Summary | ZeroBOX

data.pdf

Category  Machine        Started                     Completed
FILE      s1_win7_x6401  April 14, 2021, 10:01 a.m.  April 14, 2021, 10:04 a.m.
Size 3.3MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e891577b2d323d94f32ccc6bc52eadd9
SHA256 cf42db8a9fd6c9c806cd2d1dccc54228babd51121f29ff928dc095d7f337aac9
CRC32 F678348C
ssdeep 49152:yVbgW+uTTZfEX3H36GodbHYBbZalIrzwkvl+fsJI+SJNrBmVEXkUGHlWA3HylLvi:4JcHqFbHS/zRt+f+INrBmV0GHRHr
Yara
  • PE_Header_Zero - PE File Signature Zero
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check

Name  Response  Post-Analysis Lookup
No hosts contacted.

IP Address       Status  Action
164.124.101.2    Active  Moloch
192.243.108.143  Active  Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section \x00
section .idata
section
section orgbxfez
section urgdwfku
section " \x00 " (virtual_address 0x00002000, virtual_size 0x0001c000, size_of_data 0x0000a400, entropy 7.976839165762438) description A section with a high entropy has been found
section ".rsrc" (virtual_address 0x0001e000, virtual_size 0x0001e578, size_of_data 0x0000e200, entropy 7.984308658516933) description A section with a high entropy has been found
section "orgbxfez" (virtual_address 0x0041c000, virtual_size 0x0033a000, size_of_data 0x00338800, entropy 7.900526195767064) description A section with a high entropy has been found
entropy 0.999558433912 description Overall entropy of this PE file is high
host 192.243.108.143
dead_host 192.243.108.143:1177
Antivirus

Bkav                  W32.AIDetect.malware1
Elastic               malicious (high confidence)
MicroWorld-eScan      Trojan.GenericKD.46083009
FireEye               Generic.mg.e891577b2d323d94
Qihoo-360             Win32/TrojanPSW.Generic.HgIASSgA
ALYac                 Gen:Trojan.Heur.uB0a4uusmIh
Cylance               Unsafe
Sangfor               Trojan.Win32.Save.a
K7AntiVirus           Trojan ( 0053e3381 )
Alibaba               Packed:Win32/Themida.f36633b5
K7GW                  Trojan ( 0053e3381 )
Cybereason            malicious.b2d323
Symantec              ML.Attribute.HighConfidence
ESET-NOD32            a variant of Win32/Packed.Themida.ATV
APEX                  Malicious
Avast                 Win32:Trojan-gen
Kaspersky             Backdoor.MSIL.Crysan.bpv
BitDefender           Trojan.GenericKD.46083009
Paloalto              generic.ml
Ad-Aware              Trojan.GenericKD.46083009
Emsisoft              Trojan.GenericKD.46083009 (B)
VIPRE                 Trojan.Win32.Generic!BT
McAfee-GW-Edition     BehavesLike.Win32.Generic.wc
Sophos                Generic PUA NF (PUA)
Ikarus                Trojan.Win32.Themida
Avira                 TR/Crypt.XPACK.Gen
Microsoft             Trojan:Win32/Wacatac.B!ml
Gridinsoft            Trojan.Heur!.038100A1
Arcabit               Trojan.Generic.D2BF2BC1
AegisLab              Trojan.Win32.Uusmih.4!c
GData                 Trojan.GenericKD.46083009
Cynet                 Malicious (score: 100)
Acronis               suspicious
McAfee                Artemis!E891577B2D32
MAX                   malware (ai score=81)
Malwarebytes          Trojan.MalPack.Themida
TrendMicro-HouseCall  TROJ_GEN.R002H09DB21
Rising                Malware.Heuristic!ET#99% (RDMK:cmRtazrHZi2g1ksJkzfx0d8SdwLU)
SentinelOne           Static AI - Suspicious PE
Fortinet              W32/PossibleThreat
BitDefenderTheta      AI:Packer.4DC1B2B51B
AVG                   Win32:Trojan-gen
CrowdStrike           win/malicious_confidence_100% (W)