Summary | ZeroBOX

dohcrypted.exe

Tags: Generic Malware, Malicious Packer, UPX, PE32, PE File
Category FILE
Machine s1_win7_x6402
Started Sept. 8, 2021, 10:04 a.m.
Completed Sept. 8, 2021, 10:13 a.m.
Size 1.5MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6d3632abf3c43b6da3bcef47d3343da1
SHA256 b92e82e83c4f3ea90cd3c64b3276265aee5bfc9acdca956f6df4811b252bb978
CRC32 198F6BA6
ssdeep 24576:ccCT67wHqWis4l+jIACFr5hqjiLDpSJDN93pqb6W8cU4gLQIA:xCpn8t74iA3qb6W8cU43
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • Malicious_Packer_Zero - Malicious Packer

Domains (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP Addresses (IP Address / Status / Action)
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f92000
process_handle: 0xffffffff
Status 1  Return 0  Repeated 0

NtAllocateVirtualMemory

process_identifier: 200
region_size: 86016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status 1  Return 0  Repeated 0

NtAllocateVirtualMemory

process_identifier: 200
region_size: 67108864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03950000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status 1  Return 0  Repeated 0

Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10932887552
free_bytes_available: 10932887552
root_path: C:\
total_number_of_bytes: 34252779520
Status 1  Return 1  Repeated 0

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x005d0000
process_handle: 0xffffffff
Status 1  Return 0  Repeated 0

Section .rsrc
size_of_data 0x0000b000
virtual_address 0x0017b000
virtual_size 0x0000a658
entropy 7.688907955928621
Description: A section with a high entropy has been found
Antivirus Detection

Bkav W32.AIDetect.malware1
Lionic Trojan.Win32.VBKrypt.tqRV
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
FireEye Generic.mg.6d3632abf3c43b6d
ALYac Trojan.Agent.DXTX
Cylance Unsafe
Zillya Trojan.VBKrypt.Win32.302131
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
K7GW Trojan ( 00502b1a1 )
K7AntiVirus Trojan ( 00502b1a1 )
Arcabit Trojan.Agent.DXTX
Cyren W32/Injector.YKAB-2853
Symantec W32.Tapin
ESET-NOD32 Win32/AutoRun.Delf.LV
APEX Malicious
Paloalto generic.ml
ClamAV Win.Trojan.VBGeneric-6989114-0
Kaspersky Trojan.Win32.VBKrypt.xupa
BitDefender Trojan.Agent.DXTX
NANO-Antivirus Trojan.Win32.VBKrypt.ewdbrj
SUPERAntiSpyware Trojan.Agent/Gen-PonyStealer
MicroWorld-eScan Trojan.Agent.DXTX
Avast Win32:TrojanX-gen [Trj]
Tencent Malware.Win32.Gencirc.10b09472
Ad-Aware Trojan.Agent.DXTX
Emsisoft Trojan.Agent (A)
Comodo TrojWare.Win32.Fareit.RGY@7qlz41
DrWeb Trojan.Siggen6.55368
TrendMicro TSPY_HPFAREIT.SME
McAfee-GW-Edition BehavesLike.Win32.DistTrack.tm
Sophos ML/PE-A + Mal/FareitVB-I
Ikarus Worm.Win32.AutoRun
Jiangmin Trojan.VBKrypt.cgtc
Avira HEUR/AGEN.1126331
Antiy-AVL Trojan/Generic.ASMalwS.23994B5
Gridinsoft Trojan.Win32.Kryptik.ka!n
Microsoft VirTool:Win32/VBInject.YA!MTB
ViRobot Trojan.Win32.Agent.1576960.B
ZoneAlarm Trojan.Win32.VBKrypt.xupa
GData Trojan.Agent.DXTX
TACHYON Trojan/W32.VB-VBKrypt.1576960.B
AhnLab-V3 Win-Trojan/VBKrypt.RP.X1764
Acronis suspicious
McAfee DistTrack!6D3632ABF3C4
MAX malware (ai score=82)
VBA32 Trojan.VBKrypt
Malwarebytes Qbot.Backdoor.Stealer.DDS
Zoner Trojan.Win32.82457