Summary | ZeroBOX

updatewin2.exe

PE32 PE File
Category: FILE
Machine: s1_win7_x6402
Started: May 20, 2021, 9:33 a.m.
Completed: May 20, 2021, 10:14 a.m.
Size 274.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 996ba35165bb62473d2a6743a5200d45
SHA256 5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d
CRC32 5F666E64
ssdeep 6144:vLgbC0mVQlY+3aKn7n4CTHcXXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXXXXP:vGCtQlb3aKzvT8XXnXXfXXXWXXXXHXXf
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

DNS (Name / Response / Post-Analysis Lookup): No hosts contacted.

Hosts (IP Address / Status / Action):
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

resource name NUTAVECEHENUBEPUHUGUWUJEJIXA
resource name SOJEVILOHAMOCUGOROZOTAHUJAMIJU
resource name WADUTO
Time & API: NtProtectVirtualMemory
Arguments:
  process_identifier: 4656
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 65536
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00520000
  process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0
name NUTAVECEHENUBEPUHUGUWUJEJIXA language LANG_SERBIAN filetype ASCII text, with no line terminators sublanguage SUBLANG_DEFAULT offset 0x000403c8 size 0x00000100
name SOJEVILOHAMOCUGOROZOTAHUJAMIJU language LANG_SERBIAN filetype ASCII text, with very long lines, with no line terminators sublanguage SUBLANG_DEFAULT offset 0x000404c8 size 0x000002d4
name WADUTO language LANG_SERBIAN filetype ASCII text, with no line terminators sublanguage SUBLANG_DEFAULT offset 0x0004079c size 0x00000070
name RT_BITMAP language LANG_SERBIAN filetype data sublanguage SUBLANG_DEFAULT offset 0x0004637c size 0x00002c08
name RT_BITMAP language LANG_SERBIAN filetype data sublanguage SUBLANG_DEFAULT offset 0x0004637c size 0x00002c08
name RT_BITMAP language LANG_SERBIAN filetype data sublanguage SUBLANG_DEFAULT offset 0x0004637c size 0x00002c08
name RT_ICON language LANG_SERBIAN filetype dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 234027254, next used block 0 sublanguage SUBLANG_DEFAULT offset 0x00048f84 size 0x000010a8
name RT_DIALOG language LANG_SERBIAN filetype data sublanguage SUBLANG_DEFAULT offset 0x0004a02c size 0x0000004c
name RT_STRING language LANG_SERBIAN filetype data sublanguage SUBLANG_DEFAULT offset 0x0004a078 size 0x0000036a
name RT_GROUP_ICON language LANG_SERBIAN filetype data sublanguage SUBLANG_DEFAULT offset 0x0004a3e4 size 0x00000014
name RT_VERSION language LANG_SERBIAN filetype data sublanguage SUBLANG_DEFAULT offset 0x0004a3f8 size 0x000001a4
section .rsrc: size_of_data 0x0000a800, virtual_address 0x00040000, virtual_size 0x0000a724, entropy 6.8837235619312915; description: A section with a high entropy has been found
host 172.217.25.14
Time & API: NtQuerySystemInformation
Arguments:
  information_class: 8 (SystemProcessorPerformanceInformation)
Status: 1  Return: 0  Repeated: 0
Bkav W32.WioesjeNWF.Trojan
Elastic malicious (high confidence)
DrWeb Trojan.Encoder.26667
MicroWorld-eScan Trojan.AgentWDCR.SVC
FireEye Generic.mg.996ba35165bb6247
CAT-QuickHeal Ransom.Stop.S7866402
ALYac Trojan.Ransom.Stop
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
SUPERAntiSpyware Trojan.Agent/Gen-Dropper
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 00545a541 )
Alibaba Trojan:Win32/Qhost.9112e630
K7GW Trojan ( 00545a541 )
Cybereason malicious.165bb6
BitDefenderTheta Gen:NN.ZexaF.34688.ru0@aqo3V9lG
Cyren W32/Kryptik.PT.gen!Eldorado
Symantec Packed.Generic.525
ESET-NOD32 Win32/Qhost.PPC
APEX Malicious
Avast Win32:BotX-gen [Trj]
ClamAV Win.Packed.Agentwdcr-9819888-0
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Trojan.AgentWDCR.SVC
NANO-Antivirus Trojan.Win32.Encoder.fmcefj
Paloalto generic.ml
ViRobot Trojan.Win32.S.Agent.281088.FA
Tencent Malware.Win32.Gencirc.10b9bc2a
Ad-Aware Trojan.AgentWDCR.SVC
Sophos Mal/Generic-R + Mal/GandCrab-G
Comodo TrojWare.Win32.Ransom.GandCrypt.AA@82gsko
Zillya Trojan.Hosts2.Win32.3219
TrendMicro Trojan.Win32.STOP.AC
McAfee-GW-Edition BehavesLike.Win32.Trojan.dh
Emsisoft Trojan.Agent (A)
Jiangmin Trojan.Generic.dayql
eGambit Unsafe.AI_Score_99%
Avira TR/Crypt.Agent.tbytt
MAX malware (ai score=100)
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Kryptik.vb
Microsoft Trojan:Win32/Fareit.V!MTB
GData Win32.Packed.Kryptik.BHC4MD
Cynet Malicious (score: 100)
AhnLab-V3 Win-Trojan/Gandcrab10.Exp
McAfee Generic.bto
TACHYON Trojan/W32.DNSChanger.281088
VBA32 Trojan.Encoder
Malwarebytes Trojan.MalPack.GS
Zoner Trojan.Win32.80301