Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 30, 2025, 1:30 p.m.	April 30, 2025, 1:32 p.m.

Size	7.8MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`a44e7983d18166149c75b3511896467b`
SHA256	`9145705f16a5c8ce8128315cab3d882efc609231b64a6ff335482ad511a250a3`
CRC32	`18D665D8`
ssdeep	`98304:amBol9f1/tOWgITDOOMoJklAeSJ8U3IpaGmhU:JKmHOP+lAeG8U3OaGO`
Yara	PE_Header_Zero - PE File Signature Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Malicious_Packer_Zero - Malicious Packer RedLine_Stealer_b_Zero - RedLine stealer Is_DotNET_EXE - (no description) Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file detect_Redline_Stealer_V2 - (no description)

24321.exe "C:\Users\test22\AppData\Local\Temp\24321.exe"
2644

Name	Response	Post-Analysis Lookup
github.com	A 20.200.245.247	20.200.245.247

IP Address	Status	Action
164.124.101.2	Active	Moloch
20.200.245.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49162 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA April 30, 2025, 1:30 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 30, 2025, 1:30 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 30, 2025, 1:30 p.m.			0	0
IsDebuggerPresent April 30, 2025, 1:30 p.m.			0	0
IsDebuggerPresent April 30, 2025, 1:30 p.m.			0	0
IsDebuggerPresent April 30, 2025, 1:30 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 30, 2025, 1:30 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00581000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:30 p.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 30, 2025, 1:30 p.m.	flags: 15 family: 0		111	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Lionic	Trojan.Win32.Dump.i!c
CAT-QuickHeal	Trojan.Ghanarava.174524216396467b
Skyhigh	BehavesLike.Win32.Generic.wh
ALYac	Dump:Generic.Ransom.KrakenB.611087DD
Cylance	Unsafe
VIPRE	Dump:Generic.Ransom.KrakenB.611087DD
Sangfor	Infostealer.Msil.Browsstl.V4vm
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Dump:Generic.Ransom.KrakenB.611087DD
K7GW	Spyware ( 0056dd401 )
K7AntiVirus	Spyware ( 0056dd401 )
Arcabit	Dump:Generic.Ransom.KrakenB.D9530FDD
VirIT	Trojan.Win32.MSIL.IAM
Symantec	Infostealer
Elastic	Windows.Generic.Threat
ESET-NOD32	MSIL/Spy.Agent.FEG
APEX	Malicious
Avast	Win32:MalwareX-gen [Pws]
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealer.gen
Alibaba	TrojanPSW:MSIL/Browsstl.e7cf4c92
MicroWorld-eScan	Dump:Generic.Ransom.KrakenB.611087DD
Rising	Stealer.Phemedrone!1.F3D5 (CLASSIC)
Emsisoft	Dump:Generic.Ransom.KrakenB.611087DD (B)
F-Secure	Trojan.TR/AD.GenSteal.qtefi
DrWeb	Trojan.PWS.Stealer.41994
Zillya	Trojan.Stealer.Win32.198604
TrendMicro	Backdoor.Win32.XWORM.YXFDEZ
McAfeeD	ti!9145705F16A5
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.msil
Sophos	Troj/Steal-FDX
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.PSW.MSIL.eymi
Webroot	Win.Redline.Stealer
Google	Detected
Avira	TR/AD.GenSteal.qtefi
Microsoft	PWS:MSIL/Browsstl.GG!MTB
ZoneAlarm	Troj/Steal-FDX
GData	MSIL.Trojan.Agent.AVQ
Varist	W32/MSIL_RedLine.B.gen!Eldorado
AhnLab-V3	Trojan/Win.Evital.C5747435
McAfee	Artemis!A44E7983D181
DeepInstinct	MALICIOUS
VBA32	Trojan.MSIL.InfoStealer.gen.D
Malwarebytes	Crypt.Trojan.MSIL.DDS
Ikarus	Trojan-Spy.RedLineStealer
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Backdoor.Win32.XWORM.YXFDEZ
Tencent	Malware.Win32.Gencirc.14655b71
Yandex	Trojan.Agent!XCFr2kk9pB4

24321.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All