Summary | ZeroBOX

updatedata.exe

Category: FILE
Machine: s1_win7_x6402
Started: April 8, 2021, 5:55 p.m.
Completed: April 8, 2021, 6:27 p.m.
Size 591.0KB
Type MS-DOS executable, MZ for MS-DOS
MD5 1e949d5238fbf2ade45c91bb54de22ea
SHA256 01469064718c89b6853365f1c7008c72ccd6a1ecb88a52cfcf82880e39dd0358
CRC32 0BEA7F32
ssdeep 6144:Mmrb/itFCWlItHUvApF2RFj9ChhPRA1xI05Wq8nWmnxa6Trtvdxo1HdP9vYc7R56:n7iuUvUF2JcpqcqqWmomtVK19Pqcl5e
Yara
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
  • PE_Header_Zero - PE File Signature Zero
  • IsPE64 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasModified_DOS_Message - DOS Message Check

Name / Response / Post-Analysis Lookup
No hosts contacted.
IP Address / Status / Action
172.217.25.14 / Active / Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .MPRESS1
section .MPRESS2
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895
stacktrace+0x84 memdup-0x1af @ 0x72e10470
hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea
New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603
VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243
VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb
updatedata+0xc1ab7 @ 0x1400c1ab7
GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x77210895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
Status 1 Return 0 Repeated 0
section .MPRESS1: size_of_data 0x00063400, virtual_address 0x00001000, virtual_size 0x0013d000, entropy 7.99947982453; description: A section with a high entropy has been found
entropy 0.680377035133; description: Overall entropy of this PE file is high
host 172.217.25.14
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.46028855
FireEye Trojan.GenericKD.46028855
ALYac Trojan.GenericKD.46028855
Cylance Unsafe
Sangfor Trojan.Win32.Wacatac.B
Alibaba TrojanPSW:MSIL/Agensla.aca34ac4
Cybereason malicious.da91bd
Arcabit Trojan.Generic.D2BE5837
Symantec Trojan.Gen.2
APEX Malicious
Avast FileRepMalware
Kaspersky Trojan-PSW.MSIL.Agensla.uqc
BitDefender Trojan.GenericKD.46028855
Rising Ransom.Blocker!8.12A (CLOUD)
Ad-Aware Trojan.GenericKD.46028855
Emsisoft Trojan.GenericKD.46028855 (B)
McAfee-GW-Edition Artemis!Trojan
MAX malware (ai score=81)
Microsoft Trojan:Win32/Wacatac.B!ml
GData Win32.Trojan.Ilgergop.BCALTY
AhnLab-V3 Trojan/Win32.Miner.C2333227
McAfee Artemis!1E949D5238FB
eGambit PE.Heur.InvalidSig
Fortinet W32/PossibleThreat
AVG FileRepMalware
CrowdStrike win/malicious_confidence_80% (W)