Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 9, 2024, 9:22 a.m.	Aug. 9, 2024, 9:24 a.m.

Size	2.1MB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`def6f274c14351d9cf0f49798b5a833d`
SHA256	`755e26648921c2f5a9a8cb424fef4349958456144470377990788b2f4a58f505`
CRC32	`28A34259`
ssdeep	`49152:xWiP0wV0hJ5VGx6ODJ1+DEtWX33oG1Sdfol:FVUckab9G`
PDB Path	÷LGÈ#G¾½/¬É]ÈSdbX>kvGð¿ëþ{ç´IòÚ)PûØ °îª°r >ÄæÏ#Ôµ[¤ÐH,s7à$eeMhj
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) Antivirus - Contains references to security software UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

file234.exe "C:\Users\test22\AppData\Local\Temp\file234.exe"
2568
- CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2652
  - Gmve9T42uH5af2pxVBRXt6Er.exe "C:\Users\test22\Pictures\Gmve9T42uH5af2pxVBRXt6Er.exe"
    2852

Name	Response	Post-Analysis Lookup
yip.su	A 104.21.79.77 A 172.67.169.89	104.21.79.77
raw.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.110.133
pastebin.com	A 104.20.4.235 A 172.67.19.24 A 104.20.3.235	172.67.19.24
iplogger.com	A 172.67.188.178 A 104.21.76.57	172.67.188.178
github.com	A 20.200.245.247	20.200.245.247
ironmanrecycling.com	A 147.45.60.44	147.45.60.44
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233

IP Address	Status	Action
104.20.3.235	Active	Moloch
104.21.76.57	Active	Moloch
104.21.79.77	Active	Moloch
147.45.60.44	Active	Moloch
162.159.133.233	Active	Moloch
164.124.101.2	Active	Moloch
185.199.111.133	Active	Moloch
194.58.114.223	Active	Moloch
20.200.245.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49166 -> 20.200.245.247:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 185.199.111.133:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 162.159.133.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49170 -> 162.159.133.233:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
UDP 192.168.56.101:53850 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 192.168.56.101:49164 -> 104.20.3.235:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 104.21.79.77:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 104.21.76.57:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49172 -> 104.21.76.57:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 147.45.60.44:80 -> 192.168.56.101:49168	2014819	ET INFO Packed Executable Download	Misc activity
TCP 147.45.60.44:80 -> 192.168.56.101:49168	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 147.45.60.44:80 -> 192.168.56.101:49168	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2047719	ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)	Device Retrieving External IP Address Detected
TCP 194.58.114.223:80 -> 192.168.56.101:49165	2049228	ET HUNTING Redirect to Discord Attachment Download	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49166 20.200.245.247:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=github.com	e7:03:5b:cc:1c:18:77:1f:79:2f:90:86:6b:6c:1d:f8:df:aa:bd:c0
TLS 1.2 192.168.56.101:49169 185.199.111.133:443	C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=*.github.io	97:d8:c5:70:0f:12:24:6c:88:bc:fa:06:7e:8c:a7:4d:a8:62:67:28
TLS 1.2 192.168.56.101:49170 162.159.133.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=discordapp.com	97:8b:ee:ad:1e:bf:a1:69:e7:94:29:f7:55:7a:29:64:19:c7:81:39
TLS 1.2 192.168.56.101:49164 104.20.3.235:443	C=US, O=Google Trust Services, CN=WE1	CN=pastebin.com	82:49:c5:04:9a:bd:a9:c1:ab:4d:ff:95:b9:94:74:cc:40:bc:09:7f
TLS 1.2 192.168.56.101:49167 104.21.79.77:443	C=US, O=Google Trust Services, CN=WE1	CN=yip.su	cd:f2:dd:c5:ee:57:d1:5f:01:8c:10:00:ac:b5:85:96:0e:f7:0a:32
TLS 1.2 192.168.56.101:49172 104.21.76.57:443	C=US, O=Google Trust Services, CN=WE1	CN=iplogger.com	ff:db:b3:bf:95:97:b5:c1:dd:90:3f:4c:9a:d3:69:3b:39:78:66:96

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 9, 2024, 9:22 a.m.			0	0
IsDebuggerPresent Aug. 9, 2024, 9:22 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

÷LGÈ#G¾½/¬É]ÈSdbX>kvGð¿ëþ{ç´IòÚ)PûØ °îª°r >ÄæÏ#Ôµ[¤ÐH,s7à$eeMhj

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 9, 2024, 9:22 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.managed
section	hydrated

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

BINARY

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://194.58.114.223/d/385121
suspicious_features	GET method with no useragent header	suspicious_request	GET http://ironmanrecycling.com/get/setup1.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/xYhKBupz
suspicious_features	GET method with no useragent header	suspicious_request	GET https://github.com/evan9908/Setup/raw/main/Filemy.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/1271038807315185718/1271141520195715093/setup.exe?ex=66b6424b&is=66b4f0cb&hm=de560db8ff6dd3fa9ac31172f1bd3d348b35190c8d570ea98c882ca3b5c00fdd&
suspicious_features	GET method with no useragent header	suspicious_request	GET https://yip.su/RNWPd.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.com/1uNwK4

Performs some HTTP requests (7 events)

request	GET http://194.58.114.223/d/385121
request	GET http://ironmanrecycling.com/get/setup1.exe
request	GET https://pastebin.com/raw/xYhKBupz
request	GET https://github.com/evan9908/Setup/raw/main/Filemy.exe
request	GET https://cdn.discordapp.com/attachments/1271038807315185718/1271141520195715093/setup.exe?ex=66b6424b&is=66b4f0cb&hm=de560db8ff6dd3fa9ac31172f1bd3d348b35190c8d570ea98c882ca3b5c00fdd&
request	GET https://yip.su/RNWPd.exe
request	GET https://iplogger.com/1uNwK4

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

yip.su

description

Soviet Union domain TLD

Allocates read-write-execute memory (usually to unpack itself) (21 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02310000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 53248 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0027d000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2852 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SPn8Rj3ST7TdE9SdoZ97brm9.bat
file	C:\Users\test22\AppData\Local\ynJjrs4lmoB9BYSHCM7P963B.exe
file	C:\Users\test22\Pictures\7Rhe9M4GgyAVkmvttYuyr6j3.exe
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nQNC6ySAsopWCVZx3Yt6kwsU.bat
file	C:\Users\test22\Pictures\Gmve9T42uH5af2pxVBRXt6Er.exe
file	C:\Users\test22\AppData\Local\xMKTkOlDSnrEwAao3HHx8qqW.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\ynJjrs4lmoB9BYSHCM7P963B.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 9, 2024, 9:22 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\7Rhe9M4GgyAVkmvttYuyr6j3.exe parameters: filepath: C:\Users\test22\Pictures\7Rhe9M4GgyAVkmvttYuyr6j3.exe		0	0
ShellExecuteExW Aug. 9, 2024, 9:22 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\Gmve9T42uH5af2pxVBRXt6Er.exe parameters: filepath: C:\Users\test22\Pictures\Gmve9T42uH5af2pxVBRXt6Er.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 9, 2024, 9:22 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process caspol.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Aug. 9, 2024, 9:22 a.m.	buffer: HTTP/1.1 200 OK Date: Fri, 09 Aug 2024 00:22:32 GMT Server: nginx/1.26.1 Content-Type: application/x-dosexec Content-Length: 218624 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $§xãíÜãíÜãíÜ^¢ÜáíÜý¿ÜÁíÜý¿ÜúíÜý¿ÜcíÜÄ+mÜæíÜãíÜíÜý¿ÜâíÜý¿ÜâíÜý¿ÜâíÜRichãíÜPELâ]dà ÎÛ°@ò lË<8q°¨.textû `.rdataÆ$°&@@.dataè)à&¾@À.rsrc8qrä@@ÿ%0°B; àBuóÃéÐÿUìì S3Û9]uèSSSSSÇèÄÈÿëME;ÃtÜVEèEàEPSÿuEàPÇEäÿÿÿÇEìBè ÄÿMäðxEàëEàPSèaYYÆ^[ÉÃÿUìì S3Û9]uèSSSSSÇèÄÈÿëNE;ÃtÜVÿuEèÿuEàÿuEàPÇEäÿÿÿÇEìBè ÄÿMäðxEàëEàPSèãYYÆ^[ÉÃÿUìÿujÿuÿuèmÿÿÿÄ]ÃÿUìQeüVEüPÿuÿuè¸ðÄöu9Eütè\Àt èSMüÆ^ÉÃjhÇBèZ3À3ö9uÀ;ÆuèÇVVVVVè²ÄÈÿë8ètPVèYYuüÿuÿuÿuèZPÿUÄEäÇEüþÿÿÿèEäè7Ã3öè4PVè³YYÃÿUìEPjÿuh-@èbÿÿÿÄ]ÃÿUìj jÿuèT-Ä]ÃÿUì]éßÿÿÿjh0ÇBè3ÿ}ä3Àu;÷À;Çu èaÇWWWWWèéÄÈÿé´Vè~Y}üöF@uwVè0YøÿtøþtÐÁúÈáÁáÀèCë¹äBöA$u)øÿtøþtÈÁùàÁàÀèCë¸äBö@$tèÖÇWWWWWè^ÄMäÿ9}äuÿNx ¶AëVè,YEäÇEüþÿÿÿèEäèïÃuVè4YÃÿUìQSVWÿ5¤èCè0ÿ5 èCø}üès0ðYY;÷Þ+ßCørwWè¨6øCY;øsH¸;øsÇÇ;ÇrPÿuüèä5YYÀuG;Çr@PÿuüèÎ5YYÀt1ÁûP4è/Y£¤èCÿuè/ÆVèu/Y£ èCEYë3À_^[ÉÃÿVjj è85ðVèN/Ä£¤èC£ èCöujX^Ã&3À^ÃjhPÇBè§è-7eüÿuèøþÿÿYEäÇEüþÿÿÿè EäèÃÃè7ÃÿUìÿuè·ÿÿÿ÷ØÀ÷ØYH]ÃjhpÇBèT3À3ö9uÀ;Æuè$ÇVVVVVè¬ÄÈÿë_ènj [ÃPjèyYYuüèWÃPè,9YøEPVÿuè?ÃPèEäè/ÃPWè9ÄÇEüþÿÿÿè Eäè Ãè À PjèYYÃ¡àBÈ3É9`þBÁÁÃÿUì=lþBuèz;ÿuèÇ9hÿèé5YY]ÃjXhÇBèf3öuüEPÿ°Bjþ_}ü¸MZf9@u8¡<@¸@PEu'¹f9@u¸t@v3É9°è@ÁMäëuä3ÛCSèW@YÀujèXÿÿÿYè{1ÀujèGÿÿÿYèè?]üèÌÀ}jèè4YèÉ?£äùCèh?£hþBè°>À}jèÃ4Yèp<À}j è²4YSèj5Y;ÆtPè 4Yè<]Ät·MÈëj YQPVh@è¿:Eà9uäuPèá6è7}üë5Eì MÜPQèc:YYÃeèEÜEà received: 2920 socket: 1612	1	2920	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000c0600', u'virtual_address': u'0x00194000', u'entropy': 6.829884620312259, u'name': u'.rdata', u'virtual_size': u'0x000c050c'}

entropy

6.82988462031

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00003200', u'virtual_address': u'0x00278000', u'entropy': 7.806001552091775, u'name': u'.rsrc', u'virtual_size': u'0x000030f4'}

entropy

7.80600155209

description

A section with a high entropy has been found

entropy

0.371849738469

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

194.58.114.223

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000110	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 9, 2024, 9:22 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SPn8Rj3ST7TdE9SdoZ97brm9.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nQNC6ySAsopWCVZx3Yt6kwsU.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\Pictures\7Rhe9M4GgyAVkmvttYuyr6j3.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2568 resumed a thread in remote process 2652
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x000000000000010c suspend_count: 1 process_identifier: 2652	1	0	0

Executed a process and injected code into it, probably while unpacking (18 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x00000000000000b8 suspend_count: 1 process_identifier: 2568	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x00000000000000f4 suspend_count: 1 process_identifier: 2568	1	0
CreateProcessInternalW Aug. 9, 2024, 9:22 a.m.	thread_identifier: 2656 thread_handle: 0x000000000000010c process_identifier: 2652 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000110	1	1
NtUnmapViewOfSection Aug. 9, 2024, 9:22 a.m.	base_address: 0x0000000000400000 region_size: 8126464 process_identifier: 2652 process_handle: 0x0000000000000110		-1073741799
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2652 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000110	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x000000000000010c suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x000001cc suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x000005dc suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x000005f0 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x0000060c suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x00000620 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x00000608 suspend_count: 1 process_identifier: 2652	1	0
CreateProcessInternalW Aug. 9, 2024, 9:22 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\7Rhe9M4GgyAVkmvttYuyr6j3.exe track: 0 command_line: "C:\Users\test22\Pictures\7Rhe9M4GgyAVkmvttYuyr6j3.exe" filepath_r: C:\Users\test22\Pictures\7Rhe9M4GgyAVkmvttYuyr6j3.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x00000670 suspend_count: 1 process_identifier: 2652	1	0
CreateProcessInternalW Aug. 9, 2024, 9:22 a.m.	thread_identifier: 2856 thread_handle: 0x000007a0 process_identifier: 2852 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\Gmve9T42uH5af2pxVBRXt6Er.exe track: 1 command_line: "C:\Users\test22\Pictures\Gmve9T42uH5af2pxVBRXt6Er.exe" filepath_r: C:\Users\test22\Pictures\Gmve9T42uH5af2pxVBRXt6Er.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000007cc	1	1

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Injuke.16!c
CAT-QuickHeal	Trojan.Injuke
Skyhigh	Artemis!Trojan
ALYac	Trojan.Generic.36664090
Cylance	Unsafe
Zillya	Backdoor.Remcos.Win32.7520
Sangfor	Trojan.Win64.Injuke.Vlar
BitDefender	Trojan.Generic.36664090
VirIT	Trojan.Win32.PSWStealer.DAU
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/GenKryptik.GZZF
Avast	Win64:MalwareX-gen [Trj]
Kaspersky	Trojan.Win32.Injuke.oevc
Alibaba	Trojan:Win64/Injuke.4d8cd6c9
MicroWorld-eScan	Trojan.Generic.36664090
Rising	Trojan.Injector!1.FCBE (CLASSIC)
Emsisoft	Trojan.Generic.36664090 (B)
F-Secure	Trojan.TR/Crypt.Agent.ssycy
DrWeb	Trojan.Inject5.6978
TrendMicro	Trojan.Win64.OPERALOADER.YXEHCZ
McAfeeD	ti!755E26648921
FireEye	Trojan.Generic.36664090
Sophos	Mal/Generic-S
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Crypt.Agent.ssycy
MAX	malware (ai score=80)
Antiy-AVL	Trojan/Win64.GenKryptik
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Win64.Kryptik.sa
Microsoft	Trojan:Win64/Stealerc.GPB!MTB
ViRobot	Trojan.Win.Z.Genkryptik.2162272
ZoneAlarm	Trojan.Win32.Injuke.oevc
GData	Trojan.Generic.36664090
AhnLab-V3	Trojan/Win.MalwareX-gen.R659729
McAfee	Artemis!DEF6F274C143
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4223023271
Ikarus	Trojan.Win64.Crypt
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Trojan.Win64.OPERALOADER.YXEHCZ
Tencent	Malware.Win32.Gencirc.10c0255e
huorong	HEUR:Trojan/Injector.as
Fortinet	W64/GenKryptik.MAGC!tr
AVG	Win64:MalwareX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:Win/GenKryptik.GOP9

file234.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All