Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 20, 2022, 1:13 p.m.	May 20, 2022, 1:47 p.m.

Size	65.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`24ec18a30815496490d2054419b1980b`
SHA256	`25abc50481a70558b986a1bd5ebe4c5cf43a741f10465713c066ebf309b730c4`
CRC32	`8A90738B`
ssdeep	`1536:AQ4o6RXsNKduDUaQl+kzdC9GiZQWSwi/fUpS/fX/MNe:drQduis1Jy///f/M4`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

noo.exe "C:\Users\test22\AppData\Local\Temp\noo.exe"
2768

Name	Response	Post-Analysis Lookup
example.com	A 93.184.216.34	93.184.216.34

IP Address	Status	Action
164.124.101.2	Active	Moloch
93.184.216.34	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 93.184.216.34:80	2030384	ET HUNTING Suspicious Terse Request for .bmp	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 20, 2022, 1:13 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 20, 2022, 1:13 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 20, 2022, 1:13 p.m.			0	0
IsDebuggerPresent May 20, 2022, 1:13 p.m.			0	0
IsDebuggerPresent May 20, 2022, 1:13 p.m.			0	0
IsDebuggerPresent May 20, 2022, 1:13 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 20, 2022, 1:13 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://example.com/Nzzgmmjy_Shkxumyu.bmp

Performs some HTTP requests (1 event)

request

GET http://example.com/Nzzgmmjy_Shkxumyu.bmp

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 1:13 p.m.	process_identifier: 2768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 20, 2022, 1:13 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000de00', u'virtual_address': u'0x00006000', u'entropy': 7.267175958693125, u'name': u'.rsrc', u'virtual_size': u'0x0000dc5e'}

entropy

7.26717595869

description

A section with a high entropy has been found

entropy

0.853846153846

description

Overall entropy of this PE file is high

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectNet.01
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.49029941
FireEye	Generic.mg.24ec18a308154964
ALYac	Trojan.GenericKD.49029941
Cylance	Unsafe
Sangfor	Trojan.MSIL.Seraph.gen
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:MSIL/GenKryptik.d293e856
Arcabit	Trojan.Generic.D2EC2335
BitDefenderTheta	Gen:NN.ZemsilF.34682.em0@aeMh5uk
Cyren	W32/MSIL_Kryptik.GMZ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.FUQO
TrendMicro-HouseCall	TROJ_GEN.R002H0CEG22
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender	Trojan.GenericKD.49029941
Avast	Win32:DropperX-gen [Drp]
Ad-Aware	Trojan.GenericKD.49029941
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Kryptik.uvets
McAfee-GW-Edition	RDN/Generic Dropper
SentinelOne	Static AI - Suspicious PE
Emsisoft	Trojan.GenericKD.49029941 (B)
Ikarus	Trojan.MSIL.Inject
Avira	TR/Kryptik.uvets
Antiy-AVL	Trojan[Downloader]/MSIL.Seraph
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Seraph.gen
GData	Trojan.GenericKD.49029941
Cynet	Malicious (score: 100)
McAfee	RDN/Generic Dropper
Malwarebytes	Trojan.Downloader
APEX	Malicious
MAX	malware (ai score=82)
Fortinet	MSIL/GenKryptik.FUQO!tr
AVG	Win32:DropperX-gen [Drp]
Cybereason	malicious.bf6122

noo.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All