Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 21, 2024, 1:30 p.m.	Aug. 21, 2024, 1:48 p.m.

Size	2.7MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`3aace51d76b16a60e94636150bd1137e`
SHA256	`b51004463e8cdfe74c593f1d3e883ff20d53ad6081de7bf46bb3837b86975955`
CRC32	`7012D29C`
ssdeep	`49152:ZI/0Xh92X3FAOkoQgcK1UeVBOHpwIf0bOtW1sLjS8gumDJKm:6O2X33Dcp98bObLBCJv`
PDB Path	`+}NCgF.!atQBk#x5^KA$eb9xk+'lQ:WctA5)G=<XQm1Mp8"[BR =4{!\|j}zRbQw#f%MC$rm#ApCE'aF`.<h-3~0*J
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) Antivirus - Contains references to security software UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

meta.exe "C:\Users\test22\AppData\Local\Temp\meta.exe"
632

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.89.247.19	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 45.89.247.19:80 -> 192.168.56.103:49166	2400003	ET DROP Spamhaus DROP Listed Traffic Inbound group 4	Misc Attack
TCP 192.168.56.103:49166 -> 45.89.247.19:80	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 45.89.247.19:80	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

`+}NCgF.!atQBk#x5^KA$eb9xk+'lQ:WctA5)G=<XQm1Mp8"[BR =4{!|j}zRbQw#f%MC$rm#ApCE'aF`.<h-3~0*J

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 21, 2024, 1:23 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.managed
section	hydrated

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

BINARY

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000d0400', u'virtual_address': u'0x001a7000', u'entropy': 6.845889175354937, u'name': u'.rdata', u'virtual_size': u'0x000d02e8'}

entropy

6.84588917535

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00087000', u'virtual_address': u'0x0029c000', u'entropy': 7.99941292004399, u'name': u'.rsrc', u'virtual_size': u'0x00086e88'}

entropy

7.99941292004

description

A section with a high entropy has been found

entropy

0.501094890511

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 21, 2024, 1:23 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

45.89.247.19

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 21, 2024, 1:23 p.m.	process_identifier: 2120 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000014c	1	0	0

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 632 manipulating memory of non-child process 2120
NtUnmapViewOfSection Aug. 21, 2024, 1:23 p.m.	base_address: 0x0000000000400000 region_size: 15794176 process_identifier: 2120 process_handle: 0x000000000000014c		-1073741799	0
NtAllocateVirtualMemory Aug. 21, 2024, 1:23 p.m.	process_identifier: 2120 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000014c	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 632 resumed a thread in remote process 2120
NtResumeThread Aug. 21, 2024, 1:23 p.m.	thread_handle: 0x0000000000000148 suspend_count: 1 process_identifier: 2120	1	0	0

Executed a process and injected code into it, probably while unpacking (5 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 21, 2024, 1:23 p.m.	thread_handle: 0x00000000000000b0 suspend_count: 1 process_identifier: 632	1	0
CreateProcessInternalW Aug. 21, 2024, 1:23 p.m.	thread_identifier: 2124 thread_handle: 0x0000000000000148 process_identifier: 2120 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000000000014c	1	1
NtUnmapViewOfSection Aug. 21, 2024, 1:23 p.m.	base_address: 0x0000000000400000 region_size: 15794176 process_identifier: 2120 process_handle: 0x000000000000014c		-1073741799
NtAllocateVirtualMemory Aug. 21, 2024, 1:23 p.m.	process_identifier: 2120 region_size: 573440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000014c	1	0
NtResumeThread Aug. 21, 2024, 1:23 p.m.	thread_handle: 0x0000000000000148 suspend_count: 1 process_identifier: 2120	1	0

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.ChePro.7!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win64.Sality.vc
Sangfor	Trojan.Win32.Kryptik.Vt0p
VirIT	Trojan.Win64.Agent.HDH
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/GenKryptik.HASK
APEX	Malicious
McAfee	Artemis!3AACE51D76B1
Avast	Win64:Evo-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Win64/GenKryptik.32d12086
Rising	Trojan.Injector!1.FCBE (CLASSIC)
F-Secure	Trojan.TR/Crypt.Agent.dwivl
DrWeb	Trojan.DownLoaderNET.786
TrendMicro	Trojan.Win64.AMADEY.YXEHUZ
McAfeeD	ti!B51004463E8C
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
Google	Detected
Avira	TR/Crypt.Agent.dwivl
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Heur!.02212023
Microsoft	Trojan:Win32/Wacatac.B!ml
ViRobot	Trojan.Win.Z.Genkryptik.2806784
ZoneAlarm	Trojan-Spy.Win32.Stealer.fisz
GData	MSIL.Trojan-Stealer.MetaStealer.PV3UOF
Varist	W64/Kryptik.GSE
AhnLab-V3	Malware/Win.Generic.C5659650
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Crypt
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win64.AMADEY.YXEHUZ
Tencent	Malware.Win32.Gencirc.1416c9b5
huorong	HEUR:Trojan/Injector.as
Fortinet	W64/GenKryptik.MAGC!tr
AVG	Win64:Evo-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan[stealer]:Win/Wacapew.C9nj

meta.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All