Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 24, 2023, 11:17 a.m.	Sept. 24, 2023, 11:21 a.m.

Size	364.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9379586a4b035658785cc87c8292d6df`
SHA256	`7c6b4b0f3a0ebcf30390f2332379a1ff18062f9d5595adb6e628f336a2b56a0b`
CRC32	`282E3D81`
ssdeep	`6144:K146fuYXChoQTjlFgLuCY1dRuAOaPAS1N54CRNAsVFwhFuOfRH4MIS09Fvw8y0:KCYzXChdTbv1buUAS1RRNAsVFTOZHx44`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check

exto.exe "C:\Users\test22\AppData\Local\Temp\exto.exe"
2564
- AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2676

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
5.42.92.211	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 5.42.92.211:80	2047625	ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 5.42.92.211:80	2018358	ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.syhua

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, Connection to IP address

suspicious_request

POST http://5.42.92.211/loghub/master

Performs some HTTP requests (1 event)

request

POST http://5.42.92.211/loghub/master

Sends data using the HTTP POST Method (1 event)

request

POST http://5.42.92.211/loghub/master

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 24, 2023, 11:17 a.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75d41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2023, 11:17 a.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75e61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 24, 2023, 11:17 a.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76161000 process_handle: 0xffffffff	1

Yara rule detected in process memory (13 events)

description	Match Windows Http API call	rule	Str_Win32_Http_API
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

5.42.92.211

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 24, 2023, 11:17 a.m.	process_identifier: 2676 region_size: 180224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000003c	1	0	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 24, 2023, 11:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELGáeà$¸ÈAÐ@À@LE(à¨'À::@Ð.text¶¸ `.rdatax{Ð\|¼@@.data¸!P8@À.rsrcàD@@.reloc¨'(F@B base_address: 0x00400000 process_identifier: 2676 process_handle: 0x0000003c	1	1
WriteProcessMemory Sept. 24, 2023, 11:17 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þêA@VB@VB@VB@VB@VBHVBíAîAÀäAUB`PBCVBeBeBeBeBeBeBeBeBeBVBeBeBeBeBeBeBeB..þÿÿÿ þÿÿÿueõS®g¸ímZ3mÜg>ãUl3.¡Éê2ÔËöÿÿÿÿìï+z/}â1ÆôCñzÝÖîþî¶ð5Õ\ÅÕN¡·rv¡#5è¼ÐjXA²"]OZVKiX(üN\íº©ÿsæTS<[eb?f} À®¼`¢³²âgÇH,ÃUí¾çJkî]çÆ±{ò · g×->sÐÇä¸5åÉ7åxªôLÆKÔïhP º[¨ m»ÚwÍÄ a ?>° ©'¸v _¶i( ÖhI´gV(¶'{µ²±W5$Öå®¥sÇ¿c°Úf!Äeå¢ºÀaÕpLß¤ Ä_8IbM$¾¾è0qeB Y¾v:rq;d\|ìÊ)Øuaq¤1»/´ÝeWÞf¤tTãÁ§q]c-´ç{À¹ûiQºwç}n_/µÓdZ¢8N'óò¶¿Ðé¾0×¾* ¹R·'3øÓß´ãø¾®hij²:éà³ó^åáPV$w`g¯ ãÏc0jªÖëï¦EÐUQYIG_³W¤÷ú£ÔD¶lwðãëC?HGÜµ !®x>¤ÁZúË»` ë6tA\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x00425000 process_identifier: 2676 process_handle: 0x0000003c	1	1
WriteProcessMemory Sept. 24, 2023, 11:17 a.m.	buffer: 0 H`}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00428000 process_identifier: 2676 process_handle: 0x0000003c	1	1
WriteProcessMemory Sept. 24, 2023, 11:17 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2676 process_handle: 0x0000003c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 24, 2023, 11:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELGáeà$¸ÈAÐ@À@LE(à¨'À::@Ð.text¶¸ `.rdatax{Ð\|¼@@.data¸!P8@À.rsrcàD@@.reloc¨'(F@B base_address: 0x00400000 process_identifier: 2676 process_handle: 0x0000003c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 called NtSetContextThread to modify thread in remote process 2676
NtSetContextThread Sept. 24, 2023, 11:17 a.m.	registers.eip: 1995571652 registers.esp: 3866208 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000038 process_identifier: 2676	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 resumed a thread in remote process 2676
NtResumeThread Sept. 24, 2023, 11:17 a.m.	thread_handle: 0x00000038 suspend_count: 1 process_identifier: 2676	1	0	0

Executed a process and injected code into it, probably while unpacking (12 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 24, 2023, 11:17 a.m.	thread_identifier: 2680 thread_handle: 0x00000038 process_identifier: 2676 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000003c	1	1
NtGetContextThread Sept. 24, 2023, 11:17 a.m.	thread_handle: 0x00000038	1	0
NtAllocateVirtualMemory Sept. 24, 2023, 11:17 a.m.	process_identifier: 2676 region_size: 180224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000003c	1	0
WriteProcessMemory Sept. 24, 2023, 11:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $à ¤ÿmY¤ÿmY¤ÿmYwnX¨ÿmYwhX2ÿmYwiX°ÿmYY¦ÿmYhXÿmYiXµÿmYnX°ÿmYwlX§ÿmY¤ÿlYðÿmY°dX´ÿmY°Y¥ÿmY°oX¥ÿmYRich¤ÿmYPELGáeà$¸ÈAÐ@À@LE(à¨'À::@Ð.text¶¸ `.rdatax{Ð\|¼@@.data¸!P8@À.rsrcàD@@.reloc¨'(F@B base_address: 0x00400000 process_identifier: 2676 process_handle: 0x0000003c	1	1
WriteProcessMemory Sept. 24, 2023, 11:17 a.m.	buffer: base_address: 0x00401000 process_identifier: 2676 process_handle: 0x0000003c	1	1
WriteProcessMemory Sept. 24, 2023, 11:17 a.m.	buffer: base_address: 0x0041d000 process_identifier: 2676 process_handle: 0x0000003c	1	1
WriteProcessMemory Sept. 24, 2023, 11:17 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ ÿÿÿÿ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þêA@VB@VB@VB@VB@VBHVBíAîAÀäAUB`PBCVBeBeBeBeBeBeBeBeBeBVBeBeBeBeBeBeBeB..þÿÿÿ þÿÿÿueõS®g¸ímZ3mÜg>ãUl3.¡Éê2ÔËöÿÿÿÿìï+z/}â1ÆôCñzÝÖîþî¶ð5Õ\ÅÕN¡·rv¡#5è¼ÐjXA²"]OZVKiX(üN\íº©ÿsæTS<[eb?f} À®¼`¢³²âgÇH,ÃUí¾çJkî]çÆ±{ò · g×->sÐÇä¸5åÉ7åxªôLÆKÔïhP º[¨ m»ÚwÍÄ a ?>° ©'¸v _¶i( ÖhI´gV(¶'{µ²±W5$Öå®¥sÇ¿c°Úf!Äeå¢ºÀaÕpLß¤ Ä_8IbM$¾¾è0qeB Y¾v:rq;d\|ìÊ)Øuaq¤1»/´ÝeWÞf¤tTãÁ§q]c-´ç{À¹ûiQºwç}n_/µÓdZ¢8N'óò¶¿Ðé¾0×¾* ¹R·'3øÓß´ãø¾®hij²:éà³ó^åáPV$w`g¯ ãÏc0jªÖëï¦EÐUQYIG_³W¤÷ú£ÔD¶lwðãëC?HGÜµ !®x>¤ÁZúË»` ë6tA\|B.?AVbad_exception@std@@\|B.?AVexception@std@@\|B.?AVtype_info@@ base_address: 0x00425000 process_identifier: 2676 process_handle: 0x0000003c	1	1
WriteProcessMemory Sept. 24, 2023, 11:17 a.m.	buffer: 0 H`}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00428000 process_identifier: 2676 process_handle: 0x0000003c	1	1
WriteProcessMemory Sept. 24, 2023, 11:17 a.m.	buffer: base_address: 0x00429000 process_identifier: 2676 process_handle: 0x0000003c	1	1
WriteProcessMemory Sept. 24, 2023, 11:17 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2676 process_handle: 0x0000003c	1	1
NtSetContextThread Sept. 24, 2023, 11:17 a.m.	registers.eip: 1995571652 registers.esp: 3866208 registers.edi: 0 registers.eax: 4198977 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000038 process_identifier: 2676	1	0
NtResumeThread Sept. 24, 2023, 11:17 a.m.	thread_handle: 0x00000038 suspend_count: 1 process_identifier: 2676	1	0

exto.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All