Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 13, 2021, 10:13 a.m.	July 13, 2021, 10:16 a.m.

Size	86.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`a905e8ec7c21e72ecec790fab54a114a`
SHA256	`b43d29ddd83f6ff9f8002718999d77247fe48d6c4709d3a8b1890d14550ef917`
CRC32	`45F4E16B`
ssdeep	`1536:h0tykrLFscBCtJNlDD6Vtj5qKb8HOpwlSyzCP+azl9lzDbFS5jIfcn0ELuygMzU:h0tXfKcBeJTwtgKbg/zCPJlzbc5xdgMQ`
Yara	Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature

backdoor.exe "C:\Users\test22\AppData\Local\Temp\backdoor.exe"
2232

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
1.117.165.236	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 13, 2021, 10:13 a.m.		1	1	0

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0005205c

size

0x00000240

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00014a00', u'virtual_address': u'0x0003d000', u'entropy': 7.913084492047098, u'name': u'UPX1', u'virtual_size': u'0x00015000'}

entropy

7.91308449205

description

A section with a high entropy has been found

entropy

0.982142857143

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

1.117.165.236

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
FireEye	Generic.mg.a905e8ec7c21e72e
CAT-QuickHeal	Risktool.Flystudio.17515
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:Win32/BlackMoon.c8156b36
Cybereason	malicious.674b0e
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Tiny.NQG
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Dropper.Tiggre-9845940-0
Kaspersky	UDS:Trojan-Downloader.Win32.Agentb.a
Avast	Win32:Trojan-gen
Sophos	Generic ML PUA (PUA)
McAfee-GW-Edition	Artemis!Trojan
Ikarus	AdWare.Win32.BlackMoon
GData	Win32.Application.PUPStudio.A
Avira	HEUR/AGEN.1140931
eGambit	Unsafe.AI_Score_99%
Kingsoft	Win32.Heur.KVM099.a.(kcloud)
Microsoft	Trojan:Win32/Caynamer.A!ml
Cynet	Malicious (score: 100)
Acronis	suspicious
McAfee	Artemis!A905E8EC7C21
VBA32	BScope.Trojan.Wacatac
Malwarebytes	PUP.Optional.ChinAd
SentinelOne	Static AI - Malicious PE
MaxSecure	Dropper.Dinwod.frindll
Fortinet	W32/CoinMiner.ESFJ!tr
BitDefenderTheta	Gen:NN.ZexaF.34790.fmLfaKFYKOeb
AVG	Win32:Trojan-gen
CrowdStrike	win/malicious_confidence_70% (W)

backdoor.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All