Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 25, 2021, 9:34 a.m.	June 25, 2021, 9:51 a.m.

Size	3.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6fbc0679860048dd6641e4230e0d4656`
SHA256	`0ed0c776fd482bbce2989268f0ea7e54c94a56c843a261a9241e1d761224ba17`
CRC32	`21CC671F`
ssdeep	`98304:yZKBppPzUOMTmTNaLhehqeR7Nr1HB/KJNNNbEl:yZKB3PemXZHB/KvEl`
PDB Path	D:\zuhaowan\zhw\projects\ElcProject\p2pdown_fenxiao\Release\fenxiao_online.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description)

Zeus_online_21060801.exe "C:\Users\test22\AppData\Local\Temp\Zeus_online_21060801.exe"
4244

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
121.4.183.54	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 25, 2021, 9:34 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

D:\zuhaowan\zhw\projects\ElcProject\p2pdown_fenxiao\Release\fenxiao_online.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 25, 2021, 9:34 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

ZIPRES

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 25, 2021, 9:34 a.m.	process_identifier: 4244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (19 events)

name

ZIPRES

language

LANG_CHINESE

filetype

Zip archive data, at least v2.0 to extract

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0032a3f8

size

0x00030c72

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002e81f8

size

0x00042028

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002e81f8

size

0x00042028

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002e81f8

size

0x00042028

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002e81f8

size

0x00042028

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002e81f8

size

0x00042028

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002e81f8

size

0x00042028

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002e81f8

size

0x00042028

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002e81f8

size

0x00042028

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002e81f8

size

0x00042028

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002e81f8

size

0x00042028

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002e81f8

size

0x00042028

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002e81f8

size

0x00042028

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0032a280

size

0x00000050

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0032a2e0

size

0x00000114

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0035b070

size

0x0000003c

name

RT_ACCELERATOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0032a2d0

size

0x00000010

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0032a220

size

0x0000005a

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0032a220

size

0x0000005a

Communicates with host for which no DNS query was performed (2 events)

host	121.4.183.54
host	172.217.25.14

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

MicroWorld-eScan	Gen:Variant.Johnnie.350288
McAfee	Artemis!6FBC06798600
Cylance	Unsafe
Sangfor	Riskware.Win32.Wacapew.C
Cybereason	malicious.986004
Arcabit	Trojan.Johnnie.D55850
Cyren	W32/Trojan.OJGB-4920
Symantec	ML.Attribute.HighConfidence
Avast	Win32:Malware-gen
BitDefender	Gen:Variant.Johnnie.350288
Paloalto	generic.ml
Ad-Aware	Gen:Variant.Johnnie.350288
Emsisoft	Gen:Variant.Johnnie.350288 (B)
Comodo	TrojWare.Win32.Agent.yaoyw@0
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.Dropper.wh
FireEye	Gen:Variant.Johnnie.350288
Webroot	W32.Malware.Gen
MAX	malware (ai score=87)
Microsoft	Program:Win32/Wacapew.C!ml
AegisLab	Trojan.Win32.Johnnie.4!c
GData	Gen:Variant.Johnnie.350288
ALYac	Gen:Variant.Johnnie.350288
Malwarebytes	Trojan.MalPack
TrendMicro-HouseCall	TROJ_GEN.R002H09FJ21
Fortinet	W32/PossibleThreat
BitDefenderTheta	Gen:NN.ZexaF.34758.AxX@amuh9Mkj
AVG	Win32:Malware-gen
CrowdStrike	win/malicious_confidence_60% (W)

Zeus_online_21060801.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All