Summary | ZeroBOX

file5.exe

Anti_VM PE32 PE File
Category FILE
Machine s1_win7_x6401
Started May 18, 2021, 8:56 a.m.
Completed May 18, 2021, 9:04 a.m.
Size 3.0MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 723a3fc8d6faeefe3f6ac7eca0f56570
SHA256 c77b7a78fc922be3210be594ab333e025c17b3fcd1263abc183b31c3f034c6da
CRC32 59EEB65B
ssdeep 24576:YAM6WQww8iezyuKhr1yF4iH9OOe4h/Ct5cXXd4PNMK+Nb1nKXvg/YxolSP6org5B:Djrrekhr1WIVS1KfQXf3v6G
Yara
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
api.faceit.com 104.17.63.50
IP Address Status Action
104.17.63.50 Active Moloch
164.124.101.2 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
section
section .themida
section .loadcon
section Wb5BZ4Uq
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
file5+0x2ec021 @ 0x6ec021
file5+0x2ec0be @ 0x6ec0be

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1638148
registers.edi: 4833280
registers.eax: 1638148
registers.ebp: 1638228
registers.edx: 2130566132
registers.ebx: 0
registers.esi: 2000778283
registers.ecx: 4061659136
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 a2 db ed ff
exception.symbol: file5+0x3257ed
exception.instruction: in eax, dx
exception.module: file5.exe
exception.exception_code: 0xc0000096
exception.offset: 3299309
exception.address: 0x7257ed
registers.esp: 1638268
registers.edi: 9318879
registers.eax: 1750617430
registers.ebp: 4833280
registers.edx: 22614
registers.ebx: 0
registers.esi: 6338471
registers.ecx: 20
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d
exception.symbol: file5+0x325861
exception.instruction: in eax, dx
exception.module: file5.exe
exception.exception_code: 0xc0000096
exception.offset: 3299425
exception.address: 0x725861
registers.esp: 1638268
registers.edi: 9318879
registers.eax: 1447909480
registers.ebp: 4833280
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 6338471
registers.ecx: 10
1 0 0

__exception__

stacktrace:
file5+0x7584 @ 0x407584
file5+0x8ba1 @ 0x408ba1
0x18ffc4

exception.instruction_r: 8a 08 40 84 c9 75 f9 2b c2 50 ff 74 24 0c 8b ce
exception.symbol: file5+0x2dbb
exception.instruction: mov cl, byte ptr [eax]
exception.module: file5.exe
exception.exception_code: 0xc0000005
exception.offset: 11707
exception.address: 0x402dbb
registers.esp: 1637012
registers.edi: 1
registers.eax: 0
registers.ebp: 1637152
registers.edx: 1
registers.ebx: 0
registers.esi: 4800604
registers.ecx: 4800604
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7743f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00492000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047f000
process_handle: 0xffffffff
1 0 0
section (name: ' ', virtual_address: 0x00001000, virtual_size: 0x0007d5b2, size_of_data: 0x00045400, entropy: 7.999328424701181) entropy 7.9993284247 description A section with a high entropy has been found
section (name: ' ', virtual_address: 0x0007f000, virtual_size: 0x00014dc0, size_of_data: 0x00008200, entropy: 7.98339332309402) entropy 7.98339332309 description A section with a high entropy has been found
section (name: ' ', virtual_address: 0x00094000, virtual_size: 0x00005824, size_of_data: 0x00000c00, entropy: 7.7460485237182155) entropy 7.74604852372 description A section with a high entropy has been found
section (name: ' ', virtual_address: 0x0009a000, virtual_size: 0x00000a80, size_of_data: 0x00000a00, entropy: 7.444093416811098) entropy 7.44409341681 description A section with a high entropy has been found
section (name: Wb5BZ4Uq, virtual_address: 0x00359000, virtual_size: 0x000008d0, size_of_data: 0x00000a00, entropy: 7.300811618281613) entropy 7.30081161828 description A section with a high entropy has been found
Time & API Arguments Status Return Repeated

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: File Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Process Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: Registry Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 76 (SystemFirmwareTableInformation)
3221225507 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d
exception.symbol: file5+0x325861
exception.instruction: in eax, dx
exception.module: file5.exe
exception.exception_code: 0xc0000096
exception.offset: 3299425
exception.address: 0x725861
registers.esp: 1638268
registers.edi: 9318879
registers.eax: 1447909480
registers.ebp: 4833280
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 6338471
registers.ecx: 10
1 0 0
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
McAfee Artemis!723A3FC8D6FA
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Cybereason malicious.815051
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast FileRepMalware
Kaspersky UDS:Trojan.Win32.Chapak
NANO-Antivirus Virus.Win32.Gen.ccmw
F-Secure Trojan.TR/Crypt.ZPACK.Gen
McAfee-GW-Edition BehavesLike.Win32.Generic.wh
FireEye Generic.mg.723a3fc8d6faeefe
Sophos ML/PE-A
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_91%
Gridinsoft Trojan.Heur!.030100A1
Microsoft Trojan:Win32/Sabsik.FL.A!ml
Cynet Malicious (score: 100)
BitDefenderTheta Gen:NN.ZexaF.34690.cJW@auBBBgp
VBA32 BScope.Trojan.Occamy
Rising Malware.Heuristic!ET#97% (RDMK:cmRtazq1lx8dc2jDmNufOjZow9DK)
AVG FileRepMalware
CrowdStrike win/malicious_confidence_60% (D)