Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 30, 2021, 10:23 a.m.	July 30, 2021, 10:36 a.m.

Size	688.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`042edfa930d712dd70b6adee1218d3d9`
SHA256	`2b077c09e3e5b9035d53cf73f0afc4455463dcb2289816f15f50f68f6b5f5df7`
CRC32	`79BF551A`
ssdeep	`12288:dnIjvmmWAk6xHgupN9e5pOELFfan1wpbbCdkpzoOlLXwKaBt+8pvRUZem3c:SvDW4zA3VJKKfzrlLkBzpJ4X`
PDB Path	C:\sahubowad.pdb
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

file.exe "C:\Users\test22\AppData\Local\Temp\file.exe"
2216

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\sahubowad.pdb

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 425984 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0336c000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory July 30, 2021, 10:24 a.m.	process_identifier: 2216 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (2 events)

name

RT_ICON

language

LANG_PORTUGUESE

filetype

dBase III DBT, version number 0, next free block index 40

sublanguage

SUBLANG_PORTUGUESE

offset

0x02e8c340

size

0x000025a8

name

RT_GROUP_ICON

language

LANG_PORTUGUESE

filetype

data

sublanguage

SUBLANG_PORTUGUESE

offset

0x02e8e8e8

size

0x00000014

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00068600', u'virtual_address': u'0x0002c000', u'entropy': 7.9825221782441185, u'name': u'.data', u'virtual_size': u'0x02e5ff68'}

entropy

7.98252217824

description

A section with a high entropy has been found

entropy

0.607714701601

description

Overall entropy of this PE file is high

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Racealer.i!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.042edfa930d712dd
McAfee	Artemis!042EDFA930D7
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.24477c
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:Trojan-Spy.Win32.Stealer.gen
McAfee-GW-Edition	BehavesLike.Win32.Downloader.jc
Sophos	ML/PE-A
Ikarus	Trojan.Win32.Crypt
Microsoft	Trojan:Win32/Azorult.RT!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Cynet	Malicious (score: 100)
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34050.RuW@aOCPAwkG
Malwarebytes	Trojan.MalPack.GS
Rising	Trojan.Kryptik!1.C6FC (CLASSIC)
SentinelOne	Static AI - Malicious PE
eGambit	Unsafe.AI_Score_96%
MaxSecure	Trojan.Malware.300983.susgen
CrowdStrike	win/malicious_confidence_100% (D)
Qihoo-360	HEUR/QVM10.1.EA47.Malware.Gen

file.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All