Summary | ZeroBOX

Documento.txt.exe (double extension: despite the ".txt" the file is a PE32 .NET executable, see Type below)

Tags: UPX, PE32, PE File, .NET EXE

Category: FILE
Machine: s1_win7_x6401
Started: Nov. 30, 2023, 2:38 p.m.
Completed: Nov. 30, 2023, 2:40 p.m.
Size: 14.5KB
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 1af7a2e45f20ad74e091fc976be0492e
SHA256: a851d4ab461d793a24ef9e1e58d6ae5bf6b27bd0ff0b5a0f470b301b1c00a949
CRC32: 47D44FAD
ssdeep: 192:7+8C+EKS0O9ejYTDG8bcp4Ll7GnieXubWyD9JEBkGxVXzqoNNRJc:7NVjYTDG8gp6leXTyD3Enx0oNK
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • UPX_Zero - UPX packed file

DNS (Name, Response, Post-Analysis Lookup)
marcelotatuape.ddns.net -> 177.52.82.174

Hosts (IP Address, Status, Action)
164.124.101.2 Active Moloch (the resolver the analysis VM sent its port-53 queries to, see the Suricata flows below)
177.52.82.174 Active Moloch

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 | 2028675 | ET POLICY DNS Query to DynDNS Domain *.ddns .net | Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53 | 2028675 | ET POLICY DNS Query to DynDNS Domain *.ddns .net | Potentially Bad Traffic
Both alerts are the analysis VM's DNS queries for marcelotatuape.ddns.net to the resolver 164.124.101.2 (signature text kept as reported, including the space in ".ddns .net").
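The two alerts above are a resolver-side check for a dynamic-DNS suffix. The following is an added example (not part of the ZeroBOX report, and not Suricata or Emerging Threats code) that re-implements the same idea over DNS query logs and pairs each flagged query with the answer it received, so the analyst gets the rotating name and the address it currently points at together, as the post-analysis lookup does. The suffix list, the log line format and the sample lines are assumptions made for this example; the client, resolver and ddns.net host are the ones in the report, while example.com and 203.0.113.10 are placeholders.

```python
"""Detect DNS queries to dynamic-DNS domains in DNS log lines and pair each
query with the answers seen for that name.

Added example (not ZeroBOX, Suricata or Emerging Threats code). It mirrors the
idea behind SID 2028675 ("DNS Query to DynDNS Domain *.ddns .net") as a
log-level check; the suffix list, log format and sample lines are assumptions.
"""
from collections import defaultdict

# Assumption: a short list of dynamic-DNS suffixes. Emerging Threats covers many
# more providers, each under its own SID; extend this list to match your rules.
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.com", "duckdns.org", "dyndns.org")

# Constructed sample log, one record per line:
#   <timestamp> <src ip:port> <dst ip:port> query|answer <name> [<answer ip>]
# Client, resolver and the ddns.net host are those in the report; example.com and
# 203.0.113.10 (RFC 5737 documentation address) are placeholders.
SAMPLE_LOG = """\
2023-11-30T14:38:12 192.168.56.101:59002 164.124.101.2:53 query marcelotatuape.ddns.net
2023-11-30T14:38:12 164.124.101.2:53 192.168.56.101:59002 answer marcelotatuape.ddns.net 177.52.82.174
2023-11-30T14:38:13 192.168.56.101:50101 164.124.101.2:53 query example.com
2023-11-30T14:38:13 164.124.101.2:53 192.168.56.101:50101 answer example.com 203.0.113.10
2023-11-30T14:38:40 192.168.56.101:54148 164.124.101.2:53 query marcelotatuape.ddns.net
"""


def is_dyndns(name: str) -> bool:
    """True if name is a dynamic-DNS apex or any subdomain of one.

    Matching is done on label boundaries so that "myddns.net" does not match
    "ddns.net"; a trailing dot and letter case are normalised first.
    """
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def parse_line(line: str) -> dict:
    """Split one log record into its fields; 'answer' is None for queries."""
    parts = line.split()
    rec = {"ts": parts[0], "src": parts[1], "dst": parts[2], "kind": parts[3],
           "name": parts[4].rstrip(".").lower(), "answer": None}
    if rec["kind"] == "answer" and len(parts) > 5:
        rec["answer"] = parts[5]
    return rec


def find_dyndns_queries(log: str) -> list:
    """Return one hit per query to a dynamic-DNS name; each hit carries every
    address the log shows that name resolving to (empty list if no answer)."""
    records = [parse_line(l) for l in log.splitlines() if l.strip()]
    answers = defaultdict(list)
    for r in records:
        if r["kind"] == "answer" and r["answer"] and is_dyndns(r["name"]):
            if r["answer"] not in answers[r["name"]]:
                answers[r["name"]].append(r["answer"])
    hits = []
    for r in records:
        if r["kind"] == "query" and is_dyndns(r["name"]):
            hits.append({"ts": r["ts"], "src": r["src"], "resolver": r["dst"],
                         "name": r["name"], "resolved_to": list(answers[r["name"]])})
    return hits


if __name__ == "__main__":
    for h in find_dyndns_queries(SAMPLE_LOG):
        print(f'{h["ts"]} {h["src"]} -> {h["resolver"]} {h["name"]} '
              f'resolved_to={h["resolved_to"] or "(no answer seen)"}')
```

The suffix list and the line format are the parts to swap for your own resolver or Zeek/Suricata DNS logs; the query/answer pairing is what makes the hit actionable, since the dynamic-DNS name is expected to change while the address it resolves to at analysis time (here 177.52.82.174) is what the rest of the report keys on.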

Suricata TLS

No Suricata TLS

API calls (columns: Time, API, Arguments, Status, Return, Repeated)

GetComputerNameW
    computer_name: TEST22-PC
    Status 1, Return 1, Repeated 0
IsDebuggerPresent
    (no arguments)
    0 0 (returned 0: no debugger detected)
__exception__ (exception caught by the monitor in PID 2560; Status Return Repeated follow the registers)

stacktrace:
mscorlib+0x216e76 @ 0x71fa6e76
mscorlib+0x2202ff @ 0x71fb02ff
mscorlib+0x216df4 @ 0x71fa6df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x72891b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x728a8dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x728b6a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x728b6a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x728b6a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x72933191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x728e192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x728e18cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x728e17f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x728e197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x72932f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x7293303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x729f805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 39 09 e8 d1 5e f3 70 eb 05 e8 56 19 0d 72 b9 1c
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION)
exception.symbol: (none; 0x7c02d0 is not inside a loaded module image)
exception.address: 0x7c02d0
registers.esp: 73397880
registers.edi: 0
registers.eax: 0
registers.ebp: 73397912
registers.edx: 0
registers.ebx: 38682612
registers.esi: 38678464
registers.ecx: 0
Status 1, Return 0, Repeated 0

Reading: "cmp dword ptr [ecx], ecx" (bytes 39 09) is the form the x86 CLR JIT emits as an explicit null check, and ECX is 0 here, so this is a managed NullReferenceException surfacing as an access violation in JIT-compiled code (hence no module symbol at the faulting address), with mscorlib and mscorwks frames above it. It is a crash of the sample's own managed code, not evidence of a memory-corruption primitive.
domain: marcelotatuape.ddns.net (dynamic-DNS host queried during the run; see the DNS and Suricata sections above)
Memory allocation and protection calls with PAGE_EXECUTE_READWRITE (columns: API, arguments, then Status Return Repeated). All calls come from PID 2560 against its own process (process_handle 0xffffffff is the current-process pseudo-handle). One 1,703,936-byte RWX region is reserved at 0x006d0000, followed by a series of 4 KB and 8 KB RWX commits in the 0x0052a000-0x0057b000 range plus single pages at 0x00830000, 0x007c0000 and 0x04840000; the two NtProtectVirtualMemory calls make pages at 0x72891000 and 0x72892000 RWX, which lie inside the mscorwks.dll image (base 0x72890000, from "mscorwks+0x1b4c @ 0x72891b4c" in the stack trace above). Before reading any of this as unpacking, compare it with a benign .NET 2.0/3.5 executable in the same sandbox: the mscorwks-era JIT allocates its code heaps RWX as well, so only the volume and the module-image protection changes are worth scoring.

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00830000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00522000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00532000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00533000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0057b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00577000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00534000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00536000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00562000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0055a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00557000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0052b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04840000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
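A practitioner reading the rows above usually wants three numbers out of them rather than the rows themselves: how much memory was made RWX, how many rows carried the heap_dep_bypass flag, and whether any protection change hit a loaded module image. The following is an added example (not ZeroBOX or Cuckoo code) that computes exactly that from records shaped like the rows above. SAMPLE_CALLS is a constructed subset of those rows with values copied from the report; MODULES is an assumption, with the mscorwks base derived from the stack trace and its size only a lower bound taken from the largest offset seen there (mscorwks+0x16805a).

```python
"""Triage the PAGE_EXECUTE_READWRITE rows of a sandbox API log.

Added example, not ZeroBOX/Cuckoo code. Counts RWX allocations, totals the
bytes reserved and committed RWX, sums the heap_dep_bypass flags, and lists
NtProtectVirtualMemory calls whose target lies inside a loaded module image.
Record keys mirror the argument names in the report; SAMPLE_CALLS is a
constructed subset of its rows. MODULES is an assumption: base 0x72890000
follows from "mscorwks+0x1b4c @ 0x72891b4c" in the stack trace, the size is a
lower bound from the largest offset seen there (mscorwks+0x16805a).
"""

PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000

# Constructed subset of the report's rows (values copied from the page).
SAMPLE_CALLS = [
    {"api": "NtAllocateVirtualMemory", "base_address": 0x006D0000, "region_size": 1703936,
     "protection": 0x40, "allocation_type": MEM_RESERVE, "heap_dep_bypass": 0},
    {"api": "NtAllocateVirtualMemory", "base_address": 0x00830000, "region_size": 4096,
     "protection": 0x40, "allocation_type": MEM_COMMIT, "heap_dep_bypass": 1},
    {"api": "NtProtectVirtualMemory", "base_address": 0x72891000, "length": 4096,
     "protection": 0x40},
    {"api": "NtAllocateVirtualMemory", "base_address": 0x0052A000, "region_size": 4096,
     "protection": 0x40, "allocation_type": MEM_COMMIT, "heap_dep_bypass": 1},
    {"api": "NtProtectVirtualMemory", "base_address": 0x72892000, "length": 8192,
     "protection": 0x40},
    {"api": "NtAllocateVirtualMemory", "base_address": 0x04840000, "region_size": 4096,
     "protection": 0x40, "allocation_type": MEM_COMMIT, "heap_dep_bypass": 1},
]

# Assumed module map: (name, image base, size). Size is a lower bound, see above.
MODULES = [("mscorwks.dll", 0x72890000, 0x170000)]


def module_for(addr: int):
    """Return the name of the module whose image contains addr, or None."""
    for name, base, size in MODULES:
        if base <= addr < base + size:
            return name
    return None


def is_rwx(call: dict) -> bool:
    """True for PAGE_EXECUTE_READWRITE. Modifier bits (PAGE_GUARD 0x100,
    PAGE_NOCACHE 0x200, PAGE_WRITECOMBINE 0x400) sit above the low byte, so
    only the low byte is compared."""
    return (call["protection"] & 0xFF) == PAGE_EXECUTE_READWRITE


def triage(calls: list) -> dict:
    """Summarise RWX memory activity in one pass over the call records."""
    out = {"rwx_allocations": 0, "rwx_reserved_bytes": 0,
           "rwx_committed_bytes": 0, "heap_dep_bypass": 0,
           "protect_in_module": []}
    for c in calls:
        if not is_rwx(c):
            continue
        if c["api"] == "NtAllocateVirtualMemory":
            out["rwx_allocations"] += 1
            # A call may both reserve and commit; count each flag separately.
            if c["allocation_type"] & MEM_RESERVE:
                out["rwx_reserved_bytes"] += c["region_size"]
            if c["allocation_type"] & MEM_COMMIT:
                out["rwx_committed_bytes"] += c["region_size"]
            out["heap_dep_bypass"] += c.get("heap_dep_bypass", 0)
        elif c["api"] == "NtProtectVirtualMemory":
            mod = module_for(c["base_address"])
            if mod is not None:
                out["protect_in_module"].append((c["base_address"], c["length"], mod))
    return out


if __name__ == "__main__":
    r = triage(SAMPLE_CALLS)
    print(f'{r["rwx_allocations"]} RWX allocations: {r["rwx_reserved_bytes"]} bytes '
          f'reserved, {r["rwx_committed_bytes"]} committed, '
          f'{r["heap_dep_bypass"]} rows flagged heap_dep_bypass')
    for addr, length, mod in r["protect_in_module"]:
        print(f"RWX protection change inside {mod}: 0x{addr:08x} (+{length} bytes)")
```

Feed it the full row set and a real module list (from the report's loaded-module section, or from a memory dump) and the "protect_in_module" list is the part to act on; the RWX totals need a baseline from a clean .NET 2.0/3.5 run in the same sandbox before they mean anything on their own.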
dead_host: 177.52.82.174:333 (connection attempted to the address marcelotatuape.ddns.net resolved to, on port 333; the host did not respond during the run)

Antivirus (vendor, detection name)
Lionic Trojan.Win32.RevengeRat.4!c
Elastic Windows.Trojan.Revengerat
MicroWorld-eScan IL:Trojan.MSILZilla.19283
CAT-QuickHeal Trojan.RratFC.S20328350
Skyhigh GenericRXJF-GR!1AF7A2E45F20
ALYac IL:Trojan.MSILZilla.19283
Malwarebytes Generic.Malware.AI.DDS
Sangfor Suspicious.Win32.Save.a
Alibaba Backdoor:Win32/RevengeRat.d1e1d215
Cybereason malicious.b29212
Arcabit IL:Trojan.MSILZilla.D4B53
VirIT Trojan.Win32.MSIL.DOY
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Agent.ATK
APEX Malicious
ClamAV Win.Packed.Razy-9645384-0
Kaspersky HEUR:Trojan.Win32.RRAT.gen
BitDefender IL:Trojan.MSILZilla.19283
Avast Win32:BackdoorX-gen [Trj]
Tencent Win32.Trojan.Rrat.Kflw
Emsisoft IL:Trojan.MSILZilla.19283 (B)
F-Secure Trojan.TR/ATRAPS.Gen
DrWeb BackDoor.RevetRat.2
VIPRE IL:Trojan.MSILZilla.19283
TrendMicro TROJ_GEN.R014C0DKT23
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.1af7a2e45f20ad74
Sophos Troj/RAT-GS
Ikarus Win32.Outbreak
Webroot W32.Malware.Gen
Google Detected
Avira TR/ATRAPS.Gen
Varist W32/MSIL_Kryptik.AXU.gen!Eldorado
Antiy-AVL Trojan/Win32.RRAT
Kingsoft Win32.Trojan.RRAT.gen
Gridinsoft Trojan.Win32.Gen.tr
Microsoft Backdoor:MSIL/RevengeRat
ZoneAlarm HEUR:Trojan.Win32.RRAT.gen
GData Win32.Trojan.Agent.4KI6L2
Cynet Malicious (score: 99)
AhnLab-V3 Trojan/Win32.RL_Generic.C3517676
McAfee GenericRXJF-GR!1AF7A2E45F20
MAX malware (ai score=84)
VBA32 Backdoor.MSIL.Revenge.Heur
Cylance unsafe
Panda Trj/CI.A
Zoner Trojan.Win32.86676
TrendMicro-HouseCall TROJ_GEN.R014C0DKT23
Rising Backdoor.LimeRat!1.D55A (CLASSIC)
SentinelOne Static AI - Malicious PE