Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 7, 2023, 9:25 a.m.	Aug. 7, 2023, 9:36 a.m.

Size	2.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c895da0796fc8d1b87c7212ef1e5b0b7`
SHA256	`38cea09d4c4dece3982e20ff62507dc63c20a5f76f9369156ab0faf0a12eb689`
CRC32	`E327CFA9`
ssdeep	`49152:52bivgTXZviuMgqQMVylgJzXW/AlxCaOzn3oHuIhv3O6AlyWCpIW+l:lgTXtiuMgqQWX5XIqQxj3BIx+6aSWJ`
Yara	UPX_Zero - UPX packed file Admin_Tool_IN_Zero - Admin Tool Sysinternals Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature themida_packer - themida packer IsPE32 - (no description)

BR.exe "C:\Users\test22\AppData\Local\Temp\BR.exe"
1212

Name	Response	Post-Analysis Lookup
pastebin.com	A 172.67.34.170 A 104.20.67.143 A 104.20.68.143	172.67.34.170

IP Address	Status	Action
103.100.211.218	Active	Moloch
164.124.101.2	Active	Moloch
172.67.34.170	Active	Moloch
95.143.190.57	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 172.67.34.170:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49165 172.67.34.170:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c7:af:cc:81:4d:27:d1:4c:7c:f4:bf:5d:55:9d:80:50:3b:6f:6c:cd

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 7, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 7, 2023, 9:25 a.m.			0	0
IsDebuggerPresent Aug. 7, 2023, 9:25 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 7, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9ef0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9ef0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 7, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 7, 2023, 9:25 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section
section	.themida
section	.boot

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ Aug. 7, 2023, 9:25 a.m.	stacktrace: br+0x428e54 @ 0x828e54 br+0x422d34 @ 0x822d34 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc e9 5f 43 fd 8a 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1638148 registers.edi: 5431296 registers.eax: 1638148 registers.ebp: 1638228 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 2006021163 registers.ecx: 795410432	1
__exception__ Aug. 7, 2023, 9:25 a.m.	stacktrace: exception.instruction_r: ed e9 20 6d 06 00 c3 e9 07 89 01 00 14 7e 70 1d exception.symbol: br+0x446930 exception.instruction: in eax, dx exception.module: BR.exe exception.exception_code: 0xc0000096 exception.offset: 4483376 exception.address: 0x846930 registers.esp: 1638268 registers.edi: 7246527 registers.eax: 1750617430 registers.ebp: 5431296 registers.edx: 2130532438 registers.ebx: 0 registers.esi: 6605385 registers.ecx: 20	1
__exception__ Aug. 7, 2023, 9:25 a.m.	stacktrace: exception.instruction_r: ed e9 8a f7 06 00 9d 6b b3 24 6a 00 be a3 e1 c2 exception.symbol: br+0x42e339 exception.instruction: in eax, dx exception.module: BR.exe exception.exception_code: 0xc0000096 exception.offset: 4383545 exception.address: 0x82e339 registers.esp: 1638268 registers.edi: 7246527 registers.eax: 1447909480 registers.ebp: 5431296 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 6605385 registers.ecx: 10	1
__exception__ Aug. 7, 2023, 9:26 a.m.	stacktrace: 0x5974cac 0x5974c68 0x4ef65b2 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74027610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x740b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x740b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x740b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x740b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3 exception.instruction_r: 8b 4e 04 8d 83 c6 fe ff ff 8b 15 44 38 9f 03 3b exception.instruction: mov ecx, dword ptr [esi + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5976212 registers.esp: 1635448 registers.edi: 44450860 registers.eax: 93807104 registers.ebp: 1635460 registers.edx: 44450860 registers.ebx: 326 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 9:26 a.m.	stacktrace: 0x5974cac 0x5974c68 0x4ef65b2 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74027610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x740b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x740b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x740b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x740b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3 exception.instruction_r: 8b 4e 04 8d 83 c6 fe ff ff 8b 15 44 38 9f 03 3b exception.instruction: mov ecx, dword ptr [esi + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5976212 registers.esp: 1635448 registers.edi: 44606756 registers.eax: 44606756 registers.ebp: 1635460 registers.edx: 44606756 registers.ebx: 326 registers.esi: 0 registers.ecx: 0	1
__exception__ Aug. 7, 2023, 9:27 a.m.	stacktrace: 0x5974cac 0x5974c68 0x4ef65b2 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x73f62652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x73f7264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x73f72e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x740274ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x74027610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x740b1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x740b1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x740b1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x740b416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3 exception.instruction_r: 8b 4e 04 8d 83 c6 fe ff ff 8b 15 44 38 9f 03 3b exception.instruction: mov ecx, dword ptr [esi + 4] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5976212 registers.esp: 1635448 registers.edi: 44748280 registers.eax: 44748280 registers.ebp: 1635460 registers.edx: 44748280 registers.ebx: 326 registers.esi: 0 registers.ecx: 0	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://pastebin.com/raw/V1mwGj8h

Performs some HTTP requests (1 event)

request

GET https://pastebin.com/raw/V1mwGj8h

Allocates read-write-execute memory (usually to unpack itself) (50 out of 131 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75608000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75443000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7581c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7586f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 7, 2023, 9:25 a.m.	process_identifier: 1212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580a000 process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 7, 2023, 9:26 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x00043400', u'virtual_address': u'0x00002000', u'entropy': 7.986677836534138, u'name': u' ', u'virtual_size': u'0x00076000'}

entropy

7.98667783653

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00016e00', u'virtual_address': u'0x00078000', u'entropy': 7.943097064600425, u'name': u' ', u'virtual_size': u'0x00090bba'}

entropy

7.9430970646

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00241800', u'virtual_address': u'0x004e4000', u'entropy': 7.938139634138896, u'name': u'.boot', u'virtual_size': u'0x00241800'}

entropy

7.93813963414

description

A section with a high entropy has been found

entropy

0.954943679599

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Communicates with host for which no DNS query was performed (2 events)

host	103.100.211.218
host	95.143.190.57

Checks for the presence of known windows from debuggers and forensic tools (12 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Aug. 7, 2023, 9:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Aug. 7, 2023, 9:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Aug. 7, 2023, 9:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Aug. 7, 2023, 9:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 7, 2023, 9:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Aug. 7, 2023, 9:25 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 7, 2023, 9:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Aug. 7, 2023, 9:25 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Aug. 7, 2023, 9:25 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 7, 2023, 9:25 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Aug. 7, 2023, 9:25 a.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA Aug. 7, 2023, 9:25 a.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 7, 2023, 9:25 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 7, 2023, 9:25 a.m.	stacktrace: exception.instruction_r: ed e9 8a f7 06 00 9d 6b b3 24 6a 00 be a3 e1 c2 exception.symbol: br+0x42e339 exception.instruction: in eax, dx exception.module: BR.exe exception.exception_code: 0xc0000096 exception.offset: 4383545 exception.address: 0x82e339 registers.esp: 1638268 registers.edi: 7246527 registers.eax: 1447909480 registers.ebp: 5431296 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 6605385 registers.ecx: 10	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

95.143.190.57:15647

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Convagent.trYj
MicroWorld-eScan	Trojan.GenericKD.68411144
CAT-QuickHeal	Trojanpws.Msil
McAfee	Artemis!C895DA0796FC
Malwarebytes	Backdoor.Bot
VIPRE	Trojan.GenericKD.68411144
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Riskware ( 00584baa1 )
Alibaba	TrojanPSW:MSIL/Reline.7c6fe276
K7GW	Riskware ( 00584baa1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Generic.D413DF08
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	MSIL/Agent.CKL
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	Trojan-PSW.MSIL.Reline.ulk
BitDefender	Trojan.GenericKD.68411144
NANO-Antivirus	Virus.Win32.Gen-Crypt.ccnc
Avast	Win32:DropperX-gen [Drp]
Tencent	Malware.Win32.Gencirc.13eb3e80
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/RedLine.tzrht
DrWeb	Trojan.PWS.RedLine.99
TrendMicro	TrojanSpy.Win32.REDLINE.YXDG3Z
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.c895da0796fc8d1b
Emsisoft	Trojan.GenericKD.68411144 (B)
Ikarus	Trojan.RedLine
Webroot	W32.Trojan.GenKD
Avira	TR/RedLine.tzrht
MAX	malware (ai score=85)
Antiy-AVL	Trojan/Win32.Wacatac
Gridinsoft	Ransom.Win32.Wacatac.cl
Xcitium	Malware@#1x2vrmqtf2w4l
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	Trojan-PSW.MSIL.Reline.ulk
GData	Trojan.GenericKD.68411144
Google	Detected
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.36348.UE0@aiblBPni
ALYac	Trojan.GenericKD.68411144
VBA32	BScope.TrojanPSW.MSIL.Reline
Cylance	unsafe
Panda	Trj/Genetic.gen
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	TrojanSpy.Win32.REDLINE.YXDG3Z

BR.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All