Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 9, 2024, 9:22 a.m.	Aug. 9, 2024, 9:29 a.m.

Size	2.1MB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`098621a8fa13fdfd4ce2d9c3dc010092`
SHA256	`aae3fa7e1a2c161fce6b1b9b3dcf48cc3f797cc2754bd12b2810ccca21ccfdd9`
CRC32	`2F3339D7`
ssdeep	`49152:kWiP0wV0hJ5VGx6ODJ1+aEtWX33oG1SdZo2:2VUcFabLh`
PDB Path	mth#ý%IxêÅäKß+}iß%gmY/ë?ßÑÙY<bïÛÎ,O/ß/e~!é$XÞbÌN o\yHíÛGÒêÚ.V§>;5V¥p"ã1^7
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) Antivirus - Contains references to security software UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

setup2.exe "C:\Users\test22\AppData\Local\Temp\setup2.exe"
1540
- jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2064
  - apZABzmk5ui9Aj6Ct4yFIjaU.exe "C:\Users\test22\Pictures\apZABzmk5ui9Aj6Ct4yFIjaU.exe"
    2260

Name	Response	Post-Analysis Lookup
yip.su	A 104.21.79.77 A 172.67.169.89	104.21.79.77
cacerts.digicert.com	CNAME fp2e7a.wpc.2be4.phicdn.net CNAME fp2e7a.wpc.phicdn.net A 152.195.38.76	152.195.38.76
pastebin.com	A 172.67.19.24 A 104.20.4.235 A 104.20.3.235	172.67.19.24
iplogger.com	A 172.67.188.178 A 104.21.76.57	104.21.76.57
raw.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.111.133
github.com	A 20.200.245.247	20.200.245.247
ironmanrecycling.com	A 147.45.60.44	147.45.60.44
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.129.233

IP Address	Status	Action
152.195.38.76	Active	Moloch
104.20.3.235	Active	Moloch
147.45.60.44	Active	Moloch
162.159.134.233	Active	Moloch
164.124.101.2	Active	Moloch
172.67.169.89	Active	Moloch
172.67.188.178	Active	Moloch
185.199.110.133	Active	Moloch
194.58.114.223	Active	Moloch
20.200.245.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 104.20.3.235:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 20.200.245.247:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.58.114.223:80 -> 192.168.56.103:49167	2049228	ET HUNTING Redirect to Discord Attachment Download	Misc activity
UDP 192.168.56.103:64178 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 147.45.60.44:80 -> 192.168.56.103:49170	2014819	ET INFO Packed Executable Download	Misc activity
UDP 192.168.56.103:64530 -> 164.124.101.2:53	2047719	ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49165 -> 172.67.169.89:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 172.67.188.178:443	2047718	ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49173 -> 172.67.188.178:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 147.45.60.44:80 -> 192.168.56.103:49170	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 147.45.60.44:80 -> 192.168.56.103:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.103:49171 -> 162.159.134.233:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49168 -> 185.199.110.133:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49164 104.20.3.235:443	C=US, O=Google Trust Services, CN=WE1	CN=pastebin.com	82:49:c5:04:9a:bd:a9:c1:ab:4d:ff:95:b9:94:74:cc:40:bc:09:7f
TLS 1.2 192.168.56.103:49166 20.200.245.247:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo ECC Domain Validation Secure Server CA	CN=github.com	e7:03:5b:cc:1c:18:77:1f:79:2f:90:86:6b:6c:1d:f8:df:aa:bd:c0
TLS 1.2 192.168.56.103:49165 172.67.169.89:443	C=US, O=Google Trust Services, CN=WE1	CN=yip.su	cd:f2:dd:c5:ee:57:d1:5f:01:8c:10:00:ac:b5:85:96:0e:f7:0a:32
TLS 1.2 192.168.56.103:49173 172.67.188.178:443	C=US, O=Google Trust Services, CN=WE1	CN=iplogger.com	ff:db:b3:bf:95:97:b5:c1:dd:90:3f:4c:9a:d3:69:3b:39:78:66:96
TLS 1.2 192.168.56.103:49171 162.159.134.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=discordapp.com	97:8b:ee:ad:1e:bf:a1:69:e7:94:29:f7:55:7a:29:64:19:c7:81:39
TLS 1.2 192.168.56.103:49168 185.199.110.133:443	C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=*.github.io	97:d8:c5:70:0f:12:24:6c:88:bc:fa:06:7e:8c:a7:4d:a8:62:67:28

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 9, 2024, 9:22 a.m.			0	0
IsDebuggerPresent Aug. 9, 2024, 9:22 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

mth#ý%IxêÅäKß+}iß%gmY/ë?ßÑÙY<bïÛÎ,O/ß/e~!é$XÞbÌN o\yHíÛGÒêÚ.V§>;5V¥p"ã1^7

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 9, 2024, 9:22 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.managed
section	hydrated

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

BINARY

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://194.58.114.223/d/385104
suspicious_features	GET method with no useragent header	suspicious_request	GET http://ironmanrecycling.com/get/setup1.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/E0rY26ni
suspicious_features	GET method with no useragent header	suspicious_request	GET https://github.com/evan9908/Setup/raw/main/Umar.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://yip.su/RNWPd.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://cdn.discordapp.com/attachments/1271038807315185718/1271141416722235504/setup.exe?ex=66b64232&is=66b4f0b2&hm=54ce8f39d23ca603ff6f30c94a6a47d0c4b423d21c32cc49cdd2dfd3da22283e&
suspicious_features	GET method with no useragent header	suspicious_request	GET https://iplogger.com/1lyxz

Performs some HTTP requests (8 events)

request	GET http://194.58.114.223/d/385104
request	GET http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
request	GET http://ironmanrecycling.com/get/setup1.exe
request	GET https://pastebin.com/raw/E0rY26ni
request	GET https://github.com/evan9908/Setup/raw/main/Umar.exe
request	GET https://yip.su/RNWPd.exe
request	GET https://cdn.discordapp.com/attachments/1271038807315185718/1271141416722235504/setup.exe?ex=66b64232&is=66b4f0b2&hm=54ce8f39d23ca603ff6f30c94a6a47d0c4b423d21c32cc49cdd2dfd3da22283e&
request	GET https://iplogger.com/1lyxz

Allocates read-write-execute memory (usually to unpack itself) (21 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 53248 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004dd000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 9:23 a.m.	process_identifier: 2260 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q9nbVFRW39pITNKON8zV4kXC.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DLFALvDucl6O9U7T0jcdlvDF.bat
file	C:\Users\test22\Pictures\apZABzmk5ui9Aj6Ct4yFIjaU.exe
file	C:\Users\test22\AppData\Local\lA1TJbLdO332jtliAiMQYbIm.exe
file	C:\Users\test22\Pictures\tdpPBtCJ2PQ7VLSczJZ8xXjp.exe
file	C:\Users\test22\AppData\Local\k3az9oBRIARsFxstiwVuDA7p.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 9, 2024, 9:22 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\tdpPBtCJ2PQ7VLSczJZ8xXjp.exe parameters: filepath: C:\Users\test22\Pictures\tdpPBtCJ2PQ7VLSczJZ8xXjp.exe		0	0
ShellExecuteExW Aug. 9, 2024, 9:22 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\apZABzmk5ui9Aj6Ct4yFIjaU.exe parameters: filepath: C:\Users\test22\Pictures\apZABzmk5ui9Aj6Ct4yFIjaU.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 9, 2024, 9:22 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process jsc.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Aug. 9, 2024, 9:22 a.m.	buffer: HTTP/1.1 200 OK Date: Fri, 09 Aug 2024 00:27:25 GMT Server: nginx/1.26.1 Content-Type: application/x-dosexec Content-Length: 218624 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $§xãíÜãíÜãíÜ^¢ÜáíÜý¿ÜÁíÜý¿ÜúíÜý¿ÜcíÜÄ+mÜæíÜãíÜíÜý¿ÜâíÜý¿ÜâíÜý¿ÜâíÜRichãíÜPELâ]dà ÎÛ°@ò lË<8q°¨.textû `.rdataÆ$°&@@.dataè)à&¾@À.rsrc8qrä@@ÿ%0°B; àBuóÃéÐÿUìì S3Û9]uèSSSSSÇèÄÈÿëME;ÃtÜVEèEàEPSÿuEàPÇEäÿÿÿÇEìBè ÄÿMäðxEàëEàPSèaYYÆ^[ÉÃÿUìì S3Û9]uèSSSSSÇèÄÈÿëNE;ÃtÜVÿuEèÿuEàÿuEàPÇEäÿÿÿÇEìBè ÄÿMäðxEàëEàPSèãYYÆ^[ÉÃÿUìÿujÿuÿuèmÿÿÿÄ]ÃÿUìQeüVEüPÿuÿuè¸ðÄöu9Eütè\Àt èSMüÆ^ÉÃjhÇBèZ3À3ö9uÀ;ÆuèÇVVVVVè²ÄÈÿë8ètPVèYYuüÿuÿuÿuèZPÿUÄEäÇEüþÿÿÿèEäè7Ã3öè4PVè³YYÃÿUìEPjÿuh-@èbÿÿÿÄ]ÃÿUìj jÿuèT-Ä]ÃÿUì]éßÿÿÿjh0ÇBè3ÿ}ä3Àu;÷À;Çu èaÇWWWWWèéÄÈÿé´Vè~Y}üöF@uwVè0YøÿtøþtÐÁúÈáÁáÀèCë¹äBöA$u)øÿtøþtÈÁùàÁàÀèCë¸äBö@$tèÖÇWWWWWè^ÄMäÿ9}äuÿNx ¶AëVè,YEäÇEüþÿÿÿèEäèïÃuVè4YÃÿUìQSVWÿ5¤èCè0ÿ5 èCø}üès0ðYY;÷Þ+ßCørwWè¨6øCY;øsH¸;øsÇÇ;ÇrPÿuüèä5YYÀuG;Çr@PÿuüèÎ5YYÀt1ÁûP4è/Y£¤èCÿuè/ÆVèu/Y£ èCEYë3À_^[ÉÃÿVjj è85ðVèN/Ä£¤èC£ èCöujX^Ã&3À^ÃjhPÇBè§è-7eüÿuèøþÿÿYEäÇEüþÿÿÿè EäèÃÃè7ÃÿUìÿuè·ÿÿÿ÷ØÀ÷ØYH]ÃjhpÇBèT3À3ö9uÀ;Æuè$ÇVVVVVè¬ÄÈÿë_ènj [ÃPjèyYYuüèWÃPè,9YøEPVÿuè?ÃPèEäè/ÃPWè9ÄÇEüþÿÿÿè Eäè Ãè À PjèYYÃ¡àBÈ3É9`þBÁÁÃÿUì=lþBuèz;ÿuèÇ9hÿèé5YY]ÃjXhÇBèf3öuüEPÿ°Bjþ_}ü¸MZf9@u8¡<@¸@PEu'¹f9@u¸t@v3É9°è@ÁMäëuä3ÛCSèW@YÀujèXÿÿÿYè{1ÀujèGÿÿÿYèè?]üèÌÀ}jèè4YèÉ?£äùCèh?£hþBè°>À}jèÃ4Yèp<À}j è²4YSèj5Y;ÆtPè 4Yè<]Ät·MÈëj YQPVh@è¿:Eà9uäuPèá6è7}üë5Eì MÜPQèc:YYÃeèEÜEà received: 2920 socket: 1560	1	2920	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000c0600', u'virtual_address': u'0x00194000', u'entropy': 6.829873813393339, u'name': u'.rdata', u'virtual_size': u'0x000c050c'}

entropy

6.82987381339

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00003200', u'virtual_address': u'0x00278000', u'entropy': 7.782008114792829, u'name': u'.rsrc', u'virtual_size': u'0x00003190'}

entropy

7.78200811479

description

A section with a high entropy has been found

entropy

0.371849738469

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Communicates with host for which no DNS query was performed (1 event)

host

194.58.114.223

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000010c	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 9, 2024, 9:22 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (2 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DLFALvDucl6O9U7T0jcdlvDF.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q9nbVFRW39pITNKON8zV4kXC.bat

Drops a binary and executes it (1 event)

file	C:\Users\test22\Pictures\apZABzmk5ui9Aj6Ct4yFIjaU.exe

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1540 resumed a thread in remote process 2064
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x0000000000000108 suspend_count: 1 process_identifier: 2064	1	0	0

Executed a process and injected code into it, probably while unpacking (19 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x00000000000000b8 suspend_count: 1 process_identifier: 1540	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x00000000000000f0 suspend_count: 1 process_identifier: 1540	1	0
CreateProcessInternalW Aug. 9, 2024, 9:22 a.m.	thread_identifier: 2068 thread_handle: 0x0000000000000108 process_identifier: 2064 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000000000010c	1	1
NtUnmapViewOfSection Aug. 9, 2024, 9:22 a.m.	base_address: 0x0000000000400000 region_size: 12386304 process_identifier: 2064 process_handle: 0x000000000000010c		-1073741799
NtAllocateVirtualMemory Aug. 9, 2024, 9:22 a.m.	process_identifier: 2064 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000010c	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x0000000000000108 suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x000005cc suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x000005fc suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x0000060c suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x00000648 suspend_count: 1 process_identifier: 2064	1	0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x0000065c suspend_count: 1 process_identifier: 2064	1	0
CreateProcessInternalW Aug. 9, 2024, 9:22 a.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\tdpPBtCJ2PQ7VLSczJZ8xXjp.exe track: 0 command_line: "C:\Users\test22\Pictures\tdpPBtCJ2PQ7VLSczJZ8xXjp.exe" filepath_r: C:\Users\test22\Pictures\tdpPBtCJ2PQ7VLSczJZ8xXjp.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000		0
NtResumeThread Aug. 9, 2024, 9:22 a.m.	thread_handle: 0x00000634 suspend_count: 1 process_identifier: 2064	1	0
CreateProcessInternalW Aug. 9, 2024, 9:22 a.m.	thread_identifier: 2264 thread_handle: 0x00000764 process_identifier: 2260 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\Pictures\apZABzmk5ui9Aj6Ct4yFIjaU.exe track: 1 command_line: "C:\Users\test22\Pictures\apZABzmk5ui9Aj6Ct4yFIjaU.exe" filepath_r: C:\Users\test22\Pictures\apZABzmk5ui9Aj6Ct4yFIjaU.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000007cc	1	1

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.PBLoader.a!c
Elastic	malicious (high confidence)
CAT-QuickHeal	TrojanDownloader.MSIL
Skyhigh	Artemis!Trojan
ALYac	Trojan.GenericKD.73757234
Cylance	Unsafe
VIPRE	Trojan.GenericKD.73757234
Sangfor	Downloader.Win64.Kryptik.V4ko
K7AntiVirus	Trojan ( 005b868b1 )
BitDefender	Trojan.GenericKD.73757234
K7GW	Trojan ( 005b868b1 )
VirIT	Trojan.Win32.PSWStealer.DAU
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/GenKryptik.GZZF
McAfee	Artemis!098621A8FA13
Avast	Win64:MalwareX-gen [Trj]
Kaspersky	Trojan-Downloader.MSIL.PBLoader.v
Alibaba	TrojanDownloader:Win64/PBLoader.27509cb8
NANO-Antivirus	Trojan.Win64.Inject5.kqjjyr
MicroWorld-eScan	Trojan.GenericKD.73757234
Rising	Trojan.Injector!1.FCBE (CLASSIC)
Emsisoft	Trojan.GenericKD.73757234 (B)
F-Secure	Trojan.TR/AD.Nekark.dsfxi
DrWeb	Trojan.Inject5.6732
Zillya	Backdoor.Remcos.Win32.7520
TrendMicro	Trojan.Win64.OPERALOADER.YXEG4Z
McAfeeD	ti!AAE3FA7E1A2C
FireEye	Trojan.GenericKD.73757234
Sophos	Mal/Generic-S
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/AD.Nekark.dsfxi
MAX	malware (ai score=87)
Antiy-AVL	Trojan/Win64.GenKryptik
Kingsoft	MSIL.Trojan-Downloader.PBLoader.v
Microsoft	Trojan:Win64/AgentTesla!MTB
ViRobot	Trojan.Win.Z.Agent.2162272
ZoneAlarm	Trojan-Downloader.MSIL.PBLoader.v
GData	Trojan.GenericKD.73757234
AhnLab-V3	Trojan/Win.MalwareX-gen.R659729
DeepInstinct	MALICIOUS
VBA32	TrojanDownloader.MSIL.PBLoader
Malwarebytes	Malware.AI.4223023271
Ikarus	Trojan.Win64.Crypt
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win64.OPERALOADER.YXEG4Z
Tencent	Malware.Win32.Gencirc.10c0255e
huorong	HEUR:Trojan/Injector.as
MaxSecure	Trojan.Malware.273327742.susgen

setup2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All