Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 13, 2021, 9:44 a.m.	May 13, 2021, 9:44 a.m.

Size	546.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`3ccd1b5d4ea318d18cde4f03a6624679`
SHA256	`5b0a167d886fc4a3f6db12efc525f2a68df7132da2964fd4ccbe393701d9d254`
CRC32	`0D180D9A`
ssdeep	`12288:oY8+1sxs5qh9uycgoGnHB5l0XQyWiRmd18A40bCGi0rj8mp9ATPs:PdpDVgJHBv0geRmddx250v8GYPs`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

update201703280212.exe "C:\Users\test22\AppData\Local\Temp\update201703280212.exe"
2388

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 13, 2021, 9:44 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

ZIP

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 13, 2021, 9:44 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 13, 2021, 9:44 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 13, 2021, 9:44 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72974000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 13, 2021, 9:44 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (1 event)

name

ZIP

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x000515c8

size

0x0006076b

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00087c00', u'virtual_address': u'0x00034000', u'entropy': 7.797780400638962, u'name': u'UPX1', u'virtual_size': u'0x00088000'}

entropy

7.79778040064

description

A section with a high entropy has been found

entropy

0.996330275229

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Bkav	W32.AIDetectVM.malware1
FireEye	Generic.mg.3ccd1b5d4ea318d1
McAfee	Artemis!3CCD1B5D4EA3
Cylance	Unsafe
Sangfor	Malware
Alibaba	Trojan:Win32/Fugrafa.95b51548
Cyren	W32/Trojan.CSH.gen!Eldorado
APEX	Malicious
Paloalto	generic.ml
AegisLab	Trojan.Win32.Generic.4!c
F-Secure	Heuristic.HEUR/AGEN.1118742
DrWeb	Trojan.DownLoad4.6872
McAfee-GW-Edition	BehavesLike.Win32.Dropper.hc
Sophos	Generic PUA BD (PUA)
Jiangmin	AdWare.Generic.gssa
eGambit	Unsafe.AI_Score_95%
Avira	HEUR/AGEN.1118742
Antiy-AVL	Trojan/Win32.Generic
Gridinsoft	Trojan.Win32.Agent.vb!s2
Microsoft	PUA:Win32/Presenoker
Cynet	Malicious (score: 100)
VBA32	Trojan.Download
Yandex	Trojan.GenAsa!DPzVoG23Lus
Ikarus	Trojan.Fugrafa
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Generic_PUA_BD.KJ!tr
Qihoo-360	Win32/Trojan.419

update201703280212.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All