popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

HFMN,N,JGHJH.exe

AntiVM PE32 AntiDebug PE File .NET EXE
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 28, 2022, 4:58 p.m. Oct. 28, 2022, 5:10 p.m.
Size 309.3KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 d52446f23b3f32482c2f9463e73a2e9c
SHA256 610749802e2c335b72c844844035cfd854c49b7ea5b5e8a85ef8cfc3f629377d
CRC32 1875D11A
ssdeep 6144:R9rYyi79ovwAHeGnc4arpBcrNGALDxq9IMO+a7WrT2hEGpoJ8Ln:RdIOvw8HezcBGAROIdZquTpN
PDB Path C:\Users\Administrator\Documents\CryptoObfuscator_Output\HFMN,N,JGHJH.pdb
Yara
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49181 -> 208.91.197.27:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 208.91.197.27:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 208.91.197.27:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 103.28.36.200:80 2032986 ET INFO HTTP Request to a *.asia domain Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 103.28.36.200:80 2032986 ET INFO HTTP Request to a *.asia domain Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 103.28.36.200:80 2032986 ET INFO HTTP Request to a *.asia domain Potentially Bad Traffic
TCP 192.168.56.101:49182 -> 103.28.36.200:80 2032986 ET INFO HTTP Request to a *.asia domain Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 104.247.161.194:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 185.180.199.136:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 104.247.161.194:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 185.180.199.136:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 104.247.161.194:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 185.180.199.136:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 152.89.236.110:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 152.89.236.110:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 152.89.236.110:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 63.250.44.241:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 63.250.44.241:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 63.250.44.241:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 72.167.68.137:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 72.167.68.137:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 72.167.68.137:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 103.28.36.200:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 103.28.36.200:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 103.28.36.200:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 103.28.36.200:80 2032986 ET INFO HTTP Request to a *.asia domain Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 35.214.196.81:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 35.214.196.81:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 35.214.196.81:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 35.190.62.175:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 35.190.62.175:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 35.190.62.175:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0079b0f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0079b0f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
pdb_path C:\Users\Administrator\Documents\CryptoObfuscator_Output\HFMN,N,JGHJH.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72951194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72822ba1
mscorlib+0x32d277 @ 0x71b0d277
mscorlib+0x32d233 @ 0x71b0d233
mscorlib+0x32d12a @ 0x71b0d12a
0x4f01ae
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7415f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741d7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741d4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 4321240
registers.edi: 0
registers.eax: 4321240
registers.ebp: 4321320
registers.edx: 0
registers.ebx: 8256016
registers.esi: 8029976
registers.ecx: 917675927
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET http://www.loovalue.best/ehib/?wP9=RycohF4F6oG+gMUGC54V6/u8ENwlqc6M56KiVL3mQwFho8ThhIYV5JUKmFTGFVRoprvq3QsRl+Y7WaLHzElPoT9m8NcpZfu2nXpbJYs=&lZQ=7nbHudZPJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.voltagemarkets.com/ehib/?wP9=XJpTmlLi75mbesb6UMM709BMF4uB3tA26VeV0lE7KXzGe592FYcu9Z4nzQqkQBXdql5WG1sgCQuimp5bg3aF5HfZK6rARIqxckrn9zE=&lZQ=7nbHudZPJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.markasch.info/ehib/?wP9=g1Fhxv0LjrAYf/5tD7RYP/NJ9dzU/hsnkyTjxx+OO1oDl/521sMsdmGCgXkYvgDBgT7bhJQ6LjbYMY49wNTJuQF0p6lMJMaLjfDDUBw=&lZQ=7nbHudZPJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.e-lists.live/ehib/?wP9=zCnh2pwYjwTnHjHRvt/xYecBL0syfpl9qYRvxvvPfQ5o4nyhC1RahtSA0piBVGNLE4YTFq/w2UbXST9jywIgvtJSOuj4IhQbA+6LlVg=&lZQ=7nbHudZPJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.ortaklarpetshop.com/ehib/?wP9=Hh5HXXKwt0YubAZdSLpclkjlMLkqkG6dO9N2tjGaevHhyH5nXu/MYgPz83LKE0UAC/CHmEdAz94SpQnrCUmYZ+fPOnZs5c0lH9qebN4=&lZQ=7nbHudZPJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.kongjian666.vip/ehib/?wP9=EGBXbKIab5YOU/V9/BufR3qH771T8wM/sUCcyaxVFwsi26+Hq4LI8Ocu47lfwy04MSIb2vW+Rf3GwyUKqu4diU99hVzqma+UC+obGvA=&lZQ=7nbHudZPJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.rufrufsports.com/ehib/?wP9=zdFT4tuQ5YyrzftWQUVlaQe/fgkbQ+VJNQUs/x3rQTxasad4oZ0LmUlI08FAZ/n4+LvWqS7kZ4lsU/EJqvo4vcJIzSdnQAYzadnado4=&lZQ=7nbHudZPJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.akssbci.org/ehib/?wP9=THbiExPBObb3BT0tV1vyVOsW1kcYooexWq0IanMH3HjZ6WK0/dCyj/wkkpPahFBbtvE8TtEVfSa/kQmulJOZfrTVnUMiafggIo7B9Aw=&lZQ=7nbHudZPJ
suspicious_features GET method with no useragent header suspicious_request GET http://www.tuvi.asia/ehib/?wP9=vDy28c4A8yAPWILIwETUBA8z4sSN+xPOf98zzSHrFftS0HVhLhVW05NgRwAUMsFJmtYUq5pwW+jkvdeGPEtln/T+SXrsR6l7/O/LehQ=&lZQ=7nbHudZPJ
request GET http://www.loovalue.best/ehib/?wP9=RycohF4F6oG+gMUGC54V6/u8ENwlqc6M56KiVL3mQwFho8ThhIYV5JUKmFTGFVRoprvq3QsRl+Y7WaLHzElPoT9m8NcpZfu2nXpbJYs=&lZQ=7nbHudZPJ
request GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3110000.zip
request POST http://www.voltagemarkets.com/ehib/
request GET http://www.voltagemarkets.com/ehib/?wP9=XJpTmlLi75mbesb6UMM709BMF4uB3tA26VeV0lE7KXzGe592FYcu9Z4nzQqkQBXdql5WG1sgCQuimp5bg3aF5HfZK6rARIqxckrn9zE=&lZQ=7nbHudZPJ
request POST http://www.markasch.info/ehib/
request GET http://www.markasch.info/ehib/?wP9=g1Fhxv0LjrAYf/5tD7RYP/NJ9dzU/hsnkyTjxx+OO1oDl/521sMsdmGCgXkYvgDBgT7bhJQ6LjbYMY49wNTJuQF0p6lMJMaLjfDDUBw=&lZQ=7nbHudZPJ
request POST http://www.e-lists.live/ehib/
request GET http://www.e-lists.live/ehib/?wP9=zCnh2pwYjwTnHjHRvt/xYecBL0syfpl9qYRvxvvPfQ5o4nyhC1RahtSA0piBVGNLE4YTFq/w2UbXST9jywIgvtJSOuj4IhQbA+6LlVg=&lZQ=7nbHudZPJ
request POST http://www.ortaklarpetshop.com/ehib/
request GET http://www.ortaklarpetshop.com/ehib/?wP9=Hh5HXXKwt0YubAZdSLpclkjlMLkqkG6dO9N2tjGaevHhyH5nXu/MYgPz83LKE0UAC/CHmEdAz94SpQnrCUmYZ+fPOnZs5c0lH9qebN4=&lZQ=7nbHudZPJ
request POST http://www.kongjian666.vip/ehib/
request GET http://www.kongjian666.vip/ehib/?wP9=EGBXbKIab5YOU/V9/BufR3qH771T8wM/sUCcyaxVFwsi26+Hq4LI8Ocu47lfwy04MSIb2vW+Rf3GwyUKqu4diU99hVzqma+UC+obGvA=&lZQ=7nbHudZPJ
request POST http://www.rufrufsports.com/ehib/
request GET http://www.rufrufsports.com/ehib/?wP9=zdFT4tuQ5YyrzftWQUVlaQe/fgkbQ+VJNQUs/x3rQTxasad4oZ0LmUlI08FAZ/n4+LvWqS7kZ4lsU/EJqvo4vcJIzSdnQAYzadnado4=&lZQ=7nbHudZPJ
request POST http://www.akssbci.org/ehib/
request GET http://www.akssbci.org/ehib/?wP9=THbiExPBObb3BT0tV1vyVOsW1kcYooexWq0IanMH3HjZ6WK0/dCyj/wkkpPahFBbtvE8TtEVfSa/kQmulJOZfrTVnUMiafggIo7B9Aw=&lZQ=7nbHudZPJ
request POST http://www.tuvi.asia/ehib/
request GET http://www.tuvi.asia/ehib/?wP9=vDy28c4A8yAPWILIwETUBA8z4sSN+xPOf98zzSHrFftS0HVhLhVW05NgRwAUMsFJmtYUq5pwW+jkvdeGPEtln/T+SXrsR6l7/O/LehQ=&lZQ=7nbHudZPJ
request POST http://www.voltagemarkets.com/ehib/
request POST http://www.markasch.info/ehib/
request POST http://www.e-lists.live/ehib/
request POST http://www.ortaklarpetshop.com/ehib/
request POST http://www.kongjian666.vip/ehib/
request POST http://www.rufrufsports.com/ehib/
request POST http://www.akssbci.org/ehib/
request POST http://www.tuvi.asia/ehib/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00420000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00510000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 2031616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02350000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00425000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0042b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00427000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0030c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00316000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0031a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00317000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0030a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004f3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004f4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004f6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x00043200', u'virtual_address': u'0x00002000', u'entropy': 7.984354202411505, u'name': u'.text', u'virtual_size': u'0x000430ac'} entropy 7.98435420241 description A section with a high entropy has been found
section {u'size_of_data': u'0x00008200', u'virtual_address': u'0x00048000', u'entropy': 6.825473820631513, u'name': u'.rsrc', u'virtual_size': u'0x0000819c'} entropy 6.82547382063 description A section with a high entropy has been found
entropy 0.998341625207 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000021c
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $±lÁõ}’õ}’õ}’һ͒ö}’һϒô}’һΒô}’Richõ}’PELoNà  Ò°ð@ð@.text8ÑÒ `
base_address: 0x00400000
process_identifier: 2656
process_handle: 0x0000021c
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2656
process_handle: 0x0000021c
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $±lÁõ}’õ}’õ}’һ͒ö}’һϒô}’һΒô}’Richõ}’PELoNà  Ò°ð@ð@.text8ÑÒ `
base_address: 0x00400000
process_identifier: 2656
process_handle: 0x0000021c
1 1 0
Process injection Process 2548 called NtSetContextThread to modify thread in remote process 2656
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4199088
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000220
process_identifier: 2656
1 0 0
Process injection Process 2548 resumed a thread in remote process 2656
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000220
suspend_count: 1
process_identifier: 2656
1 0 0
dead_host 91.205.173.118:80
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

 thread_handle: 0x00000154
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

 thread_handle: 0x00000190
suspend_count: 1
process_identifier: 2548
1 0 0

NtResumeThread

 thread_handle: 0x00000218
suspend_count: 1
process_identifier: 2548
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtSetContextThread

 registers.eip: 1921133444
registers.esp: 4321448
registers.edi: 55599902
registers.eax: 25
registers.ebp: 4321464
registers.edx: 112
registers.ebx: 60210720
registers.esi: 59783006
registers.ecx: 66926003
thread_handle: 0x000000e8
process_identifier: 2548
1 0 0

NtResumeThread

 thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2548
1 0 0

CreateProcessInternalW

 thread_identifier: 2660
thread_handle: 0x00000220
process_identifier: 2656
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
track: 1
command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000021c
1 1 0

NtGetContextThread

 thread_handle: 0x00000220
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000021c
1 0 0

WriteProcessMemory

 buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $±lÁõ}’õ}’õ}’һ͒ö}’һϒô}’һΒô}’Richõ}’PELoNà  Ò°ð@ð@.text8ÑÒ `
base_address: 0x00400000
process_identifier: 2656
process_handle: 0x0000021c
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2656
process_handle: 0x0000021c
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2656
process_handle: 0x0000021c
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4199088
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000220
process_identifier: 2656
1 0 0

NtResumeThread

 thread_handle: 0x00000220
suspend_count: 1
process_identifier: 2656
1 0 0
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Generic.31870981
FireEye Generic.mg.d52446f23b3f3248
McAfee Artemis!D52446F23B3F
Cylance Unsafe
VIPRE Trojan.Generic.31870981
Sangfor Trojan.Win32.Kryptik.Vj4x
CrowdStrike win/malicious_confidence_70% (W)
Alibaba Trojan:MSIL/Kryptik.e2440328
K7GW Trojan ( 005944cf1 )
K7AntiVirus Trojan ( 005944cf1 )
Cyren W32/ABRisk.THRI-0852
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik.AFAK
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Trojan.Generic.31870981
Avast Win32:CrypterX-gen [Trj]
Tencent Win32.Trojan.FalseSign.Ngil
Ad-Aware Trojan.Generic.31870981
DrWeb Trojan.DownloaderNET.345
McAfee-GW-Edition Artemis!Trojan
Sophos Mal/Generic-S
Ikarus Backdoor.MSIL.Androm
Webroot W32.Trojan.Gen
Avira TR/AD.Swotter.wrddk
MAX malware (ai score=85)
Antiy-AVL Trojan/Generic.ASMalwS.3E3F
Microsoft TrojanSpy:Win32/Swotter.A!bit
GData Trojan.Generic.31870981
Google Detected
VBA32 OScope.Trojan.MSIL.Crypt.s1
ALYac Trojan.Generic.31870981
TrendMicro-HouseCall TROJ_GEN.R002H0DJI22
Rising Spyware.Swotter!8.13271 (CLOUD)
Fortinet MSIL/GenKryptik.GBFE!tr
AVG Win32:CrypterX-gen [Trj]
Cybereason malicious.e91618
Panda Trj/GdSda.A