Summary | ZeroBOX

clr.exe

Tags: NPKI, Generic Malware, UPX, Malicious Library, Malicious Packer, PE64, PE File
Category: FILE
Machine: s1_win7_x6402
Started: Sept. 7, 2021, 11:54 a.m.
Completed: Sept. 7, 2021, 11:56 a.m.
Size 5.9MB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 be8b9976bbf090bc23facc50a90273d6
SHA256 3f4af8c0a06563d9f4d959d5065c02b83140c0fea19924dbd39984087ace54f8
CRC32 2CA85DBC
ssdeep 49152:dHeOrbrb/TkvO90dL3BmAFd4A64nsfJZgP5MoFom9UwLS3pcOxF7Vooi6gwciPiy:dHJBgSmAQQQQQQQQQQQQQ
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • Malicious_Packer_Zero - Malicious Packer
  • NPKI_Zero - File included NPKI

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
104.192.141.1 Active Moloch
104.21.65.45 Active Moloch
172.67.186.79 Active Moloch
3.232.36.43 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .symtab
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1052
region_size: 1179648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000286c0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 1052
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000028760000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 1052
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000287e0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0

NtAllocateVirtualMemory

process_identifier: 1052
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000288c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
status: 1  return: 0  repeated: 0
host 104.192.141.1
host 104.21.65.45
host 172.67.186.79
host 3.232.36.43
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

ordinal: 0
function_address: 0x000007feff1a7a50
function_name: wine_get_version
module: ntdll
module_address: 0x0000000077900000
return: -1073741511  repeated: 0
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.46931596
FireEye Trojan.GenericKD.46931596
ESET-NOD32 a variant of WinGo/GoCLR.B
ClamAV Win.Malware.Bulz-9847817-0
Kaspersky Trojan-Dropper.Win32.Agent.tetrmn
BitDefender Trojan.GenericKD.46931596
Avast Win64:Trojan-gen
Ad-Aware Trojan.GenericKD.46931596
DrWeb PowerShell.Inject.56
McAfee-GW-Edition BehavesLike.Win64.Drixed.th
Emsisoft Trojan.GenericKD.46931596 (B)
APEX Malicious
Jiangmin Trojan.Generic.gzxxe
Avira TR/Redcap.ezysi
MAX malware (ai score=83)
Microsoft Trojan:Win32/Sabsik.TE.B!ml
ZoneAlarm Trojan-Dropper.Win32.Agent.tetrmn
GData Trojan.GenericKD.46931596
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Agent.C4588779
McAfee Artemis!BE8B9976BBF0
Malwarebytes Malware.AI.4021206680
Ikarus Trojan.WinGo.Goclr
Rising HackTool.GoCLR!1.D71D (CLASSIC)
SentinelOne Static AI - Suspicious PE
AVG Win64:Trojan-gen
CrowdStrike win/malicious_confidence_80% (D)