Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 7, 2023, 7:29 a.m.	June 7, 2023, 7:31 a.m.

Size	183.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`96b0ccf071277093a2e02fd89ae05dcb`
SHA256	`e5504926ca13ec91db212d121bf60bf8c39674465cd825aed21fc59cc7bb9525`
CRC32	`F758306B`
ssdeep	`1536:nmxb1F1ZjhGIBOrPaOYdSkjiRNqOP36r:nSbD71hEbaFSkjiRrPq`
PDB Path	BBbH.pdb
Yara	Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature IsPE32 - (no description)

BHHh.exe "C:\Users\test22\AppData\Local\Temp\BHHh.exe"
2540

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.67.53.27
oshi.at	A 5.253.86.15	5.253.86.15

IP Address	Status	Action
121.254.136.27	Active	Moloch
164.124.101.2	Active	Moloch
5.253.86.15	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49162 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49184 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49185 -> 5.253.86.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49162 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49178 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49173 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49171 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49181 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49177 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49174 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49179 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49183 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49165 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49184 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49168 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49169 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49172 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49175 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49166 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49167 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49170 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49176 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35
TLSv1 192.168.56.101:49185 5.253.86.15:443	C=US, O=Let's Encrypt, CN=R3	CN=oshi.at	10:a4:69:c3:27:8c:e2:80:38:d4:5a:80:69:80:16:46:5f:8b:19:35

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 7, 2023, 7:29 a.m.			0	0
IsDebuggerPresent June 7, 2023, 7:29 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

BBbH.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 7, 2023, 7:29 a.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:29 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

BHHh.exe tried to sleep 157 seconds, actually delayed analysis time by 157 seconds

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 7, 2023, 7:29 a.m.	flags: 15 family: 0		111	0

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Lionic	Trojan.Win32.Hesv.4!c
MicroWorld-eScan	IL:Trojan.MSILZilla.28293
FireEye	Generic.mg.96b0ccf071277093
McAfee	Artemis!96B0CCF07127
Malwarebytes	Trojan.Crypt.MSIL
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 005a6a281 )
Alibaba	Trojan:MSIL/Generic.7b949b78
K7GW	Trojan-Downloader ( 005a6a281 )
Cybereason	malicious.071277
Arcabit	IL:Trojan.MSILZilla.D6E85
VirIT	Trojan.Win32.Genus.RAX
Cyren	W32/ABRisk.AHLF-6202
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent_AGen.ATA
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan.MSIL.Hesv.gen
BitDefender	Trojan.GenericKD.67409523
Avast	Win32:PWSX-gen [Trj]
Tencent	Malware.Win32.Gencirc.13c9ab55
Emsisoft	Trojan.GenericKD.67409523 (B)
F-Secure	Heuristic.HEUR/AGEN.1323970
DrWeb	Trojan.DownloaderNET.645
VIPRE	IL:Trojan.MSILZilla.28293
TrendMicro	TROJ_GEN.R014C0DF423
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1323970
MAX	malware (ai score=82)
Antiy-AVL	Trojan/MSIL.Hesv
Microsoft	TrojanDownloader:MSIL/AsyncRAT.L!MTB
ZoneAlarm	HEUR:Trojan.MSIL.Hesv.gen
GData	IL:Trojan.MSILZilla.28293
Google	Detected
AhnLab-V3	Downloader/Win.AsyncRAT.C5433063
BitDefenderTheta	Gen:NN.ZemsilF.36250.lm0@aGc0jUe
ALYac	Gen:Variant.Lazy.349395
VBA32	TScope.Trojan.MSIL
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R014C0DF423
Ikarus	Trojan-Spy.MSIL.Agent
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.PGN!tr.dldr
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS

BHHh.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All