Summary | ZeroBOX

winsys.exe

Tags: Malicious Library, UPX, PE64, PE File

Category: FILE
Machine: s1_win7_x6401
Started: June 24, 2021, 7:45 p.m.
Completed: June 24, 2021, 8:06 p.m.

Size: 2.1MB
Type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5: 0d72c4f5d4b2dac75fc4eae84317b64d
SHA256: 3554975f4212b9bdae2e57cc3d713ad8e6e43ad02bbe8cc6890eca1fdfb1b0a4
CRC32: C6AC7597
ssdeep: 49152:acvwYuHpVMvyff3CK5j3gwlkJWSe2nWQkbZCjX:Jvw7pVEQv95j3giwWP2nd4
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library

Name | Response | Post-Analysis Lookup
No hosts contacted.

IP Address | Status | Action
164.124.101.2 | Active | Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status | Return | Repeated

WriteConsoleW
  buffer: cmd.go:68: error Microsoft Edge secret key path is empty
  console_handle: 0x0000000000000007
  status: 1 | return: 1 | repeated: 0

WriteConsoleW
  buffer: cmd.go:68: error Opera secret key path is empty
  console_handle: 0x0000000000000007
  status: 1 | return: 1 | repeated: 0

WriteConsoleW
  buffer: cmd.go:68: error Vivaldi secret key path is empty
  console_handle: 0x0000000000000007
  status: 1 | return: 1 | repeated: 0

WriteConsoleW
  buffer: cmd.go:68: error Chrome Beta secret key path is empty
  console_handle: 0x0000000000000007
  status: 1 | return: 1 | repeated: 0

WriteConsoleW
  buffer: cmd.go:68: error Brave secret key path is empty
  console_handle: 0x0000000000000007
  status: 1 | return: 1 | repeated: 0

WriteConsoleW
  buffer: cmd.go:68: error OperaGX secret key path is empty
  console_handle: 0x0000000000000007
  status: 1 | return: 1 | repeated: 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF3a15fe.TMP
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache
file C:\Users\test22\AppData\Local\Google\Chrome\User Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\History
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant
section UPX1 (size_of_data: 0x00219a00, virtual_address: 0x00444000, virtual_size: 0x0021a000, entropy: 7.914891344630831) description: A section with a high entropy has been found
entropy 0.999767549977 description: Overall entropy of this PE file is high
section UPX0 description: Section name indicates UPX
section UPX1 description: Section name indicates UPX
section UPX2 description: Section name indicates UPX
Time & API | Arguments | Status | Return | Repeated

LdrGetProcedureAddress
  ordinal: 0
  function_address: 0x000007feff017a50
  function_name: wine_get_version
  module: ntdll
  module_address: 0x00000000771c0000
  return: -1073741511 | repeated: 0
Vendor | Result
Elastic | malicious (high confidence)
MicroWorld-eScan | Trojan.GenericKD.36363537
ALYac | Trojan.GenericKD.36363537
Cylance | Unsafe
VIPRE | Trojan.Win32.Generic!BT
Sangfor | Trojan.Win32.Ymacco.AA26
K7AntiVirus | Password-Stealer ( 005735d71 )
Alibaba | TrojanPSW:Win64/BroPass.19137d4e
K7GW | Password-Stealer ( 005735d71 )
Cybereason | malicious.5d4b2d
Cyren | W64/Trojan.RYFH-3123
Symantec | Trojan.Gen.MBT
ESET-NOD32 | a variant of WinGo/PSW.Agent.E
APEX | Malicious
Paloalto | generic.ml
Kaspersky | Trojan-PSW.Win64.BroPass.ad
BitDefender | Trojan.GenericKD.36363537
NANO-Antivirus | Trojan.Win64.Mlw.iuhycu
AegisLab | Trojan.Win32.Generic.4!c
Avast | Win64:Trojan-gen
Tencent | Win64.Trojan-qqpass.Qqrob.Hpa
Ad-Aware | Trojan.GenericKD.36363537
Emsisoft | Trojan.GenericKD.36363537 (B)
Zillya | Trojan.Agent.Win64.7442
TrendMicro | TROJ_GEN.R007C0WDK21
McAfee-GW-Edition | BehavesLike.Win64.Trickbot.vc
FireEye | Trojan.GenericKD.36363537
Sophos | Mal/Generic-S
Ikarus | Trojan-PSW.Agent
Webroot | W32.Trojan.Gen
Avira | TR/PSW.Agent.zoohd
Microsoft | Trojan:Win32/Ymacco.AA26
Arcabit | Trojan.Generic.D22ADD11
ZoneAlarm | Trojan-PSW.Win64.BroPass.ad
GData | Trojan.GenericKD.36363537
Cynet | Malicious (score: 100)
McAfee | Artemis!0D72C4F5D4B2
MAX | malware (ai score=89)
VBA32 | TrojanPSW.Win64.BroPass
Malwarebytes | Malware.AI.4285609017
TrendMicro-HouseCall | TROJ_GEN.R007C0WDK21
Rising | Stealer.Agent!8.C2 (CLOUD)
Yandex | Trojan.PWS.Agent!ZrfqZPo7xPk
SentinelOne | Static AI - Suspicious PE
Fortinet | W64/Agent.AA!tr.pws
AVG | Win64:Trojan-gen
Panda | Trj/CI.A
CrowdStrike | win/malicious_confidence_100% (W)