Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x3201	July 15, 2021, 11:35 a.m.	July 15, 2021, 11:38 a.m.

Size	174.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`f12aa4983f77ed85b3a618f7656807c2`
SHA256	`5db1d9e50f0e0e0ba0b15920e65a1b9e3b61bcc03d5930870e0b226b600a72e2`
CRC32	`EFFCBE76`
ssdeep	`3072:vuosgt5uZEnV79k7oPmfY44cQM2qGUhm:2orQEnV+oqxQTxU`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description)

NMemo1Setp.exe "C:\Users\Administrator\AppData\Local\Temp\NMemo1Setp.exe"
5200

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 15, 2021, 11:35 a.m.			0	0
IsDebuggerPresent July 15, 2021, 11:35 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 15, 2021, 11:35 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	KJSJVe\x147
section

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x699a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x699a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 77824 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e02000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 15, 2021, 11:35 a.m.	process_identifier: 5200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00012600', u'virtual_address': u'0x00002000', u'entropy': 7.997617494554566, u'name': u'KJSJVe\\x147', u'virtual_size': u'0x0001255c'}

entropy

7.99761749455

description

A section with a high entropy has been found

entropy

0.423631123919

description

Overall entropy of this PE file is high

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen14.6072
MicroWorld-eScan	Trojan.GenericKD.37146058
FireEye	Generic.mg.f12aa4983f77ed85
CAT-QuickHeal	Trojan.MSIL
McAfee	PWS-FCSR!F12AA4983F77
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Trojan.MSIL.GenKryptik.EWGN
K7AntiVirus	Trojan ( 005733031 )
Alibaba	Trojan:MSIL/GenKryptik.e593a834
K7GW	Trojan ( 005733031 )
Cybereason	malicious.21d590
BitDefenderTheta	Gen:NN.ZemsilF.34796.ku0@aO1u9qn
Cyren	W32/Trojan.KFEJ-4454
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.EWGN
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Clipbanker-9875164-0
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
BitDefender	Trojan.GenericKD.37146058
NANO-Antivirus	Trojan.Win32.Crypt.iwxjws
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Trojan.GenericKD.37146058
Sophos	Mal/Generic-S
Comodo	Malware@#2xosua0q0b3ex
Zillya	Trojan.GenKryptik.Win32.97534
TrendMicro	TROJ_GEN.R06EC0PFR21
McAfee-GW-Edition	BehavesLike.Win32.Generic.cm
Emsisoft	Trojan.Agent (A)
Ikarus	Trojan.Agent
Jiangmin	Trojan/PSW.MSIL.btl
Webroot	W32.Trojan.Gen
Avira	TR/Kryptik.vkqli
Antiy-AVL	Trojan/Generic.ASMalwS.334C313
Kingsoft	Win32.Heur.KVMH008.a.(kcloud)
Microsoft	Ransom:Win32/Ergop
Gridinsoft	Trojan.Win32.Agent.ns
ViRobot	Trojan.Win32.Z.Highconfidence.178688.B
GData	Trojan.GenericKD.37146058
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.R428560
VBA32	CIL.HeapOverride.Heur
ALYac	Trojan.GenericKD.37146058
MAX	malware (ai score=87)
Malwarebytes	Spyware.PasswordStealer
TrendMicro-HouseCall	TROJ_GEN.R06EC0PFR21
Yandex	Trojan.Crypt!JgXbcCpuZUE
SentinelOne	Static AI - Malicious PE

NMemo1Setp.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All