Summary | ZeroBOX

proxy-IRXC-setup.exe

PE32 PE File

Category:  FILE
Machine:   s1_win7_x6402
Started:   July 4, 2021, 6:15 p.m.
Completed: July 4, 2021, 6:21 p.m.

Size:      4.4MB
Type:      PE32 executable (GUI) Intel 80386, for MS Windows
MD5:       757cf5b6eced6132860dd0f2df643d7f
SHA256:    c63898e15dce4c7a917e1b2fe13e4590babb5224d700e94d9fa17fc5727484bf
CRC32:     FA9CFCA9
ssdeep:    98304:Ez81pTgjH1QXkfW3LAlYvE78tqeeniZxB:Ez+pTgjH1CkfW3sMqeeniv
PDB Path:  C:\nafuzuvani\volirej.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

DNS (Name / Response / Post-Analysis Lookup)
No hosts contacted (no DNS lookups recorded).

Hosts (IP Address / Status / Action)
164.124.101.2   Active   Moloch
172.217.25.14   Active   Moloch

Suricata Alerts

Flow                                           Proto   SID       Signature                                               Category
185.215.113.81:28578 -> 192.168.56.102:49808   TCP     2400025   ET DROP Spamhaus DROP Listed Traffic Inbound group 26   Misc Attack

Note: the guest-side port (49808) is in the ephemeral range, so this "inbound" flow is most likely the reply leg of a connection the sample itself opened to 185.215.113.81:28578, an address that does not appear in the hosts table above.

Suricata TLS

No Suricata TLS

Signature details
pdb_path: C:\nafuzuvani\volirej.pdb
resource names: AFX_DIALOG_LAYOUT, DAXEGAJOBAREHOKEZOPUKE, NEVOM
Behavior: API calls (columns Time & API / Arguments / Status / Return / Repeated; the bare "1 0 0" row under each call is Status, Return, Repeated). Both calls below request PAGE_EXECUTE_READWRITE on multi-megabyte regions in the sample's own process (process_handle 0xffffffff is the current-process pseudo-handle), which is consistent with an in-place unpacking stub rather than ordinary application code.

NtProtectVirtualMemory

process_identifier: 7768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4440064
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c90000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 7768
region_size: 9592832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x030d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
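The two calls above are the kind of trace a triage script should pick out automatically: a large region made RWX in the sample's own process, once by re-protecting existing memory and once by committing a fresh block. The following added example (not part of the ZeroBOX report) parses calls written in the report's "key: value" layout and flags RWX requests; SAMPLE_TRACE reproduces the two calls from the report plus a constructed benign PAGE_READWRITE allocation as a control, and the 1 MiB "large region" threshold is an assumption chosen for illustration.

```python
"""Behavioural triage over a ZeroBOX/Cuckoo-style API trace: flag memory that is
made PAGE_EXECUTE_READWRITE, the footprint of a self-unpacking stub (allocate or
re-protect a large region RWX, decrypt into it, jump into it).
Added example, not code from the report; the third call in SAMPLE_TRACE is a
constructed benign control."""
import re

PAGE_EXECUTE_READWRITE = 0x40
NT_CURRENT_PROCESS = 0xFFFFFFFF   # pseudo-handle (HANDLE)-1 for the calling process
LARGE_REGION = 1 << 20            # 1 MiB; threshold is an assumption for this example

SAMPLE_TRACE = """\
NtProtectVirtualMemory
process_identifier: 7768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4440064
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c90000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory
process_identifier: 7768
region_size: 9592832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x030d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory
process_identifier: 7768
region_size: 65536
protection: 4 (PAGE_READWRITE)
base_address: 0x00400000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
"""


def _int(value: str) -> int:
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x02c90000' -> 0x2c90000."""
    return int(value.split()[0], 0)


def parse_trace(text: str):
    """Split the trace into calls: the first line of a block is the API name,
    'key: value' lines are arguments, and a trailing 'status return repeated'
    row of three integers closes the call."""
    calls = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        call = {"api": lines[0], "args": {}, "status": None, "return": None, "repeated": None}
        for ln in lines[1:]:
            if ":" in ln:
                key, val = ln.split(":", 1)
                call["args"][key.strip()] = val.strip()
            else:
                parts = ln.split()
                if len(parts) == 3 and all(p.isdigit() for p in parts):
                    call["status"], call["return"], call["repeated"] = (int(p) for p in parts)
        calls.append(call)
    return calls


def flag_rwx(calls, large_region=LARGE_REGION):
    """Return one finding per call that asks for RWX memory, with the reasons it
    stands out: region size, the sandbox's heap DEP-bypass flag, and whether
    the target is another process (an injection candidate)."""
    findings = []
    for call in calls:
        a = call["args"]
        if _int(a.get("protection", "0")) != PAGE_EXECUTE_READWRITE:
            continue
        # NtProtectVirtualMemory reports 'length', NtAllocateVirtualMemory 'region_size'
        size = _int(a.get("length") or a.get("region_size") or "0")
        reasons = ["RWX protection requested"]
        if size >= large_region:
            reasons.append(f"large region: {size} bytes")
        if a.get("heap_dep_bypass") == "1":
            reasons.append("sandbox flagged heap DEP bypass")
        if _int(a.get("process_handle", "0")) != NT_CURRENT_PROCESS:
            reasons.append("target is another process (injection candidate)")
        findings.append({"api": call["api"], "base": a.get("base_address"),
                         "size": size, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_rwx(parse_trace(SAMPLE_TRACE)):
        print(f"{f['api']} @ {f['base']} ({f['size']} bytes): " + "; ".join(f["reasons"]))
```

Run against the constructed trace, the script reports the 4,440,064-byte re-protection (with the heap DEP-bypass mark) and the 9,592,832-byte RWX commit, and stays silent on the 64 KiB PAGE_READWRITE control.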
Resources (Name / Language / Sublanguage / Filetype / Offset / Size)
DAXEGAJOBAREHOKEZOPUKE        LANG_SERBIAN  SUBLANG_DEFAULT  ASCII text, with very long lines, with no line terminators  0x006069f0  0x00000685
NEVOM                         LANG_SERBIAN  SUBLANG_DEFAULT  ASCII text, with very long lines, with no line terminators  0x00607078  0x000008bd
RT_ICON (4 identical entries) LANG_SERBIAN  SUBLANG_DEFAULT  GLS_BINARY_LSB_FIRST                                        0x00606548  0x00000468
RT_STRING                     LANG_SERBIAN  SUBLANG_DEFAULT  data                                                        0x00607b68  0x00000240
RT_ACCELERATOR (2 identical)  LANG_SERBIAN  SUBLANG_DEFAULT  data                                                        0x00607960  0x00000010
RT_GROUP_ICON                 LANG_SERBIAN  SUBLANG_DEFAULT  data                                                        0x006069b0  0x0000003e
Section entropy: .text  virtual_address 0x00001000  virtual_size 0x0044b766  size_of_data 0x0044b800  entropy 7.9989  (A section with a high entropy has been found)
Overall entropy: 0.9789  (Overall entropy of this PE file is high). This figure is a ratio in 0..1, not bits per byte: it is the share of section data that lies in high-entropy sections. With 0x0044b800 bytes of near-random .text in a 4.4MB file, the encrypted or compressed region accounts for almost the whole image, which is what a packed payload looks like before the RWX unpacking seen in the API trace.
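The two entropy marks above are cheap to reproduce on any PE once you have the raw section bytes. The following added example (not part of the ZeroBOX report) computes per-section Shannon entropy and the overall high-entropy ratio; the 6.8 bits/byte section threshold and the 0.2 overall threshold are, to the best of my knowledge, the values Cuckoo's packer_entropy signature uses and are treated here as assumptions. The sections it runs on are constructed stand-ins (a seeded-PRNG blob, a few plain strings, zeros), not bytes from the sample.

```python
"""Static packer/crypter heuristic: per-section Shannon entropy plus the share of
section bytes sitting in high-entropy sections, mirroring the two marks the
sandbox report raises (7.9989 on .text, 0.9789 overall).
Added example; thresholds assumed to match Cuckoo's packer_entropy signature."""
import math
import random
from collections import Counter

SECTION_THRESHOLD = 6.8   # bits/byte above which a section counts as high entropy (assumed)
OVERALL_THRESHOLD = 0.2   # fraction of section bytes in high-entropy sections (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_entropy_marks(sections, section_threshold=SECTION_THRESHOLD,
                     overall_threshold=OVERALL_THRESHOLD):
    """sections: iterable of (name, raw_section_bytes).
    Returns (per_section, overall_ratio, marks): per_section is a list of
    (name, size, entropy, flagged); overall_ratio is high-entropy bytes / all
    section bytes; marks are the human-readable findings a report would show."""
    per_section, marks = [], []
    total = high = 0
    for name, raw in sections:
        e = shannon_entropy(raw)
        flagged = e > section_threshold
        per_section.append((name, len(raw), round(e, 4), flagged))
        total += len(raw)
        if flagged:
            high += len(raw)
            marks.append(f"section {name}: entropy {e:.4f} > {section_threshold}")
    overall = high / total if total else 0.0
    if overall > overall_threshold:
        marks.append(f"overall: {overall:.4f} of section bytes are high-entropy")
    return per_section, overall, marks


def constructed_sections():
    """Constructed stand-in for a packed PE: an opaque .text blob from a seeded
    PRNG (not real malware), a small .rdata of plain strings, a zero-filled .rsrc."""
    rng = random.Random(0xC0FFEE)
    text = bytes(rng.getrandbits(8) for _ in range(64 * 1024))
    rdata = (b"This program cannot be run in DOS mode.\r\n" * 100)[:4096]
    rsrc = bytes(8192)
    return [(".text", text), (".rdata", rdata), (".rsrc", rsrc)]


if __name__ == "__main__":
    per_section, overall, marks = pe_entropy_marks(constructed_sections())
    for name, size, e, flagged in per_section:
        print(f"{name:8s} {size:8d} bytes  entropy {e:.4f} {'HIGH' if flagged else ''}")
    print(f"overall high-entropy ratio: {overall:.4f}")
    for m in marks:
        print("mark:", m)
```

For a real file, feed `pe_entropy_marks` the `(section.Name, section.get_data())` pairs from a PE parser such as pefile; the constructed .text here lands near 8.0 bits/byte and dominates the total, so both marks fire, while the strings section stays well under 5 bits/byte and the zero-filled resource section scores exactly 0.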
host 172.217.25.14
Antivirus results (Vendor / Detection)
Elastic malicious (high confidence)
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Cybereason malicious.30c1d4
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast FileRepMalware
Cynet Malicious (score: 100)
Kaspersky UDS:DangerousObject.Multi.Generic
McAfee-GW-Edition BehavesLike.Win32.Lockbit.rc
FireEye Generic.mg.757cf5b6eced6132
SentinelOne Static AI - Malicious PE
Avira TR/Crypt.ZPACK.Gen
Microsoft Trojan:Win32/Wacatac.B!ml
VBA32 Malware-Cryptor.InstallCore.6
Malwarebytes Trojan.MalPack.GS
Rising Trojan.Generic@ML.86 (RDML:Kfu2qUtd+anqAUsFD6elqg)
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/GenKryptik.ERHN!tr
AVG FileRepMalware
CrowdStrike win/malicious_confidence_80% (D)