Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 1, 2021, 1:51 p.m.	July 1, 2021, 1:53 p.m.

Size	362.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`be23958ce4cb7c999dddca276120d276`
SHA256	`7084f1ae45733b1311a449d2a33202b5ca93363755fc6a746b37ed934b8fa9c9`
CRC32	`5627B245`
ssdeep	`3072:QnZGBiNW5OCcUlRE1BnSyjKGTTMowq0yTD9rk55syRSAvxQVEDvzFbX:QgBi0calS7KGTT8hK9rSsBAbvB`
PDB Path	C:\forixanezi9\rohoyiwuduyupe\fahulo.pdb
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check PE_Header_Zero - PE File Signature

file2.exe "C:\Users\test22\AppData\Local\Temp\file2.exe"
2616

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\forixanezi9\rohoyiwuduyupe\fahulo.pdb

The file contains an unknown PE resource name possibly indicative of a packer (4 events)

resource name	AFX_DIALOG_LAYOUT
resource name	DAXEGAJOBAREHOKEZOPUKE
resource name	GAHELOCESUFEGUC
resource name	None

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 1, 2021, 1:51 p.m.	process_identifier: 2616 region_size: 135168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 1, 2021, 1:51 p.m.	process_identifier: 2616 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (19 events)

name

DAXEGAJOBAREHOKEZOPUKE

language

LANG_SERBIAN

filetype

ASCII text, with very long lines, with no line terminators

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb5b8

size

0x00000685

name

GAHELOCESUFEGUC

language

LANG_SERBIAN

filetype

ASCII text, with very long lines, with no line terminators

sublanguage

SUBLANG_DEFAULT

offset

0x03fdbc40

size

0x00000322

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb0d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb0d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb0d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb0d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb0d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb0d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb0d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb0d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb0d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb0d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb0d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb0d8

size

0x00000468

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x03fdeaf0

size

0x0000014c

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x03fdeaf0

size

0x0000014c

name

RT_ACCELERATOR

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x03fdbf68

size

0x00000008

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb540

size

0x00000076

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x03fdb540

size

0x00000076

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00031e00', u'virtual_address': u'0x00001000', u'entropy': 7.75947099236568, u'name': u'.text', u'virtual_size': u'0x00031c2f'}

entropy

7.75947099237

description

A section with a high entropy has been found

entropy

0.551867219917

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
FireEye	Generic.mg.be23958ce4cb7c99
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0056689f1 )
Alibaba	Ransom:Win32/GandCrab.a0e44334
K7GW	Trojan ( 0056689f1 )
Cybereason	malicious.59f733
Symantec	Packed.Generic.525
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Paloalto	generic.ml
McAfee-GW-Edition	BehavesLike.Win32.Trojan.fm
Sophos	ML/PE-A
Microsoft	Trojan:Win32/Azorult!ml
AegisLab	Hacktool.Win32.Shellcode.3!c
Cynet	Malicious (score: 100)
Acronis	suspicious
McAfee	Artemis!BE23958CE4CB
VBA32	Malware-Cryptor.InstallCore.6
Rising	Trojan.Generic@ML.90 (RDML:Hu1vla9jAkdvhrZxOICDag)
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Kryptik.HLOG!tr
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	HEUR/QVM10.1.47DB.Malware.Gen

file2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All