Summary | ZeroBOX

HH.exe

AgentTesla info stealer browser Google Downloader Chrome User Data Confuser .NET Socket Escalate privileges KeyLogger Create Service Internet API Sniff Audio DNS AntiDebug PE File PE64 AntiVM
Category FILE
Machine s1_win7_x6401
Started June 8, 2023, 9:16 a.m.
Completed June 8, 2023, 9:25 a.m.
Size 488.5KB
Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5 66108176e22e6f9513a62c76f2185468
SHA256 e1eb3fe18ad660415f59eaac2c768afa1b20e07f107dfc207da8b0880a888aaf
CRC32 04184839
ssdeep 12288:oeV56CrxH8gnW6yhQNmPLXWu38n4RQgsAlVF+LpnN7TihIHVQMfT:deCrxsvh/Wusn4RHZvF+lnd/
PDB Path NBB872.pdb
Yara
  • IsPE64 - (no description)
  • ConfuserEx_Zero - Confuser .NET
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
pekonomia.duckdns.org 192.169.69.26

IP Address Status Action
164.124.101.2 Active Moloch
192.169.69.26 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:53004 -> 164.124.101.2:53 2042936 ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain Potentially Bad Traffic
UDP 192.168.56.101:53004 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
TCP 192.168.56.101:49170 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49180 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 192.169.69.26:30861 2036594 ET JA3 Hash - Remcos 3.x TLS Connection Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path NBB872.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
domain pekonomia.duckdns.org
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000850000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000870000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef406b000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 2555904
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002460000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002650000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef39d4000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9422a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9423c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94350000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94351000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94352000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94353000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94354000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94355000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94356000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94357000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe942dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94306000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe942e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9422b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94358000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94359000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe94222000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9424b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9435a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9427c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9424d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9423a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe9435b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
section .text: size_of_data 0x00079a00, virtual_address 0x00002000, virtual_size 0x00079803, entropy 7.966829562881021 description A section with a high entropy has been found
entropy 0.996926229508 description Overall entropy of this PE file is high
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communications use DNS rule Network_DNS
description Win.Trojan.agentTesla rule Win_Trojan_agentTesla_Zero
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description browser info stealer rule infoStealer_browser_Zero
description Google Chrome User Data Check rule Chrome_User_Data_Check_Zero
description Match Windows Inet API call rule Str_Win32_Internet_API
description Escalate privileges rule Escalate_priviledges
description File Downloader rule Network_Downloader
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Run a KeyLogger rule KeyLogger
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2488
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000000000001d8
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: (PE image, binary data omitted)
base_address: 0x0000000000400000
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0

WriteProcessMemory

buffer: (binary data omitted)
base_address: 0x000000000046f000
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0

WriteProcessMemory

buffer: €
base_address: 0x0000000000475000
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0

WriteProcessMemory

buffer: (binary data omitted)
base_address: 0x0000000000476000
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x000000007efde008
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: (PE image, binary data omitted)
base_address: 0x0000000000400000
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0
Process injection Process 2628 resumed a thread in remote process 2488
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000000000015c
suspend_count: 1
process_identifier: 2488
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000000000000c4
suspend_count: 1
process_identifier: 2628
1 0 0

NtResumeThread

thread_handle: 0x000000000000013c
suspend_count: 1
process_identifier: 2628
1 0 0

NtResumeThread

thread_handle: 0x0000000000000178
suspend_count: 1
process_identifier: 2628
1 0 0

NtResumeThread

thread_handle: 0x00000000000001e4
suspend_count: 1
process_identifier: 2628
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000d0
1 0 0

NtGetContextThread

thread_handle: 0x00000000000000d0
1 0 0

NtResumeThread

thread_handle: 0x00000000000000d0
suspend_count: 1
process_identifier: 2628
1 0 0

NtGetContextThread

thread_handle: 0x000000000000013c
1 0 0

NtGetContextThread

thread_handle: 0x000000000000013c
1 0 0

NtResumeThread

thread_handle: 0x000000000000013c
suspend_count: 1
process_identifier: 2628
1 0 0

CreateProcessInternalW

thread_identifier: 2492
thread_handle: 0x000000000000015c
process_identifier: 2488
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
track: 1
command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000000000001d8
1 1 0

NtAllocateVirtualMemory

process_identifier: 2488
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000000000001d8
1 0 0

WriteProcessMemory

buffer: (PE image, binary data omitted)
base_address: 0x0000000000400000
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0000000000401000
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0000000000457000
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0

WriteProcessMemory

buffer: (binary data omitted)
base_address: 0x000000000046f000
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0

WriteProcessMemory

buffer: €
base_address: 0x0000000000475000
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0

WriteProcessMemory

buffer: (binary data omitted)
base_address: 0x0000000000476000
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0000000000477000
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0

WriteProcessMemory

buffer:
base_address: 0x000000000047c000
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x000000007efde008
process_identifier: 2488
process_handle: 0x00000000000001d8
1 1 0

NtResumeThread

thread_handle: 0x000000000000015c
suspend_count: 1
process_identifier: 2488
1 0 0
Lionic Trojan.Win32.Agensla.4!c
MicroWorld-eScan Trojan.GenericKD.67410429
FireEye Trojan.GenericKD.67410429
Malwarebytes Trojan.Crypt
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 005944cf1 )
Alibaba TrojanPSW:MSIL/Agensla.dcc9b46b
K7GW Trojan ( 005944cf1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D40499FD
VirIT Trojan.Win64.MSIL_Heur.A
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/Kryptik.AFAK
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.67410429
Avast Win64:PWSX-gen [Trj]
Tencent Win32.Trojan.Agen.Nsmw
Emsisoft Trojan.GenericKD.67410429 (B)
F-Secure Heuristic.HEUR/AGEN.1326434
DrWeb Trojan.DownloaderNET.345
VIPRE Trojan.GenericKD.67410429
McAfee-GW-Edition BehavesLike.Win64.Generic.gc
Trapmine malicious.moderate.ml.score
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Webroot W32.Trojan.MSIL.AGensla
Avira HEUR/AGEN.1326434
Gridinsoft Trojan.Win64.Remcos.bot
Microsoft Trojan:Win32/Casdet!rfn
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Win32.Backdoor.Remcos.8VU6XK
Google Detected
AhnLab-V3 Trojan/Win.PWSX-gen.C5438140
McAfee Artemis!66108176E22E
MAX malware (ai score=80)
Cylance unsafe
TrendMicro-HouseCall TROJ_GEN.R002H0DF623
Rising Malware.Obfus/MSIL@AI.98 (RDM.MSIL2:Xvlm0nsmSHgGW3sw84vf2w)
Ikarus Trojan.Inject
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Kryptik.AGEK!tr
AVG Win64:PWSX-gen [Trj]
DeepInstinct MALICIOUS