Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 23, 2021, 11:17 a.m.	March 23, 2021, 11:22 a.m.

Size	1.4MB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`8f251ae83b2c4898354f35d4bbba2c03`
SHA256	`8e3342f663e3f729f49aca6bf15eb99f2327bf83a7a72e8f28c04803aa766bd4`
CRC32	`D57F046E`
ssdeep	`24576:gU7ecSgL6y+gk+rnxdarFc3rn0Y5zmzRf1P2MVMbx4XclQ:gUzS65+x+rnxYr8rnL5yzpVM6XcS`
PDB Path	C:\Users\illusie\source\repos\krnl_console_bootstrapper\krnl_console_bootstrapper\obj\Release\krnl_console_bootstrapper.pdb
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero escalate_priv - Escalade priviledges win_token - Affect system token win_files_operation - Affect private profile IsPE32 - (no description) IsNET_EXE - (no description) IsConsole - (no description) HasDebugData - DebugData Check Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet

krnl_console_bootstrapper.exe "C:\Users\test22\AppData\Local\Temp\krnl_console_bootstrapper.exe"
2648

Name	Response	Post-Analysis Lookup
cdn.krnl.ca	A 172.67.202.108 A 104.21.37.17	104.21.37.17
k-storage.com	A 104.21.42.186 A 172.67.208.22	104.21.42.186

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.202.108	Active	Moloch
172.67.208.22	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49199 -> 172.67.202.108:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 172.67.208.22:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49199 172.67.202.108:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	55:67:4c:76:ae:a7:2e:4e:4b:33:77:90:f3:50:2e:c6:93:ae:89:cb
TLSv1 192.168.56.101:49202 172.67.208.22:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:db:3c:cf:a7:d3:ab:8a:37:54:48:18:0d:84:8c:ad:6a:49:18:15

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 23, 2021, 11:17 a.m.			0	0
IsDebuggerPresent March 23, 2021, 11:17 a.m.			0	0

Command line console output was observed (31 events)

Time & API	Arguments	Status	Return
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: INFO console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] Credit: sean.#1749 console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: INFO console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] Discord: https://krnl.ca/invite.php console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: INFO console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] Bootstrapper: https://keshhub.com/bootstrapper/krnl_console_bootstrapper.exe console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: INFO console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] Checking if KRNL is patched console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: INFO console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] Fetching the krnl files... console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: INFO console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] Fetched the checksum of the krnl files console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: INFO console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] Downloading the files may take long console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: INSTALL console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] bin/Monaco.zip console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: INSTALL console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] bin/src.7z console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: INSTALL console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] Bunifu_UI_v1.5.3.dll console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: INSTALL console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] ScintillaNET.dll console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: INSTALL console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] krnl.dll console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: INSTALL console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] krnlss.exe console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: INSTALL console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] krnlss.exe.config console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ERROR console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: ] [bin/Monaco.zip] Please turn off your anti-virus and try again! console_handle: 0x00000007	1	1
WriteConsoleA March 23, 2021, 11:17 a.m.	buffer: Press any key to exit... console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\illusie\source\repos\krnl_console_bootstrapper\krnl_console_bootstrapper\obj\Release\krnl_console_bootstrapper.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 23, 2021, 11:17 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://cdn.krnl.ca/version.txt
suspicious_features	GET method with no useragent header				suspicious_request	GET https://k-storage.com/bootstrapper/files/hashs.php

Performs some HTTP requests (2 events)

request	GET https://cdn.krnl.ca/version.txt
request	GET https://k-storage.com/bootstrapper/files/hashs.php

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 23, 2021, 11:17 a.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 23, 2021, 11:17 a.m.	flags: 15 family: 0		111	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 23, 2021, 11:17 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

krnl_console_bootstrapper.exe tried to sleep 2728163 seconds, actually delayed analysis time by 2728163 seconds

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

McAfee	GenericRXAA-AA!8F251AE83B2C
Sangfor	Trojan.Win32.Zpevdo.B
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.83b2c4
APEX	Malicious
Sophos	Mal/Generic-S
Comodo	Malware@#2cvdlasfg84hu
McAfee-GW-Edition	Artemis!Trojan
Microsoft	Trojan:Win32/Zpevdo.B
BitDefenderTheta	Gen:NN.ZemsilF.34628.xn0@a8hnPTn
Rising	Trojan.Zpevdo!8.F912 (CLOUD)
Webroot	W32.Malware.Gen

krnl_console_bootstrapper.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All