Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 17, 2023, 5:22 p.m.	Jan. 17, 2023, 5:24 p.m.

Size	29.1KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`041b031058fedf691096942e9125eb7a`
SHA256	`923dece3727e56390fd3e56305a2e30f0599c6ae7b79877aa2c9823af34fcf9c`
CRC32	`E3F3F769`
ssdeep	`768:3mJCcSycyrsR2vZBZEpYiTPxdFCWRzKYi5FfC3hT6B:3mJCSvvXi7TPxdFa75FfC3hT6B`
PDB Path	C:\Users\Administrator\source\repos\MJnHh\MJnHh\obj\Debug\MJnHh.pdb
Yara	IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

PaymentNotification.pdf.exe "C:\Users\test22\AppData\Local\Temp\PaymentNotification.pdf.exe"
2004

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 182.162.106.33 CNAME a1952.dscq.akamai.net A 182.162.106.19 CNAME identrust.edgesuite.net	23.59.151.243
hirosguide.hu	A 91.227.138.48	91.227.138.48

IP Address	Status	Action
164.124.101.2	Active	Moloch
182.162.106.33	Active	Moloch
91.227.138.48	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 91.227.138.48:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49162 91.227.138.48:443	C=US, O=Let's Encrypt, CN=R3	CN=hirosguide.hu	57:05:44:b3:33:18:ee:7b:c1:e1:97:2a:3a:78:54:7e:99:93:09:20

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Jan. 17, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Jan. 17, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 17, 2023, 9:40 a.m.			0	0
IsDebuggerPresent Jan. 17, 2023, 9:40 a.m.			0	0
IsDebuggerPresent Jan. 17, 2023, 9:40 a.m.			0	0
IsDebuggerPresent Jan. 17, 2023, 9:40 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\source\repos\MJnHh\MJnHh\obj\Debug\MJnHh.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 17, 2023, 9:40 a.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02330000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 17, 2023, 9:40 a.m.	process_identifier: 2004 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 17, 2023, 9:40 a.m.	flags: 15 family: 0		111	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

MicroWorld-eScan	Trojan.GenericKD.65018986
FireEye	Generic.mg.041b031058fedf69
McAfee	Artemis!041B031058FE
Cylance	Unsafe
K7AntiVirus	Trojan-Downloader ( 0058226a1 )
Alibaba	Trojan:MSIL/Generic.8aa3f8bc
Cybereason	malicious.4446bb
Arcabit	Trojan.Generic.D3E01C6A
Symantec	MSIL.Downloader!gen9
ESET-NOD32	a variant of MSIL/TrojanDownloader.Small.COB
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
BitDefender	Trojan.GenericKD.65018986
Avast	Win32:RATX-gen [Trj]
Emsisoft	Trojan.GenericKD.65018986 (B)
DrWeb	Trojan.DownLoader45.36951
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.Gen
Antiy-AVL	Trojan[Downloader]/MSIL.Small
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Remcos.bot
Xcitium	Malware@#36b7ippf54dxe
Microsoft	Trojan:Win32/Leonem
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Seraph.gen
GData	Win32.Trojan.Agent.3SVYAO
Google	Detected
AhnLab-V3	Trojan/Win.MSIL.C4539603
MAX	malware (ai score=81)
Malwarebytes	Trojan.MalPack.MSIL
TrendMicro-HouseCall	TROJ_GEN.R002H0DAG23
Rising	Downloader.Small!8.B41 (CLOUD)
Yandex	Trojan.Igent.bZry2H.2
Ikarus	Trojan-Downloader.MSIL.Tiny
Fortinet	MSIL/Agent.NWG!tr.dldr
AVG	Win32:RATX-gen [Trj]
Panda	Trj/Chgt.AD

PaymentNotification.pdf.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All