Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 9, 2021, 9:26 a.m.	Aug. 9, 2021, 9:45 a.m.

Size	555.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b9d0201d96bf236e37d58605857b6879`
SHA256	`a916a084fce6071fb264808dccdf11e97ab1eb67b804634e2d98411aef86dcad`
CRC32	`0055C0F7`
ssdeep	`12288:3DWzZctGgmU79XFj/Zr1oF9UhkSYOpxHB7ZkyfRmQKys1RIY:aWUgmIRBx7xHB7ZRf2ysIY`
PDB Path	C:\cufelu\de.pdb
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

file.exe "C:\Users\test22\AppData\Local\Temp\file.exe"
2648

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\cufelu\de.pdb

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 425984 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0027c000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 9, 2021, 9:26 a.m.	process_identifier: 2648 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (25 events)

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_ICON

language

LANG_SERBIAN

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x028c07d8

size

0x00000468

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x028c1200

size

0x0000014a

name

RT_STRING

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x028c1200

size

0x0000014a

name

RT_ACCELERATOR

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x028c0cf0

size

0x00000028

name

RT_ACCELERATOR

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x028c0cf0

size

0x00000028

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x028b6da0

size

0x0000005a

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x028b6da0

size

0x0000005a

name

RT_GROUP_ICON

language

LANG_SERBIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x028b6da0

size

0x0000005a

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00071e00', u'virtual_address': u'0x00001000', u'entropy': 7.971441631358259, u'name': u'.text', u'virtual_size': u'0x00071d01'}

entropy

7.97144163136

description

A section with a high entropy has been found

entropy

0.821460775473

description

Overall entropy of this PE file is high

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Multi.Generic.4!c
Elastic	malicious (high confidence)
McAfee	Artemis!B9D0201D96BF
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/Kryptik.c2c6268e
K7GW	Trojan ( 005690671 )
K7AntiVirus	Trojan ( 005690671 )
Symantec	Packed.Generic.525
ESET-NOD32	a variant of Win32/Kryptik.HLZM
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	Win32:MalwareX-gen [Trj]
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.Emotet.hc
FireEye	Generic.mg.b9d0201d96bf236e
Emsisoft	Trojan.Crypt (A)
Ikarus	Trojan-Banker.UrSnif
GData	Win32.Trojan-Spy.CryptBot.QZAZ86
Microsoft	Trojan:Win32/Caynamer.A!ml
Cynet	Malicious (score: 100)
Acronis	suspicious
Malwarebytes	Trojan.MalPack.GS
Rising	Trojan.Kryptik!1.D82C (CLASSIC)
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Kryptik.HLZM!tr
BitDefenderTheta	Gen:NN.ZexaF.34058.Iq0@amPg5FfG
AVG	Win32:MalwareX-gen [Trj]
Panda	Trj/Genetic.gen
Qihoo-360	Win32/Heur.Generic.HwoCFhsA

file.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All