Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 30, 2021, 10:23 a.m.	July 30, 2021, 10:27 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0f9f7906389dee17c4606dd2cad2d214`
SHA256	`97e08f5f3864085eec56de1fc9663eb42761be09df31592034760a3a243ced28`
CRC32	`464742C7`
ssdeep	`24576:oL7Kps0PJFtwxJp4u3r/KXfrxE7ZWR2Rp3FoiBqNZsH:2eRwZV7/KO7YXi`
PDB Path	C:\supevikawi.pdb
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

ksvchost.exe "C:\Users\test22\AppData\Local\Temp\ksvchost.exe"
2972

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\supevikawi.pdb

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 30, 2021, 10:23 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 962560 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03550000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 30, 2021, 10:23 a.m.	process_identifier: 2972 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (2 events)

name

RT_ICON

language

LANG_PORTUGUESE

filetype

dBase III DBT, version number 0, next free block index 40

sublanguage

SUBLANG_PORTUGUESE

offset

0x02f0f340

size

0x000025a8

name

RT_GROUP_ICON

language

LANG_PORTUGUESE

filetype

data

sublanguage

SUBLANG_PORTUGUESE

offset

0x02f118e8

size

0x00000014

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000ebe00', u'virtual_address': u'0x0002b000', u'entropy': 7.996028549794074, u'name': u'.data', u'virtual_size': u'0x02ee2908'}

entropy

7.99602854979

description

A section with a high entropy has been found

entropy

0.779108175062

description

Overall entropy of this PE file is high

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.97701f
BitDefenderTheta	Gen:NN.ZexaF.34050.lzW@aGTQzWlG
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	FileRepMetagen [Malware]
Sophos	ML/PE-A
McAfee-GW-Edition	BehavesLike.Win32.Lockbit.tc
FireEye	Generic.mg.0f9f7906389dee17
APEX	Malicious
eGambit	Unsafe.AI_Score_91%
Microsoft	Trojan:Win32/Azorult.RT!MTB
Cynet	Malicious (score: 100)
Acronis	suspicious
McAfee	Artemis!0F9F7906389D
Ikarus	Trojan.Win32.Crypt
Rising	Trojan.Kryptik!1.C6FC (CLASSIC)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/GenKryptik.FIDC!tr
AVG	FileRepMetagen [Malware]
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	HEUR/QVM10.1.EAFB.Malware.Gen

ksvchost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All