Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 26, 2021, 8:59 a.m.	May 26, 2021, 9:02 a.m.

Size	405.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b89786dcab1dc0b2c71d410c73a9bf8d`
SHA256	`c41cfbf30ba7bcc2e7d12562b82ab474911f73f12944df0e3c6865f5ae3e2a0f`
CRC32	`4D51F2FB`
ssdeep	`6144:U68VxO9tfae9o0fzdzXPUbzyEIrqKJWOwp51ayTGu2fUcIlCpoiNr0ezlG:UdVxO9wey2dbUvuJwccGuSUY6mRBG`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

richedit.exe "C:\Users\test22\AppData\Local\Temp\richedit.exe"
1108

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 26, 2021, 8:59 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 26, 2021, 8:59 a.m.	process_identifier: 1108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory May 26, 2021, 8:59 a.m.	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d12000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (3 events)

name

RT_ICON

language

LANG_CHINESE

filetype

dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4294967192, next used block 128

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00065610

size

0x000002e8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006b37c

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0006b390

size

0x000002d0

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

DrWeb	Trojan.DownLoad4.8537
MicroWorld-eScan	Backdoor.Generic.621674
FireEye	Backdoor.Generic.621674
McAfee	Generic PWS.y!dci
Cylance	Unsafe
Sangfor	Riskware.Win32.Agent.ky
Cybereason	malicious.cab1dc
Symantec	Trojan.Gen.2
APEX	Malicious
ClamAV	Win.Trojan.Agent-895210
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Backdoor.Generic.621674
NANO-Antivirus	Trojan.Win32.QQMusic.dgryww
AegisLab	Trojan.Win32.Generic.4!c
Tencent	Win32.Trojan.Psw.Pgwl
Ad-Aware	Backdoor.Generic.621674
Emsisoft	Backdoor.Generic.621674 (B)
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	Generic PWS.y!dci
MaxSecure	Trojan.Malware.300983.susgen
MAX	malware (ai score=99)
Antiy-AVL	Trojan/Generic.ASMalwS.85BEB6
Microsoft	Trojan:Win32/Occamy.CC4
GData	Backdoor.Generic.621674
VBA32	Trojan.Download
ALYac	Backdoor.Generic.621674
Rising	Trojan.Bitrep!8.F596 (CLOUD)
Yandex	Trojan.PWS.QQMusic!Cp0N0fXtH4o
Fortinet	PWS_y.DCI!tr
Webroot	W32.Malware.Gen
Panda	Trj/CI.A

richedit.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All