Summary | ZeroBOX

87435972.exe

Generic Malware Admin Tool (Sysinternals etc ...) PE32 PE File
Category: FILE
Machine: s1_win7_x6401
Started: June 18, 2021, 10:28 a.m.
Completed: June 18, 2021, 10:30 a.m.
Size: 2.1MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 75cb80f790fc91926ba1d90a0bb6e09e
SHA256: 87483d4bb3c1471ff52b52c8c1be35161f1bbbce07b1b8e321406849a01cdd59
CRC32: 65A812E6
ssdeep: 49152:xc8Yi+UV5akG6M8urTAPDB8d9HVXxOgUB1/EEU6hrHn:r9HKOM8urTAPDB8v1AaelHn
Yara
  • PE_Header_Zero - PE File Signature
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)
  • themida_packer - themida packer

Name | Response | Post-Analysis Lookup
No hosts contacted.
IP Address | Status | Action
164.124.101.2 | Active | Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section
section .imports
section .themida
section .boot
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
87435972+0x2e0b2f @ 0x12e0b2f
87435972+0x2f33d9 @ 0x12f33d9

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 4652184
registers.edi: 17129472
registers.eax: 4652184
registers.ebp: 4652264
registers.edx: 2130566132
registers.ebx: 4587563
registers.esi: 2000778283
registers.ecx: 4080861184
1 0 0

__exception__

stacktrace:
exception.instruction_r: ed e9 e5 b2 13 00 c3 e9 00 a6 12 00 6b 8b 21 00
exception.symbol: 87435972+0x201699
exception.instruction: in eax, dx
exception.module: 87435972.exe
exception.exception_code: 0xc0000096
exception.offset: 2102937
exception.address: 0x1201699
registers.esp: 4652304
registers.edi: 8204786
registers.eax: 1750617430
registers.ebp: 17129472
registers.edx: 22614
registers.ebx: 16777216
registers.esi: 18206010
registers.ecx: 20
1 0 0

__exception__

stacktrace:
exception.instruction_r: ed e9 da 7d 00 00 c9 8d 64 b8 07 00 00 00 fa 7d
exception.symbol: 87435972+0x3189f3
exception.instruction: in eax, dx
exception.module: 87435972.exe
exception.exception_code: 0xc0000096
exception.offset: 3246579
exception.address: 0x13189f3
registers.esp: 4652304
registers.edi: 8204786
registers.eax: 1447909480
registers.ebp: 17129472
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 18206010
registers.ecx: 10
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7743f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0103f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01030000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01030000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 69632
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01030000
process_handle: 0xffffffff
1 0 0
section name: ' ' (blank)  virtual_address: 0x00001000  virtual_size: 0x0002eb42  size_of_data: 0x00018be7  entropy: 7.984651161376785  description: A section with a high entropy has been found
section name: ' ' (blank)  virtual_address: 0x00030000  virtual_size: 0x00010ba0  size_of_data: 0x000070fb  entropy: 7.953872143248874  description: A section with a high entropy has been found
section name: ' ' (blank)  virtual_address: 0x00041000  virtual_size: 0x0000240c  size_of_data: 0x000004e7  entropy: 7.814316766728617  description: A section with a high entropy has been found
section name: ' ' (blank)  virtual_address: 0x00044000  virtual_size: 0x00002a9c  size_of_data: 0x0000225e  entropy: 7.950588211516624  description: A section with a high entropy has been found
section name: ' ' (blank)  virtual_address: 0x00047000  virtual_size: 0x00006160  size_of_data: 0x00000fbc  entropy: 7.89248585310111  description: A section with a high entropy has been found
section name: .boot  virtual_address: 0x003da000  virtual_size: 0x001fa400  size_of_data: 0x001fa215  entropy: 7.951153153883702  description: A section with a high entropy has been found
overall entropy: 0.98858703987  description: Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: File Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Process Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: Registry Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 76 (SystemFirmwareTableInformation)
3221225507 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
exception.instruction_r: ed e9 da 7d 00 00 c9 8d 64 b8 07 00 00 00 fa 7d
exception.symbol: 87435972+0x3189f3
exception.instruction: in eax, dx
exception.module: 87435972.exe
exception.exception_code: 0xc0000096
exception.offset: 3246579
exception.address: 0x13189f3
registers.esp: 4652304
registers.edi: 8204786
registers.eax: 1447909480
registers.ebp: 17129472
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 18206010
registers.ecx: 10
1 0 0
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Trojan.Heur.TP.jMW@bqOWSVh
CAT-QuickHeal Trojanpws.Convagent
ALYac Gen:Trojan.Heur.TP.jMW@bqOWSVh
Cylance Unsafe
Sangfor Trojan.Win32.Glupteba.ml
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Packed:Win32/Themida.45b169ea
K7GW Riskware ( 0040eff71 )
Cybereason malicious.790fc9
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Packed.Themida.HWL
APEX Malicious
Paloalto generic.ml
BitDefender Gen:Trojan.Heur.TP.jMW@bqOWSVh
Avast Win32:Malware-gen
Ad-Aware Gen:Trojan.Heur.TP.jMW@bqOWSVh
Sophos Mal/Generic-S
Comodo TrojWare.Win32.UMal.xykwg@0
McAfee-GW-Edition BehavesLike.Win32.Generic.vc
FireEye Generic.mg.75cb80f790fc9192
Emsisoft Gen:Trojan.Heur.TP.jMW@bqOWSVh (B)
Ikarus Trojan.Win32.Themida
Webroot W32.Malware.Gen
eGambit Unsafe.AI_Score_97%
Kingsoft Win32.Heur.KVMH008.a.(kcloud)
Microsoft Trojan:Win32/Glupteba!ml
Gridinsoft Trojan.Heur!.032100A1
Arcabit Trojan.Heur.TP.E7F6B7
AegisLab Trojan.Win32.Convagent.i!c
GData Gen:Trojan.Heur.TP.jMW@bqOWSVh
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.C4528165
Acronis suspicious
McAfee Artemis!75CB80F790FC
MAX malware (ai score=83)
TrendMicro-HouseCall TROJ_GEN.R002H09FG21
Rising Trojan.Generic@ML.96 (RDMK:e6Z6Ig/4pw7FctqoOlg8/g)
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/PossibleThreat
BitDefenderTheta AI:Packer.838CA3C11E
AVG Win32:Malware-gen
CrowdStrike win/malicious_confidence_90% (W)