Summary | ZeroBOX

updatewin1.exe

PE32 PE File
Category:   FILE
Machine:    s1_win7_x6402
Started:    May 20, 2021, 9:33 a.m.
Completed:  May 20, 2021, 9:42 a.m.

Size:    272.5KB
Type:    PE32 executable (GUI) Intel 80386, for MS Windows
MD5:     5b4bd24d6240f467bfbc74803c9f15b0
SHA256:  14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e
CRC32:   1C87F7A2
ssdeep:  6144:7qZQGv0d4dW6efSyahstfKVkW5XXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXk:2ZQGXdPe6qU6W5XXnXXfXXXWXXXXHXXE
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Hosts (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP Address      Status   Action
172.217.25.14   Active   Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Resource names:
  NUTAVECEHENUBEPUHUGUWUJEJIXA
  SOJEVILOHAMOCUGOROZOTAHUJAMIJU
  WADUTO

Time & API                 Arguments                                   Status   Return   Repeated

NtProtectVirtualMemory
  process_identifier: 2952
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 65536
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x008f2000
  process_handle: 0xffffffff
                                                                       1        0        0
Name                             Language       Sublanguage       Offset       Size         Filetype
NUTAVECEHENUBEPUHUGUWUJEJIXA     LANG_SERBIAN   SUBLANG_DEFAULT   0x00049c78   0x00000100   ASCII text, with no line terminators
SOJEVILOHAMOCUGOROZOTAHUJAMIJU   LANG_SERBIAN   SUBLANG_DEFAULT   0x00049d78   0x000002d4   ASCII text, with very long lines, with no line terminators
WADUTO                           LANG_SERBIAN   SUBLANG_DEFAULT   0x00049c08   0x00000070   ASCII text, with no line terminators
RT_BITMAP                        LANG_SERBIAN   SUBLANG_DEFAULT   0x00044248   0x00002c08   data
RT_BITMAP                        LANG_SERBIAN   SUBLANG_DEFAULT   0x00044248   0x00002c08   data
RT_BITMAP                        LANG_SERBIAN   SUBLANG_DEFAULT   0x00044248   0x00002c08   data
RT_ICON                          LANG_SERBIAN   SUBLANG_DEFAULT   0x00043138   0x000010a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 351727351, next used block 0
RT_DIALOG                        LANG_SERBIAN   SUBLANG_DEFAULT   0x000441f8   0x0000004c   data
RT_STRING                        LANG_SERBIAN   SUBLANG_DEFAULT   0x0004a208   0x0000036a   data
RT_GROUP_ICON                    LANG_SERBIAN   SUBLANG_DEFAULT   0x000441e0   0x00000014   data
RT_VERSION                       LANG_SERBIAN   SUBLANG_DEFAULT   0x0004a050   0x000001b4   data

Section .rsrc: virtual_address 0x00040000, virtual_size 0x0000a578, size_of_data 0x0000a600, entropy 6.875800779824197
Description: A section with a high entropy has been found
host 172.217.25.14

Time & API                 Arguments                                            Status   Return   Repeated

NtQuerySystemInformation
  information_class: 8 (SystemProcessorPerformanceInformation)
                                                                                1        0        0
Engine                  Detection
Bkav                    W32.TiggreRP.Trojan
MicroWorld-eScan        Trojan.GenericKD.31534187
CAT-QuickHeal           Ransom.Stop.S7866402
Cylance                 Unsafe
Zillya                  Trojan.Vilsel.Win32.37830
SUPERAntiSpyware        Trojan.Agent/Gen-Downloader
Sangfor                 Trojan.Win32.Save.a
K7AntiVirus             Trojan ( 00545a541 )
Alibaba                 Trojan:Win32/Fareit.b230fdcc
K7GW                    Trojan ( 00545a541 )
Cybereason              malicious.d6240f
Cyren                   W32/Kryptik.PT.gen!Eldorado
ESET-NOD32              Win32/Agent.AAFU
APEX                    Malicious
Avast                   Win32:BotX-gen [Trj]
Cynet                   Malicious (score: 100)
Kaspersky               HEUR:Trojan.Win32.Generic
NANO-Antivirus          Trojan.Win32.Stealer.fmbxlx
Paloalto                generic.ml
ViRobot                 Trojan.Win32.S.GandCrab.279040
Rising                  Trojan.Kryptik!1.B582 (KTSE)
Ad-Aware                Trojan.GenericKD.31534187
Sophos                  Mal/Generic-R + Mal/GandCrab-G
Comodo                  TrojWare.Win32.Ransom.GandCrypt.AA@82gsko
DrWeb                   Trojan.PWS.Stealer.24943
VIPRE                   Trojan.Win32.Generic!BT
TrendMicro              Trojan.Win32.STOP.AC
Emsisoft                Trojan.Agent (A)
F-Prot                  W32/Kryptik.PT.gen!Eldorado
Jiangmin                Trojan.Generic.dcbhq
Webroot                 W32.Trojan.Gen
Avira                   TR/Crypt.Agent.iyodi
MAX                     malware (ai score=100)
Kingsoft                Win32.Troj.Undef.(kcloud)
Gridinsoft              Trojan.Win32.Kryptik.vb
AegisLab                Trojan.Win32.Generic.4!c
ZoneAlarm               HEUR:Trojan.Win32.Generic
AhnLab-V3               Win-Trojan/Gandcrab10.Exp
VBA32                   BScope.Trojan.Chapak
TACHYON                 Ransom/W32.GandCrab.279040
Malwarebytes            Trojan.MalPack.GS
Zoner                   Trojan.Win32.80450
TrendMicro-HouseCall    Trojan.Win32.STOP.AC
Tencent                 Malware.Win32.Gencirc.114db74c
Yandex                  Trojan.GenAsa!0onnx8zfuyY
Ikarus                  Trojan-Ransom.Downloader.Stop
eGambit                 Unsafe.AI_Score_90%
Fortinet                W32/Generic.AAFU!tr
AVG                     Win32:BotX-gen [Trj]
Panda                   Trj/WLT.E