Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 30, 2023, 4:35 p.m.	May 30, 2023, 4:37 p.m.

Size	711.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`c72b6d0fa5da7249b6ddffe1b3d83363`
SHA256	`a662463b94dc39ece0f3b0d885772475a475b8e1cb347e0909087ced1f54e552`
CRC32	`817D1D8B`
ssdeep	`12288:6BOJA0xPmangAfwVUYArnfndGKCXlbgNe6s/buvjwbuHSd9:6t0xua1fwVrEdGKC27s/4syS`
Yara	Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Win_Trojan_Formbook_Zero - Used Formbook Is_DotNET_EXE - (no description) anti_vm_detect - Possibly employs anti-virtualization techniques hide_executable_file - Hide executable file PE_Header_Zero - PE File Signature IsPE32 - (no description)

QT367001.exe "C:\Users\test22\AppData\Local\Temp\QT367001.exe"
3048
- QT367001.exe "C:\Users\test22\AppData\Local\Temp\QT367001.exe"
  1604

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.246.220.85	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49167 -> 185.246.220.85:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49167 -> 185.246.220.85:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49165 -> 185.246.220.85:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49165 -> 185.246.220.85:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 185.246.220.85:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.102:49165 -> 185.246.220.85:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.102:49168 -> 185.246.220.85:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.102:49168 -> 185.246.220.85:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 185.246.220.85:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameA May 30, 2023, 4:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 30, 2023, 4:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 30, 2023, 4:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 30, 2023, 4:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 30, 2023, 4:36 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 30, 2023, 4:35 p.m.			0	0
IsDebuggerPresent May 30, 2023, 4:35 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 30, 2023, 4:35 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 30, 2023, 4:36 p.m.	stacktrace: qt367001+0x12fdd @ 0x412fdd qt367001+0x1296e @ 0x41296e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8a 0a 88 0c 17 42 4e 75 f7 5f 5e 5d c3 55 8b ec exception.symbol: qt367001+0x2b41 exception.instruction: mov cl, byte ptr [edx] exception.module: QT367001.exe exception.exception_code: 0xc0000005 exception.offset: 11073 exception.address: 0x402b41 registers.esp: 51837384 registers.edi: 41057663 registers.eax: 51839008 registers.ebp: 51837392 registers.edx: 10805248 registers.ebx: 51839008 registers.esi: 222170894 registers.ecx: 0	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, HTTP version 1.0 used, Connection to IP address

suspicious_request

POST http://185.246.220.85/seth1/five/fre.php

Performs some HTTP requests (1 event)

request

POST http://185.246.220.85/seth1/five/fre.php

Sends data using the HTTP POST Method (1 event)

request

POST http://185.246.220.85/seth1/five/fre.php

Allocates read-write-execute memory (usually to unpack itself) (47 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x709f2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:35 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x047cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x047c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006cf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a9f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x047c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 3048 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05a78000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW May 30, 2023, 4:36 p.m.	number_of_free_clusters: 2226946 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceW May 30, 2023, 4:36 p.m.	number_of_free_clusters: 2226946 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1	0

Steals private information from local Internet browsers (19 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file	C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file	C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW May 30, 2023, 4:36 p.m.	newfilepath_r: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe flags: 1 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\qt367001.exe newfilepath: C:\Users\test22\AppData\Roaming\41D896\6D6F4D.exe oldfilepath: C:\Users\test22\AppData\Local\Temp\QT367001.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000b1000', u'virtual_address': u'0x00002000', u'entropy': 7.269560678710655, u'name': u'.text', u'virtual_size': u'0x000b0fc0'}

entropy

7.26956067871

description

A section with a high entropy has been found

entropy

0.996481351161

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 30, 2023, 4:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 30, 2023, 4:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.ibsensoftware.com/

Yara rule detected in process memory (13 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Win32 PWS Loki	rule	Win32_PWS_Loki_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess May 30, 2023, 4:36 p.m.	status_code: 0xffffffff process_identifier: 1624 process_handle: 0x00000278		0	0
NtTerminateProcess May 30, 2023, 4:36 p.m.	status_code: 0xffffffff process_identifier: 1624 process_handle: 0x00000278	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

185.246.220.85

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 1624 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268		3221225496	0
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 1604 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0	0

Harvests credentials from local FTP client softwares (22 events)

file	C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file	C:\Windows\wcx_ftp.ini
file	C:\Users\test22\wcx_ftp.ini
file	C:\Windows\32BitFtp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Program Files (x86)\FileZilla\Filezilla.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry	HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry	HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry	HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry	HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry	HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry	HKEY_CURRENT_USER\Software\Martin Prikryl
registry	HKEY_LOCAL_MACHINE\Software\Martin Prikryl

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3048 manipulating memory of non-child process 1624
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 1624 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268		3221225496	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 30, 2023, 4:36 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþ¬¬¬Ô¬K£K¬ ¬=2ó¬¬¬Ô¬¬Ç¬Ô¬=2÷ó¬=2È¬Rich¬PELlWà8¢Þ9P@ ÐdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x À base_address: 0x00400000 process_identifier: 1604 process_handle: 0x0000027c	1	1
WriteProcessMemory May 30, 2023, 4:36 p.m.	buffer: TÍ<¨K¢`Ý;U base_address: 0x0041a000 process_identifier: 1604 process_handle: 0x0000027c	1	1
WriteProcessMemory May 30, 2023, 4:36 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1604 process_handle: 0x0000027c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 30, 2023, 4:36 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþ¬¬¬Ô¬K£K¬ ¬=2ó¬¬¬Ô¬¬Ç¬Ô¬=2÷ó¬=2È¬Rich¬PELlWà8¢Þ9P@ ÐdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x À base_address: 0x00400000 process_identifier: 1604 process_handle: 0x0000027c	1	1	0

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\78.4.0 (ko)\Main
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3048 called NtSetContextThread to modify thread in remote process 1604
NtSetContextThread May 30, 2023, 4:36 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000278 process_identifier: 1604	1	0	0

Putty Files, Registry Keys and/or Mutexes Detected

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3048 resumed a thread in remote process 1604
NtResumeThread May 30, 2023, 4:36 p.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 1604	1	0	0

Executed a process and injected code into it, probably while unpacking (19 events)

Time & API	Arguments	Status	Return
NtResumeThread May 30, 2023, 4:35 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3048	1	0
NtResumeThread May 30, 2023, 4:35 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 3048	1	0
NtResumeThread May 30, 2023, 4:35 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 3048	1	0
NtResumeThread May 30, 2023, 4:36 p.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 3048	1	0
CreateProcessInternalW May 30, 2023, 4:36 p.m.	thread_identifier: 1632 thread_handle: 0x00000264 process_identifier: 1624 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\QT367001.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\QT367001.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000268	1	1
NtGetContextThread May 30, 2023, 4:36 p.m.	thread_handle: 0x00000264	1	0
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 1624 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000268		3221225496
CreateProcessInternalW May 30, 2023, 4:36 p.m.	thread_identifier: 1568 thread_handle: 0x00000278 process_identifier: 1604 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\QT367001.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\QT367001.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000027c	1	1
NtGetContextThread May 30, 2023, 4:36 p.m.	thread_handle: 0x00000278	1	0
NtAllocateVirtualMemory May 30, 2023, 4:36 p.m.	process_identifier: 1604 region_size: 663552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000027c	1	0
WriteProcessMemory May 30, 2023, 4:36 p.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌÍxþ¬¬¬Ô¬K£K¬ ¬=2ó¬¬¬Ô¬¬Ç¬Ô¬=2÷ó¬=2È¬Rich¬PELlWà8¢Þ9P@ ÐdP\.textõ68 `.rdata`@PB<@@.data$^ ~@À.x À base_address: 0x00400000 process_identifier: 1604 process_handle: 0x0000027c	1	1
WriteProcessMemory May 30, 2023, 4:36 p.m.	buffer: base_address: 0x00401000 process_identifier: 1604 process_handle: 0x0000027c	1	1
WriteProcessMemory May 30, 2023, 4:36 p.m.	buffer: base_address: 0x00415000 process_identifier: 1604 process_handle: 0x0000027c	1	1
WriteProcessMemory May 30, 2023, 4:36 p.m.	buffer: TÍ<¨K¢`Ý;U base_address: 0x0041a000 process_identifier: 1604 process_handle: 0x0000027c	1	1
WriteProcessMemory May 30, 2023, 4:36 p.m.	buffer: base_address: 0x004a0000 process_identifier: 1604 process_handle: 0x0000027c	1	1
WriteProcessMemory May 30, 2023, 4:36 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1604 process_handle: 0x0000027c	1	1
NtSetContextThread May 30, 2023, 4:36 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4274654 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000278 process_identifier: 1604	1	0
NtResumeThread May 30, 2023, 4:36 p.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 1604	1	0
NtResumeThread May 30, 2023, 4:36 p.m.	thread_handle: 0x00000110 suspend_count: 1 process_identifier: 1604	1	0

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Lionic	Trojan.Win32.Agensla.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.PWS.Siggen3.29618
MicroWorld-eScan	Trojan.GenericKD.66825918
FireEye	Generic.mg.c72b6d0fa5da7249
ALYac	Trojan.GenericKD.66825918
Malwarebytes	Trojan.MalPack.PNG.Generic
Sangfor	Infostealer.Win32.Agent.Vzg6
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	TrojanPSW:MSIL/Agensla.da954fae
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.a3aa0a
Arcabit	Trojan.Generic.D3FBAEBE
VirIT	Trojan.Win32.GenusB.DGFV
Cyren	W32/MSIL_Troj.COU.gen!Eldorado
tehtris	Generic.Malware
ESET-NOD32	a variant of MSIL/GenKryptik.GJLU
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.66825918
Avast	Win32:TrojanX-gen [Trj]
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:kdQTY8dgtqQBhmImr1blWA)
Emsisoft	Trojan.GenericKD.66825918 (B)
F-Secure	Trojan.TR/AD.LokiBot.epnhd
VIPRE	Trojan.GenericKD.66825918
TrendMicro	TROJ_GEN.R002C0DE423
McAfee-GW-Edition	BehavesLike.Win32.AgentTesla.bc
Trapmine	suspicious.low.ml.score
Sophos	Troj/Krypt-XS
Ikarus	Trojan.MSIL.Krypt
Webroot	W32.Malware.Gen
Avira	TR/AD.LokiBot.epnhd
MAX	malware (ai score=88)
Antiy-AVL	Trojan[Backdoor]/Win32.Androm
Gridinsoft	Ransom.Win32.LokiBot.bot
Microsoft	Trojan:MSIL/AgentTesla.ABUN!MTB
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Agensla.gen
GData	Trojan.GenericKD.66825918
Google	Detected
AhnLab-V3	Trojan/Win.MSILKrypt.R576404
McAfee	Artemis!C72B6D0FA5DA
TACHYON	Trojan-PWS/W32.DN-AgentTesla.728064.C
VBA32	TScope.Trojan.MSIL
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0DE423
Tencent	Msil.Trojan-QQPass.QQRob.Iflw
SentinelOne	Static AI - Suspicious PE

QT367001.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All