Summary | ZeroBOX

partsoffer.exe

PE32 PE File
Category: FILE
Machine: s1_win7_x6402
Started: June 24, 2021, 7:29 p.m.
Completed: June 24, 2021, 8:30 p.m.
Size 1.3MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e15787ea22a793ff3c4d414c18234fec
SHA256 e2d41e6fae54525411887f8bad539d96f36a7668304bd60011bd1b9532bc325e
CRC32 AC9CDBEB
ssdeep 24576:GqZaXhzKHU2yQcD8+9Wu7I39dZymxNvUt8FPV18t4Bm7xc2EBKfQOemYe:Gq8oU2WDMT39dgcNv/F918+BIxc2IKfS
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

Status 1, Return 1, Repeated 0
section CODE
section DATA
section BSS
section .aspack
section .adata
packer ASPack v2.12 -> Alexey Solodovnikov
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
partsoffer+0xc629e @ 0x4c629e
partsoffer+0xc8a54 @ 0x4c8a54
partsoffer+0xc84be @ 0x4c84be
partsoffer+0x1fda04 @ 0x5fda04
partsoffer+0x35c401 @ 0x75c401
partsoffer+0x8ff63 @ 0x48ff63
partsoffer+0x8fbca @ 0x48fbca
partsoffer+0x975ac @ 0x4975ac
partsoffer+0x3603be @ 0x7603be
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1636772
registers.edi: 7715908
registers.eax: 1636772
registers.ebp: 1636852
registers.edx: 0
registers.ebx: 8456
registers.esi: 36839624
registers.ecx: 7
Status 1, Return 0, Repeated 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 3972
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00bc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status 1, Return 0, Repeated 0

NtProtectVirtualMemory

process_identifier: 3972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
Status 1, Return 0, Repeated 0
name RT_ICON: language LANG_KOREAN, sublanguage SUBLANG_KOREAN, filetype "dBase III DBT, version number 0, next free block index 40", offset 0x004f87cc, size 0x00010828
name RT_GROUP_ICON: language LANG_KOREAN, sublanguage SUBLANG_KOREAN, filetype data, offset 0x004f87b8, size 0x00000014
section CODE: size_of_data 0x00107400, virtual_address 0x00001000, virtual_size 0x00360000, entropy 7.99976492402 (A section with a high entropy has been found)
section DATA: size_of_data 0x00002400, virtual_address 0x00361000, virtual_size 0x00006000, entropy 7.84657282941 (A section with a high entropy has been found)
section .idata: size_of_data 0x00001400, virtual_address 0x00369000, virtual_size 0x00004000, entropy 7.83526605843 (A section with a high entropy has been found)
section .rsrc: size_of_data 0x00032400, virtual_address 0x003a5000, virtual_size 0x00152000, entropy 7.85109597345 (A section with a high entropy has been found)
entropy 0.945915703096: Overall entropy of this PE file is high
host 172.217.25.14
MicroWorld-eScan Trojan.GenericKD.37141407
FireEye Trojan.GenericKD.37141407
McAfee Artemis!E15787EA22A7
Sangfor Suspicious.Win32.Artemis.E15787EA22A7
Avast Win32:Malware-gen
BitDefender Trojan.GenericKD.37141407
Ad-Aware Trojan.GenericKD.37141407
Emsisoft Trojan.GenericKD.37141407 (B)
Zillya Trojan.Generic.Win32.1403548
McAfee-GW-Edition Artemis!Trojan
Jiangmin Trojan.Generic.gwuym
MAX malware (ai score=80)
Antiy-AVL Trojan/Generic.ASMalwS.3381206
Gridinsoft Trojan.Win32.AI.oa
GData Trojan.GenericKD.37141407
VBA32 TScope.Trojan.Delf
Malwarebytes Malware.AI.1655360805
Yandex Trojan.GenAsa!O5kSGRR64q8
eGambit Unsafe.AI_Score_99%
AVG Win32:Malware-gen