Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 21, 2024, 1:30 p.m.	Aug. 21, 2024, 1:42 p.m.

Size	5.4MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`0bdfd2ac36beee175c70cce6e11ed893`
SHA256	`dab2dc490b25687fd6052d53dafa3a74d7685a5429a371a8232f1340d1d498ca`
CRC32	`E773D196`
ssdeep	`49152:PE6MnvrVw/3ldUBiuPvjjhyynrDHht9iyvXER3M3Pq:PvvSnvBqyvUoS`
PDB Path	back7top_managment.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature ftp_command - ftp command Is_DotNET_EXE - (no description) IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

66b9d0b4a2cab_stealc.exe "C:\Users\test22\AppData\Local\Temp\66b9d0b4a2cab_stealc.exe"
2068

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
82.147.84.78	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 21, 2024, 1:30 p.m.			0	0
IsDebuggerPresent Aug. 21, 2024, 1:30 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

back7top_managment.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 21, 2024, 1:30 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (38 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00280000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cfb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cfd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cfe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00751000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00753000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00755000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00756000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00757000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00758000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00759000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00310400', u'virtual_address': u'0x00002000', u'entropy': 7.412719517998859, u'name': u'.text', u'virtual_size': u'0x003103c4'}

entropy

7.412719518

description

A section with a high entropy has been found

entropy

0.570519232518

description

Overall entropy of this PE file is high

Yara rule detected in process memory (12 events)

description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	ftp clients info stealer	rule	infoStealer_ftpClients_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (3 events)

buffer	Buffer with sha1: 496453b90921b2f466df5740285cb4eb6ebe5186
buffer	Buffer with sha1: 6d32c8466ac52ac7948f4e6a5027078959e82602
buffer	Buffer with sha1: 3d1c2dd1d9b72dbbe5266635600065e8e6133ef2

Communicates with host for which no DNS query was performed (1 event)

host

82.147.84.78

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2144 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2068 manipulating memory of non-child process 2144
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2144 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	1	0	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2068 injected into non-child 2144
WriteProcessMemory Aug. 21, 2024, 1:30 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¿·fà ÈB"dà@0$@È©<à#\|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 2144 process_handle: 0x00000220	1	1	0
WriteProcessMemory Aug. 21, 2024, 1:30 p.m.	buffer: LáA.?AVtype_info@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î× ÿÿÿÿÿÿÿÿÈAÈAÈAÈAÈAÈAÈAÈAÈAÈAC$÷A ÷A÷A÷A÷A÷A÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAöAöAöAöA\|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õAõAõAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôAôAôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BÈºB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ þÿÿÿ¬úA..ÀºBÈBÈBÈBÈBÈBÈBÈBÈBÈBÄºBÈBÈBÈBÈBÈBÈBÈBÈºB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@ base_address: 0x0042b000 process_identifier: 2144 process_handle: 0x00000220	1	1	0
WriteProcessMemory Aug. 21, 2024, 1:30 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2144 process_handle: 0x00000220	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2068 injected into non-child 2144
WriteProcessMemory Aug. 21, 2024, 1:30 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¿·fà ÈB"dà@0$@È©<à#\|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 2144 process_handle: 0x00000220	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2068 called NtSetContextThread to modify thread in remote process 2144
NtSetContextThread Aug. 21, 2024, 1:30 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4285584 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000240 process_identifier: 2144	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2068 resumed a thread in remote process 2144
NtResumeThread Aug. 21, 2024, 1:30 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2144	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

82.147.84.78:80

Executed a process and injected code into it, probably while unpacking (14 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 21, 2024, 1:30 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread Aug. 21, 2024, 1:30 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2068	1	0
NtResumeThread Aug. 21, 2024, 1:30 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2068	1	0
CreateProcessInternalW Aug. 21, 2024, 1:30 p.m.	thread_identifier: 2148 thread_handle: 0x00000240 process_identifier: 2144 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\66b9d0b4a2cab_stealc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\66b9d0b4a2cab_stealc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000220	1	1
NtGetContextThread Aug. 21, 2024, 1:30 p.m.	thread_handle: 0x00000240	1	0
NtAllocateVirtualMemory Aug. 21, 2024, 1:30 p.m.	process_identifier: 2144 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000220	1	0
WriteProcessMemory Aug. 21, 2024, 1:30 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL¿·fà ÈB"dà@0$@È©<à#\|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 2144 process_handle: 0x00000220	1	1
WriteProcessMemory Aug. 21, 2024, 1:30 p.m.	buffer: base_address: 0x00401000 process_identifier: 2144 process_handle: 0x00000220	1	1
WriteProcessMemory Aug. 21, 2024, 1:30 p.m.	buffer: base_address: 0x0041e000 process_identifier: 2144 process_handle: 0x00000220	1	1
WriteProcessMemory Aug. 21, 2024, 1:30 p.m.	buffer: LáA.?AVtype_info@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î× ÿÿÿÿÿÿÿÿÈAÈAÈAÈAÈAÈAÈAÈAÈAÈAC$÷A ÷A÷A÷A÷A÷A÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAöAöAöAöA\|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õAõAõAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôAôAôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BÈºB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ þÿÿÿ¬úA..ÀºBÈBÈBÈBÈBÈBÈBÈBÈBÈBÄºBÈBÈBÈBÈBÈBÈBÈBÈºB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@ base_address: 0x0042b000 process_identifier: 2144 process_handle: 0x00000220	1	1
WriteProcessMemory Aug. 21, 2024, 1:30 p.m.	buffer: base_address: 0x0063e000 process_identifier: 2144 process_handle: 0x00000220	1	1
WriteProcessMemory Aug. 21, 2024, 1:30 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2144 process_handle: 0x00000220	1	1
NtSetContextThread Aug. 21, 2024, 1:30 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4285584 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000240 process_identifier: 2144	1	0
NtResumeThread Aug. 21, 2024, 1:30 p.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2144	1	0

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Stealc.i!c
Elastic	malicious (high confidence)
CAT-QuickHeal	Trojan.Agent
Skyhigh	Artemis!Trojan
ALYac	Trojan.GenericKD.73832153
Cylance	Unsafe
VIPRE	Trojan.GenericKD.73832153
Sangfor	Trojan.Msil.Stealerc.Vbo4
K7AntiVirus	Trojan ( 005b64561 )
BitDefender	Trojan.GenericKD.73832153
K7GW	Trojan ( 005b64561 )
Cybereason	malicious.c36bee
Arcabit	Trojan.Generic.D46696D9
VirIT	Trojan.Win32.MSIL.HDC
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.ALRR
McAfee	Artemis!0BDFD2AC36BE
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealerc.gen
Alibaba	Trojan:MSIL/Kryptik.9978cf2c
MicroWorld-eScan	Trojan.GenericKD.73832153
Rising	Malware.Obfus/MSIL@AI.90 (RDM.MSIL2:jOEiSyVQRGRqMftL6rgvRQ)
Emsisoft	Trojan.GenericKD.73832153 (B)
F-Secure	Trojan.TR/AD.Stealc.hefip
TrendMicro	TrojanSpy.Win32.STEALC.YXEHLZ
McAfeeD	ti!DAB2DC490B25
FireEye	Generic.mg.0bdfd2ac36beee17
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Crypt
Google	Detected
Avira	TR/AD.Stealc.hefip
MAX	malware (ai score=84)
Antiy-AVL	Trojan[PSW]/MSIL.StealerC
Kingsoft	MSIL.Trojan-PSW.Stealerc.gen
Gridinsoft	Malware.Win32.Stealc.tr
Xcitium	Malware@#1cu9njnxtlwgo
Microsoft	Trojan:Win32/Stealerc.GAB!MTB
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Stealerc.gen
GData	Trojan.GenericKD.73832153
Varist	W32/ABTrojan.EFYW-5743
AhnLab-V3	Trojan/Win.Injection.C5658245
BitDefenderTheta	Gen:NN.ZemsilCO.36812.@tZ@aeenp0i
DeepInstinct	MALICIOUS
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.Crypt.MSIL.Generic
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win32.STEALC.YXEHLZ
Tencent	Malware.Win32.Gencirc.11c5a1b9
huorong	Trojan/MSIL.Agent.ls

66b9d0b4a2cab_stealc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All