Summary | ZeroBOX

Optimize.facebook.ads.exe

Generic Malware OS Processor Check PE32 PE File
Category FILE
Machine s1_win7_x6401
Started May 18, 2021, 5:37 p.m.
Completed May 18, 2021, 5:37 p.m.
Size 189.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a5292f2ae50ae5ca63dd1ae659548c28
SHA256 788891968f40e55bf749ecd6d67ba4fcd7c1d890293586f19a462a3e670cbe35
CRC32 C0B7EC66
ssdeep 3072:Wpo9pRCZC4uXxON7/IK6zvutuxmZ7TJkF65LyaPsKHuuc6s9Jfra52KR5VjRH40w:clD/Autu4XLtPBHexrK2U5lRHbyeGN
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address 164.124.101.2
Status Active
Action Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .00cfg
section .voltbl
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x340bc8
optimize+0x22e5 @ 0xfe22e5
optimize+0x2e8c @ 0xfe2e8c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.esp: 1636116
registers.edi: 3410889
registers.eax: 1
registers.ebp: 1636572
registers.edx: 1
registers.ebx: 2130567169
registers.esi: 1970488159
registers.ecx: 2
status: 1 return: 0 repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 94208
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00340000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 1116
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 1116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
section .rsrc: size_of_data 0x0001aa00, virtual_address 0x00019000, virtual_size 0x0001a994, entropy 7.494755393517896; description: A section with a high entropy has been found
overall entropy 0.564986737401; description: Overall entropy of this PE file is high
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.36890514
FireEye Generic.mg.a5292f2ae50ae5ca
CAT-QuickHeal Trojan.Inject
ALYac Trojan.GenericKD.36890514
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Riskware ( 0040eff71 )
K7GW Riskware ( 0040eff71 )
Cybereason malicious.ae50ae
BitDefenderTheta AI:Packer.8E7A02FE1F
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:Malware-gen
BitDefender Trojan.GenericKD.36890514
AegisLab Trojan.Win32.Malicious.4!c
Ad-Aware Trojan.GenericKD.36890514
Emsisoft Trojan.GenericKD.36890514 (B)
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
Sophos ML/PE-A
MAX malware (ai score=85)
Microsoft Trojan:Win32/Wacatac.B!ml
Gridinsoft Trojan.Win32.Downloader.sa
GData Trojan.GenericKD.36890514
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Generic.C4469869
McAfee Artemis!A5292F2AE50A
Malwarebytes Malware.AI.4283024641
TrendMicro-HouseCall TROJ_GEN.R002H09E921
Rising Trojan.Inject!8.103 (CLOUD)
SentinelOne Static AI - Suspicious PE
Fortinet Malicious_Behavior.SB
AVG Win32:Malware-gen
CrowdStrike win/malicious_confidence_80% (W)