Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 31, 2024, 3:40 p.m.	Jan. 31, 2024, 3:57 p.m.

Size	81.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ac15ae1e49f4272e8d38b5fd5573ce35`
SHA256	`c886e938dd26ca17bd29feea36d4c487483bb05d86b3c382e045b88925b27149`
CRC32	`7D824B12`
ssdeep	`1536:D7Vs/tSdQLcSjAA0C0rEr2ofgNTX0g/+PmN/10BmglZqiqazVkP5tJCFPzRUR2lX:D5MmQLcxAarEDINTD/+Pmn0BmgnpzmcP`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

%40dramo%40.exe "C:\Users\test22\AppData\Local\Temp\%40dramo%40.exe"
2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.67.75.166	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Jan. 31, 2024, 3:40 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Jan. 31, 2024, 3:40 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 31, 2024, 3:40 p.m.			0	0
IsDebuggerPresent Jan. 31, 2024, 3:40 p.m.			0	0
IsDebuggerPresent Jan. 31, 2024, 3:40 p.m.			0	0
IsDebuggerPresent Jan. 31, 2024, 3:40 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 31, 2024, 3:40 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 31, 2024, 3:40 p.m.	process_identifier: 2544 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 31, 2024, 3:40 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 31, 2024, 3:40 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 31, 2024, 3:40 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 31, 2024, 3:40 p.m.	process_identifier: 2544 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e20000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 31, 2024, 3:40 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 31, 2024, 3:40 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 31, 2024, 3:40 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 31, 2024, 3:40 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 31, 2024, 3:40 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 31, 2024, 3:40 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00775000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 31, 2024, 3:40 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0077b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 31, 2024, 3:40 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00777000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Communicates with host for which no DNS query was performed (1 event)

host

172.67.75.166

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.mh
ALYac	IL:Trojan.MSILZilla.84428
Cylance	unsafe
VIPRE	IL:Trojan.MSILZilla.84428
Sangfor	Downloader.Msil.Amadey.Vjb6
BitDefender	IL:Trojan.MSILZilla.84428
Cybereason	malicious.499269
Arcabit	IL:Trojan.MSILZilla.D149CC
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.QET
APEX	Malicious
McAfee	Artemis!AC15AE1E49F4
Avast	Win32:CrypterX-gen [Trj]
ClamAV	Win.Packed.Seraph-10016137-0
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
Alibaba	TrojanDownloader:MSIL/Amadey.88b7016e
MicroWorld-eScan	IL:Trojan.MSILZilla.84428
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:PaU2CR43U+f4zIE7D3GF1w)
Emsisoft	IL:Trojan.MSILZilla.84428 (B)
DrWeb	Trojan.DownLoaderNET.921
FireEye	Generic.mg.ac15ae1e49f4272e
Ikarus	Trojan.MSIL.Crypt
Webroot	W32.Trojan.MSILZilla
Google	Detected
MAX	malware (ai score=86)
Antiy-AVL	Trojan[Downloader]/MSIL.Seraph
Kingsoft	malware.kb.c.1000
Microsoft	Trojan:MSIL/Amadey.RDQ!MTB
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Seraph.gen
GData	IL:Trojan.MSILZilla.84428
Varist	W32/MSIL_Downldr.T.gen!Eldorado
BitDefenderTheta	Gen:NN.ZemsilF.36680.fm0@aOQTUwc
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Crypt.MSIL.Generic
Tencent	Msil.Trojan-Downloader.Ader.Czlw
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Kryptik.AKQX!tr
AVG	Win32:CrypterX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (W)

%40dramo%40.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All