Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 9, 2024, 10:47 a.m.	Aug. 9, 2024, 10:49 a.m.

Size	908.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`85a9287c26148788deff9c77bab244b3`
SHA256	`d7ef63e826cf5bfea0000d292088ea87a5f301e94bb75fe7510a96f36d87d0e9`
CRC32	`05CDFB95`
ssdeep	`12288:svsKFedb7dRWRRIobqOQGwCOySN8bwTSdd25pYC9zltA4xFgCB8:svslXdGVwChxN725pXzbAug`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet

Run112.exe "C:\Users\test22\AppData\Local\Temp\Run112.exe"
2544

Name	Response	Post-Analysis Lookup
i.ibb.co	A 172.96.161.6 A 172.96.160.210 A 104.194.8.120 A 172.96.160.183 A 172.96.160.168	172.96.161.6

IP Address	Status	Action
104.194.8.120	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49162 -> 104.194.8.120:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 9, 2024, 10:47 a.m.			0	0
IsDebuggerPresent Aug. 9, 2024, 10:47 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 9, 2024, 10:47 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00312000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 9, 2024, 10:47 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 9, 2024, 10:47 a.m.	flags: 1158 family: 0	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 9, 2024, 10:47 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Run112.exe tried to sleep 2728263 seconds, actually delayed analysis time by 2728263 seconds

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
ALYac	Trojan.GenericKD.73792763
Cylance	Unsafe
VIPRE	Trojan.GenericKD.73792763
Sangfor	Trojan.Win32.Kryptik.V7q3
BitDefender	Trojan.GenericKD.73792763
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.RCC
Avast	Win32:CrypterX-gen [Trj]
Alibaba	Trojan:MSIL/GenKryptik.8e6e9f3c
MicroWorld-eScan	Trojan.GenericKD.73792763
Rising	Malware.Obfus/MSIL@AI.90 (RDM.MSIL2:YVcMuGCJtG8ekIsLr0Q9yg)
Emsisoft	Trojan.GenericKD.73792763 (B)
F-Secure	Trojan.TR/AVI.Agent.hlwzy
TrendMicro	Trojan.Win32.OPERALOADER.YXEHEZ
McAfeeD	ti!D7EF63E826CF
FireEye	Generic.mg.85a9287c26148788
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Krypt
Google	Detected
Avira	TR/AVI.Agent.hlwzy
MAX	malware (ai score=80)
Antiy-AVL	Trojan/Win32.Wacatac
Kingsoft	Win32.Troj.Agent.cks
Gridinsoft	Ransom.Win32.Wacatac.cl
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Trojan.GenericKD.73792763
AhnLab-V3	Trojan/Win.Generic.C5656806
DeepInstinct	MALICIOUS
Malwarebytes	Neshta.Virus.FileInfector.DDS
TrendMicro-HouseCall	Trojan.Win32.OPERALOADER.YXEHEZ
Tencent	Malware.Win32.Gencirc.141523fc
huorong	TrojanSpy/MSIL.AgentTesla.ch
Fortinet	MSIL/GenKryptik.GVRV!tr
AVG	Win32:CrypterX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_100% (W)
alibabacloud	Trojan:MSIL/GenKryptik.GYYT

Run112.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All