Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 20, 2022, 5:30 p.m.	May 20, 2022, 5:32 p.m.

Size	659.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`a976de15c5149e328122fba6ca13a0b7`
SHA256	`2e2143c83b9fc796a895f54f602789ae3bf706bcc38c753339665678f930c226`
CRC32	`59461FC5`
ssdeep	`12288:am02LQzEPZmRQK4WR5ArNNoyQkR5oO5spQrCYgrGeTNXWoT9OS:ajArNWphSeRWIA`
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

PAGO111.exe "C:\Users\test22\AppData\Local\Temp\PAGO111.exe"
2312
- PAGO111.exe "C:\Users\test22\AppData\Local\Temp\PAGO111.exe"
  2660

Name	Response	Post-Analysis Lookup
www.continue-notice.com	A 18.118.148.24	18.118.148.24
www.mazakoba.com	CNAME gcdn0.wixdns.net A 34.117.168.233 CNAME td-ccm-168-233.wixdns.net	34.117.168.233
www.dorriswalkertaylor.com
www.uniquepropertyfunding.com
www.sulstore.site	A 83.220.172.127	83.220.172.127
www.2tx2v4y2jdqfv.xyz
www.fa88play.vin	A 172.67.176.233 A 104.21.67.134	172.67.176.233
www.katoenlombok.com	A 156.67.215.156 CNAME katoenlombok.com	156.67.215.156
www.janitorialcleaningsolutions.com
www.936699.com	A 104.143.9.110 A 104.143.9.111	104.143.9.111
www.bittel.group
www.natureshopy.com	A 208.91.197.91	208.91.197.91

IP Address	Status	Action
104.143.9.111	Active	Moloch
104.21.67.134	Active	Moloch
156.67.215.156	Active	Moloch
164.124.101.2	Active	Moloch
18.118.148.24	Active	Moloch
208.91.197.91	Active	Moloch
34.117.168.233	Active	Moloch
83.220.172.127	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 83.220.172.127:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 83.220.172.127:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 83.220.172.127:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 156.67.215.156:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 156.67.215.156:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 156.67.215.156:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 18.118.148.24:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 18.118.148.24:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 18.118.148.24:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 104.21.67.134:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 104.21.67.134:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 104.21.67.134:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 208.91.197.91:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 208.91.197.91:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 208.91.197.91:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 34.117.168.233:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 34.117.168.233:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 34.117.168.233:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 104.143.9.111:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 104.143.9.111:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 104.143.9.111:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 20, 2022, 5:30 p.m.			0	0
IsDebuggerPresent May 20, 2022, 5:30 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 20, 2022, 5:30 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	X3qO+\x134\x1f
section

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.sulstore.site/cshi/?x48hFDZp=JIZsEJjePCAMhM8ivwO8s3qLETFUliUhOQxal3M1f84+b2i9pVDcsxugm+X6cP8073PhO6mc&CR=Cr-8QJE
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.936699.com/cshi/?x48hFDZp=3DIaoCeg6YT8U97L8oAeQfYWUz18VtEIcPrxCYjzzMzfdM1oYDAPe69e2pg1YFa08AAoZY3N&CR=Cr-8QJE
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.mazakoba.com/cshi/?x48hFDZp=cDdEA/qLa2dhuLMAjy+Hol7M+Nf9rDepx1Cg79NFiLj5JoV3rfmQYm1mrBinP6hBC9O8/6wa&CR=Cr-8QJE
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.fa88play.vin/cshi/?x48hFDZp=lQaKgKWSyDpq88zOCo78hT6GeVAw9ljx0eapgKG38ITut3Szr6vGeAAQp2SpxjISA8RxI3xg&CR=Cr-8QJE
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.continue-notice.com/cshi/?x48hFDZp=5a6D6NXd/9qeL4hynmMFZU7GVq4qrv8D5mc6xRChA8gCyV2qJQZHlNxCRjQ2YBhVZUBYspIB&CR=Cr-8QJE
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.natureshopy.com/cshi/?x48hFDZp=sWUOFzCIq5SBasuk4aR/YkEJNryH9KaStLMe1mitJK0+zfmzzLke3nsrzWekoFtMB/Xqltld&CR=Cr-8QJE
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.katoenlombok.com/cshi/?x48hFDZp=d1RJKdX/n4WPF+gaj5wl2UCnzczpg8YczlMyZdEMCzExmtPC7J9MlwFS9xPaDp8oAIwdr/uX&CR=Cr-8QJE

Performs some HTTP requests (7 events)

request	GET http://www.sulstore.site/cshi/?x48hFDZp=JIZsEJjePCAMhM8ivwO8s3qLETFUliUhOQxal3M1f84+b2i9pVDcsxugm+X6cP8073PhO6mc&CR=Cr-8QJE
request	GET http://www.936699.com/cshi/?x48hFDZp=3DIaoCeg6YT8U97L8oAeQfYWUz18VtEIcPrxCYjzzMzfdM1oYDAPe69e2pg1YFa08AAoZY3N&CR=Cr-8QJE
request	GET http://www.mazakoba.com/cshi/?x48hFDZp=cDdEA/qLa2dhuLMAjy+Hol7M+Nf9rDepx1Cg79NFiLj5JoV3rfmQYm1mrBinP6hBC9O8/6wa&CR=Cr-8QJE
request	GET http://www.fa88play.vin/cshi/?x48hFDZp=lQaKgKWSyDpq88zOCo78hT6GeVAw9ljx0eapgKG38ITut3Szr6vGeAAQp2SpxjISA8RxI3xg&CR=Cr-8QJE
request	GET http://www.continue-notice.com/cshi/?x48hFDZp=5a6D6NXd/9qeL4hynmMFZU7GVq4qrv8D5mc6xRChA8gCyV2qJQZHlNxCRjQ2YBhVZUBYspIB&CR=Cr-8QJE
request	GET http://www.natureshopy.com/cshi/?x48hFDZp=sWUOFzCIq5SBasuk4aR/YkEJNryH9KaStLMe1mitJK0+zfmzzLke3nsrzWekoFtMB/Xqltld&CR=Cr-8QJE
request	GET http://www.katoenlombok.com/cshi/?x48hFDZp=d1RJKdX/n4WPF+gaj5wl2UCnzczpg8YczlMyZdEMCzExmtPC7J9MlwFS9xPaDp8oAIwdr/uX&CR=Cr-8QJE

Allocates read-write-execute memory (usually to unpack itself) (40 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02180000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00352000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0036c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0035a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 57344 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0036a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0036d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0036e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0036f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02491000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a68000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a69000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2660 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0000de00', u'virtual_address': u'0x00002000', u'entropy': 7.996695918349121, u'name': u'X3qO+\\x134\\x1f', u'virtual_size': u'0x0000dca8'}

entropy

7.99669591835

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00096200', u'virtual_address': u'0x00010000', u'entropy': 7.946121794644042, u'name': u'.text', u'virtual_size': u'0x00096100'}

entropy

7.94612179464

description

A section with a high entropy has been found

entropy

0.996203492787

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 20, 2022, 5:30 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 20, 2022, 5:30 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Used Formbook[m]	rule	Win_Trojan_Formbook_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2660 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000070f0	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 20, 2022, 5:30 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $v¨&YÆuYÆuYÆuBmuÆuBXuZÆuB[uXÆuRichYÆuPEL¿È Tà Pó°@°@.text ` base_address: 0x00400000 process_identifier: 2660 process_handle: 0x000070f0	1	1	0
WriteProcessMemory May 20, 2022, 5:30 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2660 process_handle: 0x000070f0	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 20, 2022, 5:30 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $v¨&YÆuYÆuYÆuBmuÆuBXuZÆuB[uXÆuRichYÆuPEL¿È Tà Pó°@°@.text ` base_address: 0x00400000 process_identifier: 2660 process_handle: 0x000070f0	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2312 called NtSetContextThread to modify thread in remote process 2660
NtSetContextThread May 20, 2022, 5:30 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4322128 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000208 process_identifier: 2660	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2312 resumed a thread in remote process 2660
NtResumeThread May 20, 2022, 5:30 p.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2660	1	0	0

Generates some ICMP traffic

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Bkav	W32.AIDetectNet.01
tehtris	Generic.Malware
FireEye	Generic.mg.a976de15c5149e32
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.1eef36
Cyren	W32/MSIL_Agent.DGE.gen!Eldorado
Symantec	Scr.Malcode!gdn30
Elastic	malicious (high confidence)
APEX	Malicious
Paloalto	generic.ml
Avast	Win32:PWSX-gen [Trj]
F-Secure	Heuristic.HEUR/AGEN.1247869
McAfee-GW-Edition	BehavesLike.Win32.Packed.jc
Sophos	ML/PE-A
Ikarus	Trojan-Spy.Keylogger.AgentTesla
Avira	HEUR/AGEN.1247869
Gridinsoft	Trojan.Heur!.03013281
BitDefenderTheta	Gen:NN.ZemsilF.34682.Pu0@amciF6o
VBA32	CIL.StupidPInvoker-1.Heur
Zoner	Probably Heur.ExeHeaderL
SentinelOne	Static AI - Malicious PE
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Executed a process and injected code into it, probably while unpacking (11 events)

Time & API	Arguments	Status	Return
NtResumeThread May 20, 2022, 5:30 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2312	1	0
NtResumeThread May 20, 2022, 5:30 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2312	1	0
NtResumeThread May 20, 2022, 5:30 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2312	1	0
CreateProcessInternalW May 20, 2022, 5:30 p.m.	thread_identifier: 2664 thread_handle: 0x00000208 process_identifier: 2660 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\PAGO111.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\PAGO111.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000070f0	1	1
NtGetContextThread May 20, 2022, 5:30 p.m.	thread_handle: 0x00000208	1	0
NtAllocateVirtualMemory May 20, 2022, 5:30 p.m.	process_identifier: 2660 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000070f0	1	0
WriteProcessMemory May 20, 2022, 5:30 p.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $v¨&YÆuYÆuYÆuBmuÆuBXuZÆuB[uXÆuRichYÆuPEL¿È Tà Pó°@°@.text ` base_address: 0x00400000 process_identifier: 2660 process_handle: 0x000070f0	1	1
WriteProcessMemory May 20, 2022, 5:30 p.m.	buffer: base_address: 0x00401000 process_identifier: 2660 process_handle: 0x000070f0	1	1
WriteProcessMemory May 20, 2022, 5:30 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2660 process_handle: 0x000070f0	1	1
NtSetContextThread May 20, 2022, 5:30 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4322128 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000208 process_identifier: 2660	1	0
NtResumeThread May 20, 2022, 5:30 p.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2660	1	0

PAGO111.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All