Summary | ZeroBOX

file.exe

Malicious Library OS Processor Check PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6402 Aug. 28, 2021, 5:44 p.m. Aug. 28, 2021, 5:50 p.m.
Size 729.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3c112a39d8866d896f68adfa3b78a16a
SHA256 da0422f752076d4897a5616ff4ccde0e1088e3048074a869b8fe4da691eed621
CRC32 7897B23A
ssdeep 12288:aDvBLv2FqZlrfp0gftgk47/jWCsCQPJPo0xnfTSsEUDEPO4I6eil+uQvSwMjcM8N:A5rOuwgftgk2yCsCcnusEUIPO40o3y
PDB Path C:\bunanes\zoxoloc nozalu.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

pdb_path C:\bunanes\zoxoloc nozalu.pdb
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 540672
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00300000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 560
region_size: 962560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02420000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
name RT_ICON language LANG_KYRGYZ filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x0201f188 size 0x00000468
name RT_ICON language LANG_KYRGYZ filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x0201f188 size 0x00000468
name RT_ICON language LANG_KYRGYZ filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x0201f188 size 0x00000468
name RT_ICON language LANG_KYRGYZ filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x0201f188 size 0x00000468
name RT_ICON language LANG_KYRGYZ filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x0201f188 size 0x00000468
name RT_ICON language LANG_KYRGYZ filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x0201f188 size 0x00000468
name RT_GROUP_ICON language LANG_KYRGYZ filetype data sublanguage SUBLANG_DEFAULT offset 0x0201f5f0 size 0x0000005a
section {u'size_of_data': u'0x00085400', u'virtual_address': u'0x0002f000', u'entropy': 7.987372936767728, u'name': u'.data', u'virtual_size': u'0x01fece28'} entropy 7.98737293677 description A section with a high entropy has been found
entropy 0.731640356898 description Overall entropy of this PE file is high
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
FireEye Generic.mg.3c112a39d8866d89
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (D)
BitDefenderTheta Gen:NN.ZexaF.34110.TqW@ayOFF8oG
Cyren W32/Kryptik.EYC.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
Rising Malware.Obscure/Heur!1.A89F (CLASSIC)
McAfee-GW-Edition BehavesLike.Win32.Packed.bc
Sophos ML/PE-A
SentinelOne Static AI - Malicious PE
Microsoft Trojan:Win32/Sabsik.FL.A!ml
Cynet Malicious (score: 100)
Acronis suspicious
McAfee Packed-GDT!3C112A39D886
eGambit Unsafe.AI_Score_95%
Fortinet W32/Kryptik.HMFH!tr
MaxSecure Trojan.Malware.300983.susgen