Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 7, 2023, 7:30 a.m.	June 7, 2023, 7:38 a.m.

Size	16.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`543e32d9617d5851aef813fe77310a84`
SHA256	`3aecc6a1a48d40fc706541c6f13d84d16508dc2b9277eb02d8bfc76b6cfce5f5`
CRC32	`54236679`
ssdeep	`384:H0YzTOhDd3LDRyEybkJ5nf9vwEG9/XwJwq6uJfq2GSLwqWJ:UHVd3Lty7b2542GLJ`
PDB Path	BBbH.pdb
Yara	Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature IsPE32 - (no description)

BBHhHhB.exe "C:\Users\test22\AppData\Local\Temp\BBHhHhB.exe"
2640

Name	Response	Post-Analysis Lookup
hydramecs.com	A 45.12.253.105	45.12.253.105

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.12.253.105	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49162 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49178 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49180 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49182 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49183 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 45.12.253.105:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 7, 2023, 7:30 a.m.			0	0
IsDebuggerPresent June 7, 2023, 7:30 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

BBbH.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 7, 2023, 7:30 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 7:30 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

BBHhHhB.exe tried to sleep 162 seconds, actually delayed analysis time by 162 seconds

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 7, 2023, 7:30 a.m.	flags: 15 family: 0		111	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Lionic	Trojan.Win32.Tedy.4!c
Elastic	malicious (moderate confidence)
MicroWorld-eScan	Gen:Variant.Tedy.373567
FireEye	Generic.mg.543e32d9617d5851
McAfee	Artemis!543E32D9617D
Malwarebytes	Trojan.Crypt.MSIL
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 005a6a971 )
Alibaba	Backdoor:MSIL/Crysan.08837fa4
K7GW	Trojan-Downloader ( 005a6a971 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Tedy.D5B33F
BitDefenderTheta	Gen:NN.ZemsilF.36250.bm0@aSIUN4l
VirIT	Trojan.Win32.Genus.RAX
Cyren	W32/ABRisk.KCTM-4890
Symantec	Trojan Horse
ESET-NOD32	MSIL/TrojanDownloader.Tiny.CGQ
APEX	Malicious
Kaspersky	HEUR:Backdoor.MSIL.Crysan.gen
BitDefender	Gen:Variant.Tedy.373567
Emsisoft	Trojan.GenericKD.67409276 (B)
TrendMicro	TROJ_GEN.R002C0XF423
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1323970
MAX	malware (ai score=84)
Antiy-AVL	Trojan[Backdoor]/MSIL.Crysan
Gridinsoft	Trojan.Win32.AsyncRAT.bot
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	HEUR:Backdoor.MSIL.Crysan.gen
GData	Gen:Variant.Tedy.373567
Google	Detected
AhnLab-V3	Malware/Win.Generic.C5437168
VBA32	TScope.Trojan.MSIL
DeepInstinct	MALICIOUS
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002C0XF423
Tencent	Msil.Backdoor.Crysan.Ngil
Ikarus	Trojan.Inject
Fortinet	PossibleThreat
Panda	Trj/Chgt.AD

BBHhHhB.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All