Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 24, 2021, 6:50 p.m.	June 24, 2021, 6:56 p.m.

Size	49.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e26b7bc94aac86c0faef0ed54aaa4461`
SHA256	`cc095322275f33b13f9ab3c36cd1e54a315c6f6def3991b05922caf6b1146a05`
CRC32	`1A96B8F6`
ssdeep	`768:gpXblTxujWdn9jg6+xcDxXhQ3m2/3VHS7QW6x8deVsqE6PS5Vxdw8n/:gpp06dii9W33vo7Q+jq7a5bdL/`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

download.php "C:\Users\test22\AppData\Local\Temp\download.php"
2288

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 24, 2021, 6:50 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 24, 2021, 6:50 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 events)

section	CODE
section	DATA
section	BSS
section	.aspack
section	.adata

The executable uses a known packer (1 event)

packer

ASPack v2.12 -> Alexey Solodovnikov

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 24, 2021, 6:50 p.m.	process_identifier: 2288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (7 events)

name

RT_ICON

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0001a15c

size

0x000008a8

name

RT_ICON

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0001a15c

size

0x000008a8

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00017750

size

0x00000076

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00017750

size

0x00000076

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00017750

size

0x00000076

name

RT_DIALOG

language

LANG_KOREAN

filetype

empty

sublanguage

SUBLANG_KOREAN

offset

0x00017750

size

0x00000076

name

RT_GROUP_ICON

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0001a138

size

0x00000022

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x00007200', u'virtual_address': u'0x00001000', u'entropy': 7.981390066403979, u'name': u'CODE', u'virtual_size': u'0x0000e000'}

entropy

7.9813900664

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000400', u'virtual_address': u'0x0000f000', u'entropy': 7.03888112995485, u'name': u'DATA', u'virtual_size': u'0x00001000'}

entropy

7.03888112995

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000600', u'virtual_address': u'0x00011000', u'entropy': 6.802273252168267, u'name': u'.idata', u'virtual_size': u'0x00001000'}

entropy

6.80227325217

description

A section with a high entropy has been found

entropy

0.729411764706

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Bkav	W32.AIDetect.malware1
Cylance	Unsafe
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
APEX	Malicious
Paloalto	generic.ml
Jiangmin	Trojan/Generic.aqscn
Gridinsoft	Trojan.Win32.Agent.vb!s1
Microsoft	Program:Win32/Wacapew.C!ml
VBA32	Trojan.MulDrop
Malwarebytes	Malware.AI.3356647701
Yandex	Backdoor.Agent!JpE4mAkYxXE
Ikarus	Trojan.Gendal
MaxSecure	Trojan.Malware.300983.susgen
CrowdStrike	win/malicious_confidence_60% (W)

download.php

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All