Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.09 10:09
vjgg.exe
09.09 10:09
lnef.exe
09.09 10:09
1.exe
09.09 10:09
oclo.exe
09.09 10:09
pclient.exe
09.09 10:09
lemon.exe
09.09 10:09
responsibilityleadpro.exe
09.09 09:09
Twitch x Loot Lab Even...
09.09 09:09
66dcad8f5f33a_crypted.exe
09.09 09:09
sgf.exe

Latest News
09.09 01:09
U.S. Offers $10 Millio...
09.09 01:09
밸롭·웨이든, 24FW 뉴 컬렉션 런칭에...
09.09 01:09
플로리아, 층간소음매트부문 '2024년 ...
09.09 01:09
웹 예능 '기억을 잊는 밤' 누적 조회수...
09.09 01:09
한국장학진흥원, 심리상담사 자격증 24종...
09.09 01:09
코드크레용 'Shortime', 글로벌 ...
09.09 01:09
핀블랙(PINBLACK), 빈티지 '여성...
09.09 01:09
Why ICS Is the Busines...
09.09 01:09
ISC Stormcast For Mond...
09.09 01:09
KISA, 국내 정보보호기업 중동지역 수...

Summary | ZeroBOX

rets.exe

OS Processor Check PE64 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 20, 2021, 9:31 a.m.	May 20, 2021, 9:40 a.m.

Size	290.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`c344e0908b85d5fda0f5c51e815d977e`
SHA256	`353bb0de2e0c9f16d17f74e81708c2cd7cbf07cf5845a8652f0f27f97d8a3161`
CRC32	`1CC2D441`
ssdeep	`6144:kI1Fscig7jAE0g6n3rPB4b569ncFqea9Z/2TB+ZAqIU4YA6SPhnAcX+4Jt+x9EEN:Yb1R2TIGqIU4YJSpt+4JUB`
Yara	IsPE64 - (no description) PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check

rets.exe "C:\Users\test22\AppData\Local\Temp\rets.exe"
1016

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 20, 2021, 9:31 a.m.	computer_name: TEST22-PC	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 20, 2021, 9:31 a.m.	process_identifier: 1016 region_size: 159744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000140000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

FireEye	Generic.mg.c344e0908b85d5fd
CrowdStrike	win/malicious_confidence_60% (W)
APEX	Malicious
Microsoft	Trojan:Script/Phonzy.B!ml
Cynet	Malicious (score: 100)
Cybereason	malicious.a13ee5

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (1 event)

Time & API	Arguments	Status	Return	Repeated
CryptHashData May 20, 2021, 9:31 a.m.	buffer: 01ca0431 fdb0c77c.01ca0431 fec9a6f8.TEST22-PC.7c6024ad hash_handle: 0x000000000035b7d0 flags: 0	1	1	0