Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 10, 2024, 10:12 a.m.	Sept. 10, 2024, 10:20 a.m.

Size	5.3MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`bd34c12dc1eb99f17fd0cbd581dfce9f`
SHA256	`f7e542218783c81229c438685de0c7c29a619790796833069eddb97b2eb34d29`
CRC32	`87B08838`
ssdeep	`98304:u6uOqwd6d8sD5pWi2LvwhkYdB3xLXe0AwAOnt:u66wd62uci0Ske3x7e0AwAOn`
PDB Path	finesoft.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

66dda11e4dbe5_crystealc.exe#kiscrypto "C:\Users\test22\AppData\Local\Temp\66dda11e4dbe5_crystealc.exe#kiscrypto"
1704
- 66dda11e4dbe5_crystealc.exe#kiscrypto "C:\Users\test22\AppData\Local\Temp\66dda11e4dbe5_crystealc.exe#kiscrypto"
  2516

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.152.113.10	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 45.152.113.10:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 10, 2024, 10:13 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA Sept. 10, 2024, 10:13 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 10, 2024, 10:12 a.m.			0	0
IsDebuggerPresent Sept. 10, 2024, 10:12 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

finesoft.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 10, 2024, 10:12 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://45.152.113.10/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address				suspicious_request	POST http://45.152.113.10/92335b4816f77e90.php

Performs some HTTP requests (2 events)

request	GET http://45.152.113.10/
request	POST http://45.152.113.10/92335b4816f77e90.php

Sends data using the HTTP POST Method (1 event)

request

POST http://45.152.113.10/92335b4816f77e90.php

Allocates read-write-execute memory (usually to unpack itself) (47 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00292000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0029a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00551000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2024, 10:12 a.m.	process_identifier: 1704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01171000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01177000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0117a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0117b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0117c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fc7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fcd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 1704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fcf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00526600', u'virtual_address': u'0x00002000', u'entropy': 7.572239612352342, u'name': u'.text', u'virtual_size': u'0x005264d4'}

entropy

7.57223961235

description

A section with a high entropy has been found

entropy

0.97467886517

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 10, 2024, 10:12 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (14 events)

description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	ftp clients info stealer	rule	infoStealer_ftpClients_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (1 event)

host

45.152.113.10

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 2516 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234	1	0	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 10, 2024, 10:13 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL&M×fà ÈB"dà@0$@È©<à#\|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 2516 process_handle: 0x00000234	1	1
WriteProcessMemory Sept. 10, 2024, 10:13 a.m.	buffer: LáA.?AVtype_info@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î× ÿÿÿÿÿÿÿÿÈAÈAÈAÈAÈAÈAÈAÈAÈAÈAC$÷A ÷A÷A÷A÷A÷A÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAöAöAöAöA\|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õAõAõAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôAôAôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BÈºB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ þÿÿÿ¬úA..ÀºBÈBÈBÈBÈBÈBÈBÈBÈBÈBÄºBÈBÈBÈBÈBÈBÈBÈBÈºB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@ base_address: 0x0042b000 process_identifier: 2516 process_handle: 0x00000234	1	1
WriteProcessMemory Sept. 10, 2024, 10:13 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2516 process_handle: 0x00000234	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 10, 2024, 10:13 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL&M×fà ÈB"dà@0$@È©<à#\|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 2516 process_handle: 0x00000234	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1704 called NtSetContextThread to modify thread in remote process 2516
NtSetContextThread Sept. 10, 2024, 10:13 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4285584 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000238 process_identifier: 2516	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1704 resumed a thread in remote process 2516
NtResumeThread Sept. 10, 2024, 10:13 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 2516	1	0	0

Executed a process and injected code into it, probably while unpacking (14 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 10, 2024, 10:12 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1704	1	0
NtResumeThread Sept. 10, 2024, 10:12 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1704	1	0
NtResumeThread Sept. 10, 2024, 10:12 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 1704	1	0
CreateProcessInternalW Sept. 10, 2024, 10:13 a.m.	thread_identifier: 2520 thread_handle: 0x00000238 process_identifier: 2516 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\66dda11e4dbe5_crystealc.exe#kiscrypto track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\66dda11e4dbe5_crystealc.exe#kiscrypto stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000234	1	1
NtGetContextThread Sept. 10, 2024, 10:13 a.m.	thread_handle: 0x00000238	1	0
NtAllocateVirtualMemory Sept. 10, 2024, 10:13 a.m.	process_identifier: 2516 region_size: 2371584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000234	1	0
WriteProcessMemory Sept. 10, 2024, 10:13 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $¢båæõ¶æõ¶æõ¶u^¶þõ¶uk¶ëõ¶u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶uZ¶ôõ¶uh¶çõ¶Richæõ¶PEL&M×fà ÈB"dà@0$@È©<à#\|$àô.textJÆÈ à.rdataÞÎàÐÌ@@.data+!°@À.reloc*Dà#F¨@B base_address: 0x00400000 process_identifier: 2516 process_handle: 0x00000234	1	1
WriteProcessMemory Sept. 10, 2024, 10:13 a.m.	buffer: base_address: 0x00401000 process_identifier: 2516 process_handle: 0x00000234	1	1
WriteProcessMemory Sept. 10, 2024, 10:13 a.m.	buffer: base_address: 0x0041e000 process_identifier: 2516 process_handle: 0x00000234	1	1
WriteProcessMemory Sept. 10, 2024, 10:13 a.m.	buffer: LáA.?AVtype_info@@Næ@»±¿D ! 5A CPR S WYl m pr ) ¡¤§ ·Î× ÿÿÿÿÿÿÿÿÈAÈAÈAÈAÈAÈAÈAÈAÈAÈAC$÷A ÷A÷A÷A÷A÷A÷A÷AüöAôöAèöAÜöAÔöAÈöAÄöAÀöA¼öA¸öA´öA°öA¬öA¨öA¤öA öAöAöAöAöA\|öAtöA´öAlöAdöA\öAPöAHöA<öA0öA,öA(öAöAöAüõA ôõAìõAäõAÜõAÔõAÌõAÄõA´õA¤õAõAõAlõA\õAHõA@õA8õA0õA(õA õAõAõAõAõAøôAðôAèôAØôAÄôA¸ôA¬ôA õA ôAôAôApôA`ôALôA8ôA0ôA(ôAôAìóAØóA³B³B³B³B³BÈºB¨øA0ýA°þA³Bx´B abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXµB¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ þÿÿÿ¬úA..ÀºBÈBÈBÈBÈBÈBÈBÈBÈBÈBÄºBÈBÈBÈBÈBÈBÈBÈBÈºB¨øAªúA.LáA.?AVlogic_error@std@@LáA.?AVlength_error@std@@LáA.?AVout_of_range@std@@LáA.?AVexception@std@@LáA.?AVbad_alloc@std@@ base_address: 0x0042b000 process_identifier: 2516 process_handle: 0x00000234	1	1
WriteProcessMemory Sept. 10, 2024, 10:13 a.m.	buffer: base_address: 0x0063e000 process_identifier: 2516 process_handle: 0x00000234	1	1
WriteProcessMemory Sept. 10, 2024, 10:13 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2516 process_handle: 0x00000234	1	1
NtSetContextThread Sept. 10, 2024, 10:13 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4285584 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000238 process_identifier: 2516	1	0
NtResumeThread Sept. 10, 2024, 10:13 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 2516	1	0

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Stealerc.1m!c
Elastic	malicious (high confidence)
Skyhigh	Artemis!Trojan
ALYac	Gen:Variant.Tedy.617969
VIPRE	Gen:Variant.Tedy.617969
Sangfor	Infostealer.Win32.Stealerc.Vtu6
BitDefender	Gen:Variant.Tedy.617969
Cybereason	malicious.dc1eb9
Arcabit	Trojan.Tedy.D96DF1
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AMHA
Avast	Win32:MalwareX-gen [Trj]
ClamAV	Win.Packed.Malwarex-10033462-0
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealerc.gen
Alibaba	TrojanPSW:MSIL/Stealerc.aa8ee5d7
MicroWorld-eScan	Gen:Variant.Tedy.617969
Rising	Stealer.Stealerc!8.17BE0 (LESS:bWQ1Op6MxDciZjxl)
Emsisoft	Gen:Variant.Tedy.617969 (B)
F-Secure	Trojan.TR/AD.Stealc.kmmel
McAfeeD	ti!F7E542218783
FireEye	Generic.mg.bd34c12dc1eb99f1
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
Webroot	W32.Trojan.MSIL.Stealerc
Google	Detected
Avira	TR/AD.Stealc.kmmel
MAX	malware (ai score=86)
Antiy-AVL	GrayWare/Win32.Wacapew
Kingsoft	MSIL.Trojan-PSW.Stealerc.gen
Gridinsoft	Ransom.Win32.Bladabindi.sa
Microsoft	Trojan:Win32/Stealerc.GAB!MTB
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Stealerc.gen
GData	Gen:Variant.Tedy.617969
McAfee	Artemis!BD34C12DC1EB
DeepInstinct	MALICIOUS
VBA32	Trojan.MSIL.RedLine.Heur
Malwarebytes	Trojan.Crypt.MSIL.Generic
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXEIIZ
Tencent	Msil.Trojan-QQPass.QQRob.Pcnw
huorong	Trojan/Bladabindi.c
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (D)

66dda11e4dbe5_crystealc.exe#kiscrypto

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All