Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe
11.15 01:11
msf.exe
11.15 01:11
lum250.exe
11.15 01:11
msf443.exe
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe

Latest News
11.17 07:11
IT Sicherheitsnews stü...
11.17 06:11
World’s First Virtual ...
11.17 06:11
IT Sicherheitsnews stü...
11.17 06:11
KI und Coding: Wie Kün...
11.17 06:11
Bye-bye, Windows 10: E...
11.17 03:11
[일본 애니메이션]世界最高の暗殺者、異世界...
11.17 03:11
Playing Chess Against ...
11.17 03:11
IT Sicherheitsnews tae...
11.17 03:11
IT Sicherheitsnews tae...
11.17 01:11
IT Sicherheitsnews tae...

Summary | ZeroBOX

InterviewScheduler.exe

Generic Malware Malicious Library UPX Malicious Packer PE64 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 10, 2021, 9:12 a.m.	Sept. 10, 2021, 9:14 a.m.

Size	5.4MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`ee8c3bbddd0f11aed64ca4d3ae167da8`
SHA256	`f252243ed9e0e86aaf137f82cc23c917f46281a351ea24e1aaaf707a3d9bf044`
CRC32	`5561FA6A`
ssdeep	`98304:vIdNFT0Yzjn1rguP3a/as75drcskdGfJS50Y1Qa:veNFT08n1G/9ATWa`
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library

InterviewScheduler.exe "C:\Users\test22\AppData\Local\Temp\InterviewScheduler.exe"
2648

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.symtab

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 10, 2021, 9:12 a.m.	stacktrace: exception.instruction_r: 66 83 38 00 66 0f 1f 44 00 00 0f 84 95 00 00 00 exception.symbol: interviewscheduler+0xc92d6 exception.instruction: cmp word ptr [rax], 0 exception.module: InterviewScheduler.exe exception.exception_code: 0xc0000005 exception.offset: 824022 exception.address: 0x4c92d6 registers.r14: 15 registers.r15: 170 registers.rcx: 824633868288 registers.rsi: 824634737312 registers.r10: 24 registers.rbx: 824634777872 registers.rsp: 824634530992 registers.r11: 824634777872 registers.r8: 824634442448 registers.r9: 1 registers.rdx: 0 registers.r12: 26 registers.rbp: 824634531064 registers.rdi: 824634777960 registers.rax: 30962615731618105 registers.r13: 6	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (9 events)

section

{u'size_of_data': u'0x002d9800', u'virtual_address': u'0x001a1000', u'entropy': 7.965791776791691, u'name': u'.data', u'virtual_size': u'0x0030fb48'}

entropy

7.96579177679

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00022200', u'virtual_address': u'0x004b2000', u'entropy': 7.995619499927318, u'name': u'/19', u'virtual_size': u'0x000220dc'}

entropy

7.99561949993

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00007800', u'virtual_address': u'0x004d5000', u'entropy': 7.910444395155159, u'name': u'/32', u'virtual_size': u'0x00007669'}

entropy

7.91044439516

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00003000', u'virtual_address': u'0x004dd000', u'entropy': 7.950640434585726, u'name': u'/46', u'virtual_size': u'0x00002f7e'}

entropy

7.95064043459

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00004200', u'virtual_address': u'0x004e0000', u'entropy': 7.977230707708695, u'name': u'/63', u'virtual_size': u'0x000041a0'}

entropy

7.97723070771

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00055800', u'virtual_address': u'0x004e6000', u'entropy': 7.9975291067348815, u'name': u'/99', u'virtual_size': u'0x00055732'}

entropy

7.99752910673

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0001cc00', u'virtual_address': u'0x0053c000', u'entropy': 7.99245220688176, u'name': u'/112', u'virtual_size': u'0x0001cb4b'}

entropy

7.99245220688

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0000ac00', u'virtual_address': u'0x00559000', u'entropy': 7.802051411995798, u'name': u'/124', u'virtual_size': u'0x0000ab23'}

entropy

7.802051412

description

A section with a high entropy has been found

entropy

0.65876561218

description

Overall entropy of this PE file is high

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Malwarebytes	Malware.AI.2184627151
APEX	Malicious
Kaspersky	UDS:Backdoor.Win32.Cobalt
Avast	Win32:Agent-BCVC [Trj]
McAfee-GW-Edition	BehavesLike.Win64.VirRansom.tc
SentinelOne	Static AI - Suspicious PE
Jiangmin	Trojan.Shelma.geq
Microsoft	VirTool:Win32/Wovdnut.gen!B
McAfee	Artemis!EE8C3BBDDD0F
AVG	Win32:Agent-BCVC [Trj]

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Sept. 10, 2021, 9:12 a.m.	ordinal: 0 function_address: 0x000007feff017a50 function_name: wine_get_version module: ntdll module_address: 0x00000000771c0000		-1073741511	0