Summary | ZeroBOX

system.exe

PE64 PE File
Category: FILE
Machine: s1_win7_x6401
Started: June 24, 2021, 7:26 p.m.
Completed: June 24, 2021, 8:13 p.m.
Size 42.2KB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 7b7ba402f370903873c0dd6bb8dcfb3a
SHA256 cb948541d3ea253dd2921211c05a42414a9cd537bf847b9bdb0008daa01d40ea
CRC32 DCF1ABF9
ssdeep 384:OulS8EquIf3U0FlbhwInQ/2gGDfTtT62l85uCAStlS6e/cL4af0SYbQ/FMh8ti9E:HM89uIf3UEw3gD8ztlSn/cWRQ3t+E
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

Name: cdn-0.dns.wanglaoji.xyz
IP Address: 164.124.101.2
Status: Active

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x4c2000

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x4c2000
registers.r14: 0
registers.r15: 0
registers.rcx: 48
registers.rsi: 46
registers.r10: 0
registers.rbx: 1
registers.rsp: 2293280
registers.r11: 514
registers.r8: 2291880
registers.r9: 2291936
registers.rdx: 8796092887632
registers.r12: 1
registers.rbp: 2293328
registers.rdi: 5396400
registers.rax: 4980736
registers.r13: 8
status: 1
return: 0
repeated: 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000004c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
status: 1
return: 0
repeated: 0
MicroWorld-eScan Trojan.GenericKD.37125288
FireEye Trojan.GenericKD.37125288
ALYac Trojan.GenericKD.37125288
K7AntiVirus Trojan ( 0057e4b51 )
Alibaba Trojan:Win64/Shelma.54aee17a
K7GW Trojan ( 0057e4b51 )
Cybereason malicious.154369
Arcabit Trojan.Generic.D2367CA8
Cyren W64/Trojan.JBYL-2995
Symantec Trojan.Gen.MBT
ESET-NOD32 Win64/Agent.AQC
Avast Win64:Trojan-gen
Kaspersky Trojan.Win64.Shelma.lkf
BitDefender Trojan.GenericKD.37125288
Ad-Aware Trojan.GenericKD.37125288
Sophos Mal/Generic-S
McAfee-GW-Edition Artemis!Trojan
Emsisoft Trojan.GenericKD.37125288 (B)
APEX Malicious
Avira TR/Agent.vzrvm
MAX malware (ai score=82)
Microsoft Trojan:Win32/Wacatac.B!ml
AegisLab Trojan.Win64.Shelma.4!c
GData Trojan.GenericKD.37125288
Cynet Malicious (score: 99)
McAfee Artemis!7B7BA402F370
Ikarus Trojan.Win64.Agent
SentinelOne Static AI - Suspicious PE
Fortinet W64/Shelma.LKF!tr
AVG Win64:Trojan-gen
Panda Trj/CI.A
CrowdStrike win/malicious_confidence_60% (W)