Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 22, 2024, 7:37 a.m.	July 22, 2024, 7:39 a.m.

Size	3.0MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`387539254d02064c55935e94f0f56649`
SHA256	`0479d70c31696169a09d37e34d511b587b1a678563867e41b4881325e9f96101`
CRC32	`D78EAD08`
ssdeep	`49152:m0l/K0FDru/04QwSrjtujaLI7vrrgzS77VuaqqBO6Gjj7hVrETZmq+Orinkp+cIi:mmdFDrOSSaLIduDqMb3zCgq+O2ngIi`
PDB Path	C:\Users\Admin\Desktop\ç§æ\åµå°¸\è¿æ§\CcRemote-master\bin\server\Loder.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

5.exe "C:\Users\test22\AppData\Local\Temp\5.exe"
2584

Name	Response	Post-Analysis Lookup
botbot.ddosvps.cc	A 209.141.53.247	209.141.53.247

IP Address	Status	Action
164.124.101.2	Active	Moloch
209.141.53.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2027758	ET DNS Query for .cc TLD	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 22, 2024, 7:37 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\Admin\Desktop\ç§æ\åµå°¸\è¿æ§\CcRemote-master\bin\server\Loder.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sedata

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ July 22, 2024, 7:37 a.m.	stacktrace: 5+0x52e33e @ 0x92e33e 5+0x56853e @ 0x96853e RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: eb 09 25 b4 2a 4d bc 0c 21 60 a3 c3 e9 51 ff ff exception.symbol: 5+0x48b8f2 exception.instruction: jmp 0x88b8fd exception.module: 5.exe exception.exception_code: 0x80000003 exception.offset: 4765938 exception.address: 0x88b8f2 registers.esp: 1638008 registers.edi: 0 registers.eax: 0 registers.ebp: 1638052 registers.edx: 582600 registers.ebx: 5 registers.esi: 10992784 registers.ecx: 10992784	1
__exception__ July 22, 2024, 7:37 a.m.	stacktrace: exception.instruction_r: 83 ec 15 eb 45 42 fd cc 5f 8b 5c 24 10 86 5c 24 exception.symbol: 5+0x4b36fc exception.instruction: sub esp, 0x15 exception.module: 5.exe exception.exception_code: 0x80000004 exception.offset: 4929276 exception.address: 0x8b36fc registers.esp: 1637016 registers.edi: 1637020 registers.eax: 447908296 registers.ebp: 9140415 registers.edx: 8912904 registers.ebx: 4030362123 registers.esi: 1637256 registers.ecx: 2224728150	1
__exception__ July 22, 2024, 7:37 a.m.	stacktrace: exception.instruction_r: 83 ec 15 eb 45 42 fd cc 5f 8b 5c 24 10 86 5c 24 exception.symbol: 5+0x4b36fc exception.instruction: sub esp, 0x15 exception.module: 5.exe exception.exception_code: 0x80000004 exception.offset: 4929276 exception.address: 0x8b36fc registers.esp: 44694344 registers.edi: 44694348 registers.eax: 143882497 registers.ebp: 9140415 registers.edx: 8912900 registers.ebx: 4030362123 registers.esi: 44694584 registers.ecx: 2224728150	1

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

botbot.ddosvps.cc

description

Cocos Islands domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 4864 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02280000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 region_size: 1576960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 region_size: 294912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 24576 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x759aa000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 7:37 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (9 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005c8990

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005c8990

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005c8990

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005c8990

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005c8990

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005c8990

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005c8990

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005c8990

size

0x00000468

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005c8df8

size

0x00000076

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x001be400', u'virtual_address': u'0x00001000', u'entropy': 7.999895692846306, u'name': u'.text', u'virtual_size': u'0x0047f000'}

entropy

7.99989569285

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x000ed400', u'virtual_address': u'0x00480000', u'entropy': 7.56501121290551, u'name': u'.sedata', u'virtual_size': u'0x000ee000'}

entropy

7.56501121291

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001000', u'virtual_address': u'0x005c9000', u'entropy': 7.981681229433839, u'name': u'.sedata', u'virtual_size': u'0x00001000'}

entropy

7.98168122943

description

A section with a high entropy has been found

entropy

0.883368285207

description

Overall entropy of this PE file is high

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	209.141.53.247:7788
dead_host	192.168.56.101:49163

5.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All