Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 22, 2021, 5:46 p.m.	July 22, 2021, 5:57 p.m.

Size	457.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`47f0522a0cfd75f08b67728220bf438f`
SHA256	`5f961bb251b5cced26c85957ba0c0b2f74a1f7c0a1edd2095c5b8c4bfb344b44`
CRC32	`AE9C1F5B`
ssdeep	`12288:ym3ZPTt9YX2E9cymK7NN6Q4k3cRneuyYoE:ym3ZnYX2/ymK7ck3c1y6`
PDB Path	C:\zibefayato.pdb
Yara	IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library RedLine_Stealer_Zero - RedLine stealer PE_Header_Zero - PE File Signature

ZdBx0XiuWwcXr.exe "C:\Users\test22\AppData\Local\Temp\ZdBx0XiuWwcXr.exe"
1692

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\zibefayato.pdb

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 22, 2021, 5:46 p.m.	process_identifier: 1692 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 331776 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fbc000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 22, 2021, 5:46 p.m.	process_identifier: 1692 region_size: 602112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ee0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (26 events)

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x027b2b30

size

0x00000468

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x027b54d8

size

0x000004aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x027b54d8

size

0x000004aa

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x027b54d8

size

0x000004aa

name

RT_ACCELERATOR

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x027b3030

size

0x00000010

name

RT_ACCELERATOR

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x027b3030

size

0x00000010

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x027b2f98

size

0x00000068

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x027b2f98

size

0x00000068

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x027b2f98

size

0x00000068

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0005b000', u'virtual_address': u'0x00001000', u'entropy': 7.961116471870224, u'name': u'.text', u'virtual_size': u'0x0005aff0'}

entropy

7.96111647187

description

A section with a high entropy has been found

entropy

0.797371303395

description

Overall entropy of this PE file is high

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
McAfee	Trojan-FTUB!47F0522A0CFD
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005690671 )
K7GW	Trojan ( 005690671 )
CrowdStrike	win/malicious_confidence_90% (W)
Cyren	W32/Kryptik.EMQ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Kaspersky	UDS:Exploit.Win32.Shellcode.gen
Avast	FileRepMalware
Emsisoft	Trojan.Crypt (A)
McAfee-GW-Edition	BehavesLike.Win32.Lockbit.gc
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.47f0522a0cfd75f0
Sophos	ML/PE-A + Troj/Krypt-K
APEX	Malicious
Gridinsoft	Trojan.Win32.Packed.lu!heur
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/Azorult!ml
Acronis	suspicious
VBA32	BScope.Trojan.Sabsik.FL
Malwarebytes	MachineLearning/Anomalous.95%
Rising	Trojan.Generic@ML.90 (RDML:jxrCgX8ZYPN8ZeNFkmimuw)
Ikarus	Trojan-Spy.MSIL.Agent
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/GenKryptik.ERHN!tr
AVG	FileRepMalware
Cybereason	malicious.c477c8
Qihoo-360	HEUR/QVM10.1.BEAF.Malware.Gen

ZdBx0XiuWwcXr.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All