Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 26, 2023, 2:07 p.m.	June 26, 2023, 2:09 p.m.

Size	642.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`f01bdbc4e97c2a1886094c3fe2092448`
SHA256	`1ba924a1929390c208baacddcfa9ad01b115234fb5e699848bbefa2144c6f9f9`
CRC32	`643FDD0B`
ssdeep	`12288:gfM2iNh4/mNUA/JJpEEomkjHkapBLcypPddhK3OuhKBVInxoW:GM1D4/QUsEEcjEmBLcytxK3OuofInxoW`
PDB Path	ljbT.pdb
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

rPAGO_4536222.exe "C:\Users\test22\AppData\Local\Temp\rPAGO_4536222.exe"
3016
- rPAGO_4536222.exe "C:\Users\test22\AppData\Local\Temp\rPAGO_4536222.exe"
  2440

Name	Response	Post-Analysis Lookup
smtp.selcoh.hn	CNAME cwp.catics.online A 142.44.226.128	142.44.226.128

IP Address	Status	Action
142.44.226.128	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 142.44.226.128:587 -> 192.168.56.102:49165	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode
TCP 192.168.56.102:49165 -> 142.44.226.128:587	2030171	ET MALWARE AgentTesla Exfil Via SMTP	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 26, 2023, 2:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 2:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 2:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 2:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 2:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 2:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 2:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 26, 2023, 2:08 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 26, 2023, 2:07 p.m.			0	0
IsDebuggerPresent June 26, 2023, 2:07 p.m.			0	0
IsDebuggerPresent June 26, 2023, 2:08 p.m.			0	0
IsDebuggerPresent June 26, 2023, 2:08 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 26, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 26, 2023, 2:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2df0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

ljbT.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 26, 2023, 2:07 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 26, 2023, 2:08 p.m.	stacktrace: 0x6908e4 0x6907ef 0x690751 0x690083 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73d12652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73d2264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73d22e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73dd74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73dd7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73e61dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73e61e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73e61f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73e6416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x743bf5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x693bcd registers.esp: 1633992 registers.edi: 1634016 registers.eax: 0 registers.ebp: 1634028 registers.edx: 195 registers.ebx: 38994176 registers.esi: 39006748 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 26, 2023, 2:08 p.m.

stacktrace:

0x6908e4
0x6907ef
0x690751
0x690083
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73d12652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73d2264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73d22e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x73dd74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73dd7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73e61dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73e61e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73e61f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73e6416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x743bf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x746c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x746c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x693bcd
registers.esp: 1633992
registers.edi: 1634016
registers.eax: 0
registers.ebp: 1634028
registers.edx: 195
registers.ebx: 38994176
registers.esi: 39006748
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 84 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x709b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:07 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a85000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a87000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 3016 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a89000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d12000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00482000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 26, 2023, 2:08 p.m.	flags: 1158 family: 0	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000a0000', u'virtual_address': u'0x00002000', u'entropy': 7.796994890272728, u'name': u'.text', u'virtual_size': u'0x0009feb8'}

entropy

7.79699489027

description

A section with a high entropy has been found

entropy

0.996884735202

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 26, 2023, 2:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 26, 2023, 2:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d0	1	0	0

A process attempted to delay the analysis task. (1 event)

description

rPAGO_4536222.exe tried to sleep 2728263 seconds, actually delayed analysis time by 2728263 seconds

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 26, 2023, 2:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¬*dà0¦ @ @@¦KÀFà H.text `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2440 process_handle: 0x000002d0	1	1
WriteProcessMemory June 26, 2023, 2:08 p.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalName143f0303-f818-4f9b-ace3-039095a5a82a.exe(LegalCopyright \|)OriginalFilename143f0303-f818-4f9b-ace3-039095a5a82a.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 2440 process_handle: 0x000002d0	1	1
WriteProcessMemory June 26, 2023, 2:08 p.m.	buffer: 6 base_address: 0x0042e000 process_identifier: 2440 process_handle: 0x000002d0	1	1
WriteProcessMemory June 26, 2023, 2:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2440 process_handle: 0x000002d0	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 26, 2023, 2:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¬*dà0¦ @ @@¦KÀFà H.text `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2440 process_handle: 0x000002d0	1	1	0

Harvests credentials from local email clients (6 events)

file	C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3016 called NtSetContextThread to modify thread in remote process 2440
NtSetContextThread June 26, 2023, 2:08 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4368014 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002cc process_identifier: 2440	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3016 resumed a thread in remote process 2440
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 2440	1	0	0

Executed a process and injected code into it, probably while unpacking (26 events)

Time & API	Arguments	Status	Return
NtResumeThread June 26, 2023, 2:07 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread June 26, 2023, 2:07 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread June 26, 2023, 2:07 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 3016	1	0
CreateProcessInternalW June 26, 2023, 2:08 p.m.	thread_identifier: 2484 thread_handle: 0x000002cc process_identifier: 2440 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\rPAGO_4536222.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\rPAGO_4536222.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtGetContextThread June 26, 2023, 2:08 p.m.	thread_handle: 0x000002cc	1	0
NtAllocateVirtualMemory June 26, 2023, 2:08 p.m.	process_identifier: 2440 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d0	1	0
WriteProcessMemory June 26, 2023, 2:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¬*dà0¦ @ @@¦KÀFà H.text `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 2440 process_handle: 0x000002d0	1	1
WriteProcessMemory June 26, 2023, 2:08 p.m.	buffer: base_address: 0x00402000 process_identifier: 2440 process_handle: 0x000002d0	1	1
WriteProcessMemory June 26, 2023, 2:08 p.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalName143f0303-f818-4f9b-ace3-039095a5a82a.exe(LegalCopyright \|)OriginalFilename143f0303-f818-4f9b-ace3-039095a5a82a.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 2440 process_handle: 0x000002d0	1	1
WriteProcessMemory June 26, 2023, 2:08 p.m.	buffer: 6 base_address: 0x0042e000 process_identifier: 2440 process_handle: 0x000002d0	1	1
WriteProcessMemory June 26, 2023, 2:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2440 process_handle: 0x000002d0	1	1
NtSetContextThread June 26, 2023, 2:08 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4368014 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002cc process_identifier: 2440	1	0
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 3016	1	0
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x00000280 suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x00000364 suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x00000364 suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x000003c4 suspend_count: 1 process_identifier: 2440	1	0
NtResumeThread June 26, 2023, 2:08 p.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 2440	1	0

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Lionic	Trojan.Win32.Taskun.4!c
Elastic	malicious (high confidence)
McAfee	Artemis!F01BDBC4E97C
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 005a74e81 )
K7GW	Trojan ( 005a74e81 )
CrowdStrike	win/malicious_confidence_90% (W)
BitDefenderTheta	Gen:NN.ZemsilF.36270.Om0@aCRzQ3k
Cyren	W32/MSIL_Agent.FPI.gen!Eldorado
Symantec	Trojan.Gen.2
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:Trojan-PSW.MSIL.Agensla.gen
Avast	TrojanX-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
Trapmine	malicious.moderate.ml.score
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.Gen
Microsoft	Trojan:Win32/Leonem
ZoneAlarm	UDS:Trojan-PSW.MSIL.Agensla.gen
Google	Detected
Malwarebytes	MachineLearning/Anomalous.94%
Panda	Trj/Chgt.AD
Rising	Malware.Obfus/MSIL@AI.88 (RDM.MSIL2:6H2tdqpa3HqzCOSfwllHew)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AGUH!tr
AVG	TrojanX-gen [Trj]
DeepInstinct	MALICIOUS

rPAGO_4536222.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All