Summary | ZeroBOX

loader_v.exe

PE64 PE File
Category: FILE
Machine: s1_win7_x6402
Started: June 25, 2021, 3:16 p.m.
Completed: June 25, 2021, 3:18 p.m.
Size 7.5MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 6463f298a5906133c8bf1b375ad3d5be
SHA256 fafd3207bf267790beea5a8b0c1f0af421933e20938f6b644459704c5cd3dbf7
CRC32 0F3ACE85
ssdeep 196608:ss5dOrrONRuMMrkNwEs1sPY8ue5D6jBk6:sqdaONw9/10JD69
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
section _RDATA
section .vdata0
section .vdata1
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
exception.instruction_r: 90 68 c3 1c a7 73 e8 3b 4d 00 00 68 ea 8f 69 7e
exception.instruction: nop
exception.module: loader_v.exe
exception.exception_code: 0x80000004
exception.offset: 13529838
exception.address: 0x1405d72ee
registers.r14: 0
registers.r15: 0
registers.rcx: 3735929054
registers.rsi: 0
registers.r10: 3379142502
registers.rbx: 0
registers.rsp: 1964208
registers.r11: 84
registers.r8: 655420
registers.r9: 43840
registers.rdx: 10114
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1005919175
registers.r13: 0
Status 1  Return 0  Repeated 0
  • section .vdata1 (virtual_address 0x006b0000, virtual_size 0x0077f038, size_of_data 0x0077f200, entropy 7.947546417598107) - A section with a high entropy has been found
  • entropy 0.999869749267 - Overall entropy of this PE file is high
  • host 172.217.25.14
MicroWorld-eScan Trojan.GenericKD.46516356
FireEye Generic.mg.6463f298a5906133
CAT-QuickHeal Trojanspy.Bobik
McAfee Artemis!6463F298A590
Sangfor Trojan.Win32.Save.a
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Application/Generic.d495377c
K7GW Riskware ( 0040eff71 )
CrowdStrike win/malicious_confidence_100% (W)
Symantec Trojan.Gen.MBT
APEX Malicious
Avast Win64:Malware-gen
Kaspersky Trojan-Spy.Win32.Bobik.hbq
BitDefender Trojan.GenericKD.46516356
Paloalto generic.ml
AegisLab Trojan.Win32.Bobik.l!c
Ad-Aware Trojan.GenericKD.46516356
McAfee-GW-Edition BehavesLike.Win64.Generic.wc
Emsisoft Trojan.GenericKD.46516356 (B)
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.300983.susgen
MAX malware (ai score=89)
Microsoft Program:Win32/Wacapew.C!ml
Gridinsoft Trojan.Heur!.02296023
Arcabit Trojan.Generic.D2C5C884
GData Trojan.GenericKD.46516356
Cynet Malicious (score: 100)
ALYac Trojan.GenericKD.46516356
Fortinet PossibleThreat.PALLAS.H
AVG Win64:Malware-gen
Panda Trj/CI.A