Summary | ZeroBOX

vbc.exe

Schwerer UPX PE32 PE File
Category FILE
Machine s1_win7_x6401
Started Aug. 30, 2021, 10:06 a.m.
Completed Aug. 30, 2021, 10:07 a.m.
Size 554.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 73db2b58503ec0b2b56c4f9fdff3fe40
SHA256 b143f984cc0745b1529e2253761eaff547509e7fa44d20c220d44d176a7952e7
CRC32 28BC2B4B
ssdeep 12288:5Xe9PPlowWX0t6mOQwg1Qd15CcYk0We1NPcOo+shpo7+:ghloDX0XOf4XPe+sk7+
Yara
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • Schwerer_IN - Schwerer

Name Response Post-Analysis Lookup
a.uguu.se 144.76.201.136
IP Address Status Action
144.76.201.136 Active Moloch
164.124.101.2 Active Moloch

Time & API Arguments Status Return Repeated

IsDebuggerPresent
  (no arguments)
  Status/Return/Repeated: 0 0

GlobalMemoryStatusEx
  (no arguments)
  Status/Return/Repeated: 1 1 0

NtProtectVirtualMemory
  process_identifier: 2220
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x72a62000
  process_handle: 0xffffffff
  Status/Return/Repeated: 1 0 0

NtAllocateVirtualMemory
  process_identifier: 2220
  region_size: 4096
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x03790000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0xffffffff
  Status/Return/Repeated: 1 0 0

section UPX1 (size_of_data 0x00054400, virtual_address 0x000b9000, virtual_size 0x00055000, entropy 7.9359027984096) description A section with a high entropy has been found
entropy 0.608852755194 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX

Vendor Detection
Lionic Trojan.Win32.Zenlod.a!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.46876380
ALYac Trojan.GenericKD.46876380
Malwarebytes Trojan.MalPack.ai
Sangfor Trojan.Win32.Zenlod.lcz
CrowdStrike win/malicious_confidence_60% (W)
Alibaba TrojanDownloader:Win32/Zenlod.23fc2978
K7GW Trojan-Downloader ( 005817c31 )
K7AntiVirus Trojan-Downloader ( 005817c31 )
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win32/TrojanDownloader.Autoit.PEK
APEX Malicious
Kaspersky Trojan-Downloader.Win32.Zenlod.lcz
BitDefender Trojan.GenericKD.46876380
Avast Win32:Trojan-gen
Tencent Win32.Trojan.Heur.Aish
Ad-Aware Trojan.GenericKD.46876380
Emsisoft Trojan.GenericKD.46876380 (B)
Comodo Malware@#1mjovkkxsi8gn
F-Secure Trojan.TR/Dldr.Autoit.kiixf
McAfee-GW-Edition BehavesLike.Win32.TrojanAitInject.hc
FireEye Trojan.GenericKD.46876380
Sophos Mal/Generic-S
Ikarus Trojan-Downloader.Win32.AutoIt
GData Trojan.GenericKD.46876380
Avira TR/Dldr.Autoit.kiixf
Kingsoft Win32.TrojDownloader.Zenlod.l.(kcloud)
Gridinsoft Trojan.Win32.Downloader.oa
Arcabit Trojan.Generic.D2CB46DC
ZoneAlarm Trojan-Downloader.Win32.Zenlod.lcz
Microsoft Trojan:Win32/AutoitInject.MRR!MTB
Cynet Malicious (score: 100)
McAfee Artemis!73DB2B58503E
MAX malware (ai score=100)
Cylance Unsafe
eGambit Unsafe.AI_Score_99%
Fortinet W32/Autoit.PEK!tr
AVG Win32:Trojan-gen
Panda Trj/CI.A