popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Sceatt.exe

RedLine Stealer Confuser .NET PWS PE File PE32 .NET EXE
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 June 4, 2023, 5:34 p.m. June 4, 2023, 5:47 p.m.
Size 926.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 a1ed05e1152357a287ad4c4b4ddc300e
SHA256 f37fed756590b0b03fb03dc3802b589cc5751346914048faab47b003bae832bb
CRC32 96512025
ssdeep 12288:Sm8VMj5EcETVXfz0kSn69pjVvMEeCxeCadKeHuXq97HvBjTjCdxBT4ZbCAAb7BhT:SxKcSup5UrUF3
Yara
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • ConfuserEx_Zero - Confuser .NET
  • RedLine_Stealer_Zero - RedLine stealer

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
77.91.68.62 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2636
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a30000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00bd0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2636
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2636
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00410000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00372000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0038c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2636
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
host 77.91.68.62
Lionic Trojan.Win32.Stealer.12!c
Elastic malicious (high confidence)
DrWeb Trojan.PWS.RedLineNET.7
MicroWorld-eScan Trojan.GenericKD.67367448
McAfee Artemis!A1ED05E11523
Malwarebytes Crypt.Trojan.MSIL.DDS
VIPRE Gen:Variant.MSILHeracles.82025
Sangfor Spyware.Msil.Kryptik.Vkpy
K7AntiVirus Trojan ( 005a59f41 )
Alibaba TrojanSpy:MSIL/Stealer.6266712d
K7GW Trojan ( 005a59f41 )
CrowdStrike win/malicious_confidence_90% (W)
Arcabit Trojan.MSILHeracles.D14069
BitDefenderTheta Gen:NN.ZemsilF.36250.5m0@auees4c
Cyren W32/MSIL_Kryptik.JIC.gen!Eldorado
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 a variant of MSIL/Kryptik.AIVB
Cynet Malicious (score: 100)
APEX Malicious
ClamAV Win.Malware.Trojanx-9862538-0
Kaspersky HEUR:Trojan-Spy.MSIL.Stealer.gen
BitDefender Trojan.GenericKD.67367448
Avast Win32:SpywareX-gen [Trj]
Tencent Trojan-Spy.MSIL.Stealer.16000664
Emsisoft Gen:Variant.MSILHeracles.82025 (B)
F-Secure Heuristic.HEUR/AGEN.1305469
TrendMicro Trojan.Win32.AMADEY.YXDFDZ
McAfee-GW-Edition BehavesLike.Win32.Generic.dm
Trapmine suspicious.low.ml.score
FireEye Generic.mg.a1ed05e1152357a2
Sophos Troj/MSILIn-BEE
SentinelOne Static AI - Malicious PE
Avira HEUR/AGEN.1305469
MAX malware (ai score=83)
Antiy-AVL Trojan/MSIL.Kryptik
Gridinsoft Malware.Win32.RedLine.bot
Microsoft Trojan:MSIL/Heracles.MBDD!MTB
ZoneAlarm HEUR:Trojan-Spy.MSIL.Stealer.gen
GData Win32.Trojan-Stealer.Cordimik.K4UAXQ
Google Detected
ALYac Gen:Variant.MSILHeracles.82025
VBA32 CIL.HeapOverride.Heur
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall Trojan.Win32.AMADEY.YXDFDZ
Rising Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:L3nrqRZ9aDyLpm78qBQMVw)
Ikarus Trojan.MSIL.Crypt
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/GenKryptik.GJTI!tr