qQEj2Q0jUP0bscA&J46Tz=ARm8z0bxQhIX40p0
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.isearchpartner.agency/n8cr/?BRjh4D=dcLZxWQ2Dmoyk8mqq6WD24qjgh46lJJJRLC+7rDi3CpeHO6n9MooORgZ9Lo+BmkGFEyIoRDx&J46Tz=ARm8z0bxQhIX40p0

Performs some HTTP requests (18 events)

request	POST http://www.lsurpriseremix.com/n8cr/
request	GET http://www.lsurpriseremix.com/n8cr/?BRjh4D=XzOg4GGspAuq6nf8uDT5TwmLIGm0ISQBGrPKd4tivxqgqHyPi/4MDIH5AgR9gjZsPv1AGLX4&J46Tz=ARm8z0bxQhIX40p0
request	POST http://www.darbodrum.com/n8cr/
request	GET http://www.darbodrum.com/n8cr/?BRjh4D=T+43WvBYMdJLICdHER7Vh+npS79zyp/w75kxuBQaM8fxzFFFouNajkHoX08VqhRgIXT2st/E&J46Tz=ARm8z0bxQhIX40p0
request	POST http://www.faceandco.clinic/n8cr/
request	GET http://www.faceandco.clinic/n8cr/?BRjh4D=7eiQl+3cJ8EV3FktohZSj628IkCH0G7iAPXfALUtCIhKVfVEdi0SOHhTKxXCREJJkmT4WqWE&J46Tz=ARm8z0bxQhIX40p0
request	POST http://www.equityreleaseshelpukweb.com/n8cr/
request	GET http://www.equityreleaseshelpukweb.com/n8cr/?BRjh4D=4bZxzaC+6Rb3KtW25UC3MyfmF9MiGl1RBuRXSALb6XsaDdV8S10uPqd/+3Q9Cm1C2PxTwzjc&J46Tz=ARm8z0bxQhIX40p0
request	POST http://www.karasevda-jor.com/n8cr/
request	GET http://www.karasevda-jor.com/n8cr/?BRjh4D=MV1cGpiVERxA78VXTvcNrqGBP2hCBM0knujjlYmEPbwtbQyeZmTbDe9abbuH3PeuXqIn7oDT&J46Tz=ARm8z0bxQhIX40p0
request	POST http://www.pharmasolutionspr.net/n8cr/
request	GET http://www.pharmasolutionspr.net/n8cr/?BRjh4D=9mF32nB4h40OHIxmPLkmpgSq7fKCv9zCP33FwVrabD3b2BPmEGeBbsK70Z8nk6vJRZETbnWE&J46Tz=ARm8z0bxQhIX40p0
request	POST http://www.dellmoor.com/n8cr/
request	GET http://www.dellmoor.com/n8cr/?BRjh4D=gLYniZTjpUciXSr40w1ZcVSpRl6QZNuH0jlBDOVrQhs3iZPl3fuig2I+APRykwKIdII5nmkF&J46Tz=ARm8z0bxQhIX40p0
request	POST http://www.godigitalwithpavitra.com/n8cr/
request	GET http://www.godigitalwithpavitra.com/n8cr/?BRjh4D=a9TTiAQoSZyTC7GXXz2Ohzovp/Ry6CXzaHOI8WyuEjRkeLOQXnugV1U05qQEj2Q0jUP0bscA&J46Tz=ARm8z0bxQhIX40p0
request	POST http://www.isearchpartner.agency/n8cr/
request	GET http://www.isearchpartner.agency/n8cr/?BRjh4D=dcLZxWQ2Dmoyk8mqq6WD24qjgh46lJJJRLC+7rDi3CpeHO6n9MooORgZ9Lo+BmkGFEyIoRDx&J46Tz=ARm8z0bxQhIX40p0

Sends data using the HTTP POST Method (9 events)

request	POST http://www.lsurpriseremix.com/n8cr/
request	POST http://www.darbodrum.com/n8cr/
request	POST http://www.faceandco.clinic/n8cr/
request	POST http://www.equityreleaseshelpukweb.com/n8cr/
request	POST http://www.karasevda-jor.com/n8cr/
request	POST http://www.pharmasolutionspr.net/n8cr/
request	POST http://www.dellmoor.com/n8cr/
request	POST http://www.godigitalwithpavitra.com/n8cr/
request	POST http://www.isearchpartner.agency/n8cr/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 64 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00591000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00593000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00599000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00da1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00da7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04270000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04271000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04277000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0427c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0427d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0427e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0427f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

out.exe tried to sleep 296 seconds, actually delayed analysis time by 296 seconds

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 29, 2021, 9:25 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 29, 2021, 9:25 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2208 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL ?à \|Ô@@.text¬{\| ` base_address: 0x00400000 process_identifier: 2208 process_handle: 0x000002b8	1	1	0
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2208 process_handle: 0x000002b8	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL ?à \|Ô@@.text¬{\| ` base_address: 0x00400000 process_identifier: 2208 process_handle: 0x000002b8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 called NtSetContextThread to modify thread in remote process 2208
NtSetContextThread Oct. 29, 2021, 9:25 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314256 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b4 process_identifier: 2208	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 resumed a thread in remote process 2208
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2208	1	0	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.56.101:49208

Executed a process and injected code into it, probably while unpacking (15 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x0000022c suspend_count: 1 process_identifier: 2548	1	0
CreateProcessInternalW Oct. 29, 2021, 9:25 a.m.	thread_identifier: 2384 thread_handle: 0x000002b4 process_identifier: 2208 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\out.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\out.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\out.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b8	1	1
NtGetContextThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x000002b4	1	0
NtAllocateVirtualMemory Oct. 29, 2021, 9:25 a.m.	process_identifier: 2208 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b8	1	0
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPEL ?à \|Ô@@.text¬{\| ` base_address: 0x00400000 process_identifier: 2208 process_handle: 0x000002b8	1	1
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: base_address: 0x00401000 process_identifier: 2208 process_handle: 0x000002b8	1	1
WriteProcessMemory Oct. 29, 2021, 9:25 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2208 process_handle: 0x000002b8	1	1
NtSetContextThread Oct. 29, 2021, 9:25 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4314256 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002b4 process_identifier: 2208	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 2548	1	0
NtResumeThread Oct. 29, 2021, 9:25 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2548	1	0

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen15.32506
MicroWorld-eScan	Trojan.GenericKD.37889028
FireEye	Generic.mg.671eb2b7682de507
ALYac	Trojan.GenericKD.37889028
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Alibaba	Trojan:Win32/Kryptik.ali2000016
Cybereason	malicious.97d6e1
Arcabit	Trojan.Generic.D2422404
BitDefenderTheta	Gen:NN.ZemsilF.34236.Am0@aKAFolpi
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Injector.VRN
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender	Trojan.GenericKD.37889028
Avast	Win32:InjectorX-gen [Trj]
Ad-Aware	Trojan.GenericKD.37889028
Sophos	Mal/Generic-S
Comodo	TrojWare.Win32.Agent.tcxuu@0
TrendMicro	TrojanSpy.MSIL.NOON.USMANJS21
McAfee-GW-Edition	BehavesLike.Win32.Generic.gh
Emsisoft	Trojan.GenericKD.37889028 (B)
Ikarus	Trojan.MSIL.Injector
Avira	TR/Injector.mjgci
MAX	malware (ai score=85)
Kingsoft	Win32.Heur.KVM007.a.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Trojan.GenericKD.37889028
Cynet	Malicious (score: 99)
AhnLab-V3	Trojan/Win.Agent.C4734961
McAfee	RDN/Generic.rp
TrendMicro-HouseCall	TrojanSpy.MSIL.NOON.USMANJS21
Rising	Malware.FakeXLS/ICON!1.6AC3 (CLASSIC)
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	MSIL/VRN!tr
AVG	Win32:InjectorX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (W)

out.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All