Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 3, 2023, 12:51 p.m.	Oct. 3, 2023, 12:53 p.m.

Size	817.0KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`a7e5dd9ea31f866fdd0b425165f90915`
SHA256	`d2608d6f7e2001cf70808e3c89bf702484c13f85ae19037a1de33fe957a3233a`
CRC32	`00F21168`
ssdeep	`24576:DpRaJkjIFluoFg9BA0/ho7svms7IcRvJ3:lnIFluoFgZho7XsDRvJ3`
PDB Path	C:\q6u9Bc832IoMnjmw5WLutZPbPGzTTL06\Hos_ter.pdb
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check

Ifum2.exe "C:\Users\test22\AppData\Local\Temp\Ifum2.exe"
1508
- AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2108

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 3, 2023, 12:51 p.m.			0	0
IsDebuggerPresent Oct. 3, 2023, 12:51 p.m.			0	0

Command line console output was observed (23 events)

Time & API	Arguments	Status	Return
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: Who say this? console_handle: 0x00000007	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: f console_handle: 0x0000000b	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: u console_handle: 0x0000000b	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: f console_handle: 0x0000000b	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: u console_handle: 0x0000000b	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: A console_handle: 0x0000000b	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: S console_handle: 0x0000000b	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: s console_handle: 0x0000000b	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: u console_handle: 0x0000000b	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: w console_handle: 0x0000000b	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: e console_handle: 0x0000000b	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: B console_handle: 0x00000007	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: h console_handle: 0x00000007	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: b console_handle: 0x00000007	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: h console_handle: 0x00000007	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Oct. 3, 2023, 12:51 p.m.	buffer: r console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

C:\q6u9Bc832IoMnjmw5WLutZPbPGzTTL06\Hos_ter.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 3, 2023, 12:51 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.PLT

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74392000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d3b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d52000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x746ca000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00751000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Yara rule detected in process memory (9 events)

description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 3, 2023, 12:51 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELO<lðà0N7 @@ @ø6S@Nà H.textT `.rsrcN@@@.relocà¶@B base_address: 0x00400000 process_identifier: 2108 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 3, 2023, 12:51 p.m.	buffer: 0P7 base_address: 0x0042e000 process_identifier: 2108 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 3, 2023, 12:51 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2108 process_handle: 0x0000002c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 3, 2023, 12:51 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELO<lðà0N7 @@ @ø6S@Nà H.textT `.rsrcN@@@.relocà¶@B base_address: 0x00400000 process_identifier: 2108 process_handle: 0x0000002c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1508 called NtSetContextThread to modify thread in remote process 2108
NtSetContextThread Oct. 3, 2023, 12:51 p.m.	registers.eip: 2005598660 registers.esp: 2948184 registers.edi: 0 registers.eax: 4339534 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2108	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1508 resumed a thread in remote process 2108
NtResumeThread Oct. 3, 2023, 12:51 p.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2108	1	0	0

Executed a process and injected code into it, probably while unpacking (14 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 3, 2023, 12:51 p.m.	thread_identifier: 2112 thread_handle: 0x00000020 process_identifier: 2108 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000002c	1	1
NtGetContextThread Oct. 3, 2023, 12:51 p.m.	thread_handle: 0x00000020	1	0
NtAllocateVirtualMemory Oct. 3, 2023, 12:51 p.m.	process_identifier: 2108 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
WriteProcessMemory Oct. 3, 2023, 12:51 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELO<lðà0N7 @@ @ø6S@Nà H.textT `.rsrcN@@@.relocà¶@B base_address: 0x00400000 process_identifier: 2108 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 3, 2023, 12:51 p.m.	buffer: base_address: 0x00402000 process_identifier: 2108 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 3, 2023, 12:51 p.m.	buffer: base_address: 0x00424000 process_identifier: 2108 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 3, 2023, 12:51 p.m.	buffer: 0P7 base_address: 0x0042e000 process_identifier: 2108 process_handle: 0x0000002c	1	1
WriteProcessMemory Oct. 3, 2023, 12:51 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2108 process_handle: 0x0000002c	1	1
NtSetContextThread Oct. 3, 2023, 12:51 p.m.	registers.eip: 2005598660 registers.esp: 2948184 registers.edi: 0 registers.eax: 4339534 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2108	1	0
NtResumeThread Oct. 3, 2023, 12:51 p.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2108	1	0
NtResumeThread Oct. 3, 2023, 12:51 p.m.	thread_handle: 0x00000144 suspend_count: 1 process_identifier: 2108	1	0
NtResumeThread Oct. 3, 2023, 12:51 p.m.	thread_handle: 0x000001bc suspend_count: 1 process_identifier: 2108	1	0
NtResumeThread Oct. 3, 2023, 12:51 p.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2108	1	0
NtResumeThread Oct. 3, 2023, 12:51 p.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2108	1	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealer.12!c
MicroWorld-eScan	Gen:Variant.Lazy.379552
FireEye	Gen:Variant.Lazy.379552
McAfee	Artemis!A7E5DD9EA31F
Malwarebytes	Malware.AI.2231202031
Sangfor	Infostealer.Win32.Redline.Vahd
K7AntiVirus	Trojan ( 005ab4bc1 )
Alibaba	TrojanSpy:Win32/RedLine.158b912b
K7GW	Trojan ( 005ab4bc1 )
Arcabit	Trojan.Lazy.D5CAA0
VirIT	Trojan.Win32.GenusT.DPYT
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Kryptik.HUKQ
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-Spy.Win32.Stealer.gen
BitDefender	Gen:Variant.Lazy.379552
Avast	Win32:PWSX-gen [Trj]
Tencent	Malware.Win32.Gencirc.13ed8047
Sophos	Mal/Generic-S
DrWeb	Trojan.Inject4.60348
VIPRE	Gen:Variant.Lazy.379552
TrendMicro	TrojanSpy.Win32.REDLINE.YXDJCZ
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.moderate.ml.score
Emsisoft	Gen:Variant.Lazy.379552 (B)
Jiangmin	Trojan.PSW.Stealerc.de
Gridinsoft	Trojan.Heur!.00002031
Microsoft	Trojan:MSIL/RedLine.MD!MTB
ZoneAlarm	HEUR:Trojan-Spy.Win32.Stealer.gen
GData	Gen:Variant.Lazy.379552
AhnLab-V3	Trojan/Win.RedLine.R600050
VBA32	BScope.TrojanPSW.RedLine
MAX	malware (ai score=88)
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win32.REDLINE.YXDJCZ
Rising	Trojan.SmokeLoader!1.EB50 (CLASSIC)
Yandex	Trojan.Kryptik!wRMFLXYHnOE
Fortinet	W32/Injector.ETFD!tr
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (W)

Ifum2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All