Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 11, 2023, 10:27 a.m.	March 11, 2023, 10:40 a.m.

Size	3.7MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`f9848320841dff02edb5938d0854c4be`
SHA256	`35660ddce41395b431b2b65aab34f142807cb4281e4b0a2e9673301278034ff8`
CRC32	`2598CC4C`
ssdeep	`98304:ZemYRF9KAR+oj+kQf4KnqI8VV4xqxVT9111UoQDKBfcxTgb8pgXD:gCARpj+11MqedFMDTAxXD`
PDB Path	C:\Users\Ð¼Ð°ÑÐ¸Ñ\Desktop\Debug\payload\obj\Debug\payload.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) PE_Header_Zero - PE File Signature

payload.exe "C:\Users\test22\AppData\Local\Temp\payload.exe"
516
- runtime-bind.exe "C:\Users\test22\AppData\Local\Temp\runtime-bind.exe"
  2160
- visual-c++.exe "C:\Users\test22\AppData\Local\Temp\visual-c++.exe"
  2200

Name	Response	Post-Analysis Lookup
pool.hashvault.pro	A 125.253.92.50 A 131.153.76.130	125.253.92.50
anaida.evisyn.lol	A 172.67.149.91 A 104.21.41.183	172.67.149.91

IP Address	Status	Action
172.67.191.103	Active	Moloch
104.21.41.183	Active	Moloch
125.253.92.50	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
TCP 192.168.56.103:49168 -> 104.21.41.183:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49169 125.253.92.50:80	None	None	None
TLS 1.3 192.168.56.103:49167 125.253.92.50:80	None	None	None
TLS 1.3 192.168.56.103:49168 104.21.41.183:443	None	None	None

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 11, 2023, 10:27 a.m.			0	0
IsDebuggerPresent March 11, 2023, 10:27 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Ð¼Ð°ÑÐ¸Ñ\Desktop\Debug\payload\obj\Debug\payload.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 11, 2023, 10:27 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00742000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00875000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0087b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00877000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0085c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0086a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00867000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 11, 2023, 10:27 a.m.	process_identifier: 516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0074c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\runtime-bind.exe
file	C:\Users\test22\AppData\Local\Temp\visual-c++.exe

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\runtime-bind.exe
file	C:\Users\test22\AppData\Local\Temp\visual-c++.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x003bd400', u'virtual_address': u'0x00002000', u'entropy': 7.935517984113838, u'name': u'.text', u'virtual_size': u'0x003bd3b4'}

entropy

7.93551798411

description

A section with a high entropy has been found

entropy

0.998305305697

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

172.67.191.103

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W32.AIDetectNet.01
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Ursu.578704
ClamAV	Win.Malware.Trojanx-9977539-0
FireEye	Generic.mg.f9848320841dff02
ALYac	Gen:Variant.Ursu.578704
Cylance	unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Ursu.578704
Arcabit	Trojan.Ursu.D8D490
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/Kryptik.DQA
APEX	Malicious
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Alibaba	TrojanSpy:Win64/CoinMiner.a3c4dbf0
Avast	Win64:Evo-gen [Trj]
Rising	Stealer.Agent!8.C2 (CLOUD)
DrWeb	Trojan.Siggen20.988
VIPRE	Gen:Variant.Ursu.578704
TrendMicro	TROJ_GEN.R002C0DCA23
McAfee-GW-Edition	GenericRXUX-SL!F9848320841D
Trapmine	malicious.high.ml.score
Sophos	Mal/Generic-S
Ikarus	Trojan.SuspectCRC
Webroot	Trojan.Dropper.Gen
Avira	TR/Dropper.Gen
Microsoft	Trojan:Win64/CoinMiner.DC!MTB
ViRobot	Trojan.Win.Z.Ursu.3928576
GData	MSIL.Malware.Coinminer.69D8CD
Google	Detected
AhnLab-V3	Backdoor/Win.Generic.C5321700
Acronis	suspicious
McAfee	Artemis!F9848320841D
MAX	malware (ai score=81)
Malwarebytes	Trojan.ShellCode
TrendMicro-HouseCall	TROJ_GEN.R002C0DCA23
Tencent	Msil.Trojan-Spy.Stealer.Ddhl
SentinelOne	Static AI - Malicious PE
BitDefenderTheta	Gen:NN.ZemsilF.36308.Vt0@a8imLbp
AVG	Win64:Evo-gen [Trj]
Panda	Trj/CI.A

payload.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All