Summary | ZeroBOX

file23.exe

PE64 PE File
Category: FILE
Machine: s1_win7_x6402
Started: May 27, 2021, 9:16 a.m.
Completed: May 27, 2021, 9:20 a.m.
Size 4.7MB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 4c9bb1adf101943c077c224a224ed490
SHA256 44815a42eb3317c7e567f8e20388bd9e28cf71096f45f4ee6094f26888dcfb0c
CRC32 FD01E8A2
ssdeep 98304:xmIzxLU6ER4UQ7pekquI94vc1VSYtVQi+r848:xmaLU6Ei5pNI94vcLftVQiQe
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status Action
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000028860000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
Status: 1 Return: 0 Repeated: 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000289c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
Status: 1 Return: 0 Repeated: 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 1179648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000028860000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
Status: 1 Return: 0 Repeated: 0

NtAllocateVirtualMemory

process_identifier: 8768
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000028900000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
Status: 1 Return: 0 Repeated: 0
section UPX1 (size_of_data: 0x004b0400, virtual_address: 0x001ab000, virtual_size: 0x004b1000, entropy: 7.772641018759115) entropy 7.77264101876 description A section with a high entropy has been found
entropy 0.999895865875 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
section UPX2 description Section name indicates UPX
host 172.217.25.14
FireEye Generic.mg.4c9bb1adf101943c
Cylance Unsafe
Cybereason malicious.68a645
ESET-NOD32 a variant of WinGo/GoCLR.A
APEX Malicious
Kaspersky VHO:Trojan-Dropper.MSIL.Convagent.gen
F-Secure Heuristic.HEUR/AGEN.1142802
McAfee-GW-Edition BehavesLike.Win64.Gravity.rc
Avira HEUR/AGEN.1142802
Microsoft Program:Win32/Wacapew.C!ml
Cynet Malicious (score: 100)
eGambit Unsafe.AI_Score_100%
MaxSecure Trojan.Malware.300983.susgen
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

ordinal: 0
function_address: 0x000007feff017a50
function_name: wine_get_version
module: ntdll
module_address: 0x00000000771c0000
-1073741511 0