Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 28, 2023, 9:16 a.m.	Nov. 28, 2023, 9:29 a.m.

Size	722.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`bec11ca3a3a72fbb4b93e078f03b2e78`
SHA256	`d5268264e03035ae08616679859a12d0652285022884342333b068c226a209a5`
CRC32	`403F1775`
ssdeep	`12288:QtTzd7BR6wTEvcjRnhgxw7jNqIHqPMj4cV0lFbeBD0jKjE0jQ8C:QtTzpBAvSjgqfsIHq89VyF2JxjQ`
PDB Path	QmshHmzSJ.pdb
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

wealthzx.exe "C:\Users\test22\AppData\Local\Temp\wealthzx.exe"
1572
- wealthzx.exe "C:\Users\test22\AppData\Local\Temp\wealthzx.exe"
  2500

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 28, 2023, 9:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 28, 2023, 9:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 28, 2023, 9:17 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 28, 2023, 9:17 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 28, 2023, 9:16 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:16 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:17 a.m.			0	0
IsDebuggerPresent Nov. 28, 2023, 9:17 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

QmshHmzSJ.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 28, 2023, 9:16 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 28, 2023, 9:17 a.m.	stacktrace: 0x5b0684 0x5b0566 0x5b045d 0x5b00fc DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5b392f registers.esp: 2485672 registers.edi: 2485696 registers.eax: 0 registers.ebp: 2485708 registers.edx: 195 registers.ebx: 2485956 registers.esi: 39028280 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 28, 2023, 9:17 a.m.

stacktrace:

0x5b0684
0x5b0566
0x5b045d
0x5b00fc
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7460f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74897f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74894de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5b392f
registers.esp: 2485672
registers.edi: 2485696
registers.eax: 0
registers.ebp: 2485708
registers.edx: 195
registers.ebx: 2485956
registers.esi: 39028280
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 75 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02230000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00496000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:16 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02331000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02332000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 1572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02333000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02180000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02350000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000b3c00', u'virtual_address': u'0x00002000', u'entropy': 7.968678035906482, u'name': u'.text', u'virtual_size': u'0x000b3a58'}

entropy

7.96867803591

description

A section with a high entropy has been found

entropy

0.996534996535

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 28, 2023, 9:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (13 events)

description	Win Trojan AgentTesla	rule	Win_Trojan_AgentTesla_M_B_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications smtp	rule	Network_SMTP_dotNet
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	1	0	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 28, 2023, 9:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL>ÍIeà¾½ À@ @d½WÀFà H.textÄ `.rsrcFÀ @@.relocà¦@B base_address: 0x00400000 process_identifier: 2500 process_handle: 0x0000024c	1	1
WriteProcessMemory Nov. 28, 2023, 9:17 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalName8db45ef4-f9ad-4e90-8a28-be098d65727b.exe(LegalCopyright \|)OriginalFilename8db45ef4-f9ad-4e90-8a28-be098d65727b.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0043c000 process_identifier: 2500 process_handle: 0x0000024c	1	1
WriteProcessMemory Nov. 28, 2023, 9:17 a.m.	buffer: °À= base_address: 0x0043e000 process_identifier: 2500 process_handle: 0x0000024c	1	1
WriteProcessMemory Nov. 28, 2023, 9:17 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2500 process_handle: 0x0000024c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 28, 2023, 9:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL>ÍIeà¾½ À@ @d½WÀFà H.textÄ `.rsrcFÀ @@.relocà¦@B base_address: 0x00400000 process_identifier: 2500 process_handle: 0x0000024c	1	1	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1572 called NtSetContextThread to modify thread in remote process 2500
NtSetContextThread Nov. 28, 2023, 9:17 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4439486 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000248 process_identifier: 2500	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1572 resumed a thread in remote process 2500
NtResumeThread Nov. 28, 2023, 9:17 a.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2500	1	0	0

Executed a process and injected code into it, probably while unpacking (27 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 28, 2023, 9:16 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1572	1	0
NtResumeThread Nov. 28, 2023, 9:16 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1572	1	0
NtResumeThread Nov. 28, 2023, 9:16 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 1572	1	0
NtResumeThread Nov. 28, 2023, 9:16 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 1572	1	0
NtGetContextThread Nov. 28, 2023, 9:16 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Nov. 28, 2023, 9:16 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Nov. 28, 2023, 9:16 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 1572	1	0
NtGetContextThread Nov. 28, 2023, 9:16 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Nov. 28, 2023, 9:16 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Nov. 28, 2023, 9:16 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 1572	1	0
CreateProcessInternalW Nov. 28, 2023, 9:17 a.m.	thread_identifier: 2504 thread_handle: 0x00000248 process_identifier: 2500 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\wealthzx.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\wealthzx.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000024c	1	1
NtGetContextThread Nov. 28, 2023, 9:17 a.m.	thread_handle: 0x00000248	1	0
NtAllocateVirtualMemory Nov. 28, 2023, 9:17 a.m.	process_identifier: 2500 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000024c	1	0
WriteProcessMemory Nov. 28, 2023, 9:17 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL>ÍIeà¾½ À@ @d½WÀFà H.textÄ `.rsrcFÀ @@.relocà¦@B base_address: 0x00400000 process_identifier: 2500 process_handle: 0x0000024c	1	1
WriteProcessMemory Nov. 28, 2023, 9:17 a.m.	buffer: base_address: 0x00402000 process_identifier: 2500 process_handle: 0x0000024c	1	1
WriteProcessMemory Nov. 28, 2023, 9:17 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalName8db45ef4-f9ad-4e90-8a28-be098d65727b.exe(LegalCopyright \|)OriginalFilename8db45ef4-f9ad-4e90-8a28-be098d65727b.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0043c000 process_identifier: 2500 process_handle: 0x0000024c	1	1
WriteProcessMemory Nov. 28, 2023, 9:17 a.m.	buffer: °À= base_address: 0x0043e000 process_identifier: 2500 process_handle: 0x0000024c	1	1
WriteProcessMemory Nov. 28, 2023, 9:17 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2500 process_handle: 0x0000024c	1	1
NtSetContextThread Nov. 28, 2023, 9:17 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4439486 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000248 process_identifier: 2500	1	0
NtResumeThread Nov. 28, 2023, 9:17 a.m.	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Nov. 28, 2023, 9:17 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Nov. 28, 2023, 9:17 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Nov. 28, 2023, 9:17 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Nov. 28, 2023, 9:17 a.m.	thread_handle: 0x00000284 suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Nov. 28, 2023, 9:17 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Nov. 28, 2023, 9:17 a.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 2500	1	0
NtResumeThread Nov. 28, 2023, 9:17 a.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 2500	1	0

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Generic.bc
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	Scr.Malcode!gdn34
ESET-NOD32	a variant of MSIL/Kryptik.AKGA
APEX	Malicious
Kaspersky	HEUR:Backdoor.MSIL.Remcos.gen
Avast	Win32:PWSX-gen [Trj]
DrWeb	Trojan.Inject4.59820
TrendMicro	TrojanSpy.Win32.NEGASTEAL.YXDK2Z
Sophos	Troj/Krypt-ABH
Google	Detected
Varist	W32/MSIL_Agent.FPI.gen!Eldorado
Kingsoft	MSIL.Backdoor.Remcos.gen
Microsoft	Trojan:MSIL/AgentTesla.KABH!MTB
Gridinsoft	Trojan.Win32.Kryptik.sa
ZoneAlarm	HEUR:Backdoor.MSIL.Remcos.gen
GData	Win32.Trojan.Agent.D8SDKF
Cynet	Malicious (score: 100)
McAfee	Artemis!BEC11CA3A3A7
Cylance	unsafe
Rising	Malware.Obfus/MSIL@AI.90 (RDM.MSIL2:v9AbU/5F5+q6+8IWQa4ISQ)
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ATU!tr
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS

wealthzx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All