Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 26, 2025, 2:47 p.m.	Feb. 26, 2025, 2:49 p.m.

Size	148.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4871c39a4a7c16a4547820b8c749a32c`
SHA256	`8aa3e2705e32e8175242fcf19391ab909037111f19cf5f9953885c911f440453`
CRC32	`11D1798D`
ssdeep	`3072:9RmS+WQuCw5fp4b/7XHrRKl/OiJeNKUjQsFZy+j6WafP:6vu5fp4Dcl/OMeNfsEjiX`
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

q3na5Mc.exe "C:\Users\test22\AppData\Local\Temp\q3na5Mc.exe"
1932
- q3na5Mc.exe "C:\Users\test22\AppData\Local\Temp\q3na5Mc.exe"
  2068

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 23.49.154.73	23.49.154.73

IP Address	Status	Action
149.154.167.99	Active	Moloch
159.69.100.232	Active	Moloch
164.124.101.2	Active	Moloch
23.49.154.73	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Feb. 26, 2025, 2:47 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 26, 2025, 2:47 p.m.			0	0
IsDebuggerPresent Feb. 26, 2025, 2:47 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 26, 2025, 2:47 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.css

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 26, 2025, 2:47 p.m.	stacktrace: exception.instruction_r: 8b 31 85 f6 eb 08 8d bd d5 04 00 00 eb 12 64 8b exception.instruction: mov esi, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x24022d4 registers.esp: 3140976 registers.edi: 37757017 registers.eax: 1971261501 registers.ebp: 37756880 registers.edx: 37757119 registers.ebx: 0 registers.esi: 2939456477 registers.ecx: 2977213981	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://steamcommunity.com/profiles/76561199829660832

Performs some HTTP requests (1 event)

request

GET https://steamcommunity.com/profiles/76561199829660832

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 1932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02401000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00022600', u'virtual_address': u'0x00008000', u'entropy': 7.998742257488845, u'name': u'.css', u'virtual_size': u'0x00022600'}

entropy

7.99874225749

description

A section with a high entropy has been found

entropy

0.93537414966

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (3 events)

url	https://t.me/l793oy
url	http://localhost
url	https://steamcommunity.com/profiles/76561199829660832

Yara rule detected in process memory (19 events)

description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	ftp clients info stealer	rule	infoStealer_ftpClients_Zero
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win32 PWS Loki	rule	Win32_PWS_Loki_m_Zero

Communicates with host for which no DNS query was performed (1 event)

host

159.69.100.232

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 2068 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001fc	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELú»gàÂ`r@hþ@p¨ÐìÀxÐ.text¾ÀÂ `.rdataÀ1à2Æ@@.data` ø@À.00cfgP@@.CRT`@@.rsrc¨p@@.relocÐ@B base_address: 0x00400000 process_identifier: 2068 process_handle: 0x000001fc	1	1
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: ÝÏA base_address: 0x00425000 process_identifier: 2068 process_handle: 0x000001fc	1	1
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: ó@ base_address: 0x00426000 process_identifier: 2068 process_handle: 0x000001fc	1	1
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: 0 H`pC<?xml version="1.0" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false'/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00427000 process_identifier: 2068 process_handle: 0x000001fc	1	1
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2068 process_handle: 0x000001fc	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELú»gàÂ`r@hþ@p¨ÐìÀxÐ.text¾ÀÂ `.rdataÀ1à2Æ@@.data` ø@À.00cfgP@@.CRT`@@.rsrc¨p@@.relocÐ@B base_address: 0x00400000 process_identifier: 2068 process_handle: 0x000001fc	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	q3na5Mc.exe				useragent
process	q3na5Mc.exe				useragent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1932 called NtSetContextThread to modify thread in remote process 2068
NtSetContextThread Feb. 26, 2025, 2:47 p.m.	registers.eip: 2005598660 registers.esp: 2357476 registers.edi: 0 registers.eax: 4289040 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001f8 process_identifier: 2068	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1932 resumed a thread in remote process 2068
NtResumeThread Feb. 26, 2025, 2:47 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2068	1	0	0

Executed a process and injected code into it, probably while unpacking (17 events)

Time & API	Arguments	Status	Return
NtResumeThread Feb. 26, 2025, 2:47 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1932	1	0
NtResumeThread Feb. 26, 2025, 2:47 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1932	1	0
NtResumeThread Feb. 26, 2025, 2:47 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1932	1	0
CreateProcessInternalW Feb. 26, 2025, 2:47 p.m.	thread_identifier: 2072 thread_handle: 0x000001f8 process_identifier: 2068 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\q3na5Mc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\q3na5Mc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001fc	1	1
NtGetContextThread Feb. 26, 2025, 2:47 p.m.	thread_handle: 0x000001f8	1	0
NtAllocateVirtualMemory Feb. 26, 2025, 2:47 p.m.	process_identifier: 2068 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001fc	1	0
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELú»gàÂ`r@hþ@p¨ÐìÀxÐ.text¾ÀÂ `.rdataÀ1à2Æ@@.data` ø@À.00cfgP@@.CRT`@@.rsrc¨p@@.relocÐ@B base_address: 0x00400000 process_identifier: 2068 process_handle: 0x000001fc	1	1
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: base_address: 0x00401000 process_identifier: 2068 process_handle: 0x000001fc	1	1
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: base_address: 0x0041e000 process_identifier: 2068 process_handle: 0x000001fc	1	1
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: base_address: 0x00422000 process_identifier: 2068 process_handle: 0x000001fc	1	1
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: ÝÏA base_address: 0x00425000 process_identifier: 2068 process_handle: 0x000001fc	1	1
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: ó@ base_address: 0x00426000 process_identifier: 2068 process_handle: 0x000001fc	1	1
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: 0 H`pC<?xml version="1.0" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false'/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00427000 process_identifier: 2068 process_handle: 0x000001fc	1	1
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: base_address: 0x00428000 process_identifier: 2068 process_handle: 0x000001fc	1	1
WriteProcessMemory Feb. 26, 2025, 2:47 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2068 process_handle: 0x000001fc	1	1
NtSetContextThread Feb. 26, 2025, 2:47 p.m.	registers.eip: 2005598660 registers.esp: 2357476 registers.edi: 0 registers.eax: 4289040 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001f8 process_identifier: 2068	1	0
NtResumeThread Feb. 26, 2025, 2:47 p.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2068	1	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Stelpak.4!c
Skyhigh	BehavesLike.Win32.Generic.cc
ALYac	Gen:Variant.MSILHeracles.179021
Cylance	Unsafe
VIPRE	Gen:Variant.MSILHeracles.179021
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.MSILHeracles.179021
K7GW	Riskware ( 00584baa1 )
Arcabit	Trojan.MSILHeracles.D2BB4D
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	Win32/Vidar.A
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Packed.Msilzilla-10042543-0
Kaspersky	HEUR:Trojan.MSIL.Stelpak.gen
MicroWorld-eScan	Gen:Variant.MSILHeracles.179021
Rising	Malware.Obfus/MSIL@AI.87 (RDM.MSIL2:pquuXHkCF4jmWjNmdErbDg)
Emsisoft	Gen:Variant.MSILHeracles.179021 (B)
F-Secure	Trojan.TR/AD.Nekark.tokfw
McAfeeD	Real Protect-LS!4871C39A4A7C
CTX	exe.trojan.msil
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.4871c39a4a7c16a4
Google	Detected
Avira	TR/AD.Nekark.tokfw
Kingsoft	malware.kb.c.999
Gridinsoft	Trojan.Heur!.020120A1
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Win32.Trojan.Kryptik.C3RR0F
Varist	W32/MSIL_Kryptik.MAV.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.C5731599
McAfee	GenericRXWQ-QK!4871C39A4A7C
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Trojan.MSIL.Krypt
Panda	Trj/Chgt.AD
huorong	Trojan/MSIL.Agent.vl
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ANCY!tr
AVG	Win32:PWSX-gen [Trj]
Paloalto	generic.ml

q3na5Mc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All