Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 23, 2021, 6:49 p.m.	Sept. 23, 2021, 6:51 p.m.

Size	5.7MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`61d5e32562d1c70daf0a3112f7888258`
SHA256	`da012f669961c3631b10dd147f38ca34796c40692e01b51dd206f6a5b755e605`
CRC32	`B67AF353`
ssdeep	`49152:wDK8merb/T/vO90dL3BmAFd4A64nsfJdo5GQ5shfTuU92flI7MhhaftEhamnybrN:wD+3eGLmAQQQQQQQQQQQQQ`
Yara	Malicious_Packer_Zero - Malicious Packer UPX_Zero - UPX packed file IsPE64 - (no description) PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware anti_vm_detect - Possibly employs anti-virtualization techniques Malicious_Library_Zero - Malicious_Library NPKI_Zero - File included NPKI

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

No Suricata Alerts

No Suricata TLS

section

.symtab

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 23, 2021, 6:49 p.m.	process_identifier: 1460 region_size: 2424832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000028690000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 6:49 p.m.	process_identifier: 1460 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000028860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 6:49 p.m.	process_identifier: 1460 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000028690000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 23, 2021, 6:49 p.m.	process_identifier: 1460 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000286b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Sept. 23, 2021, 6:49 p.m.	ordinal: 0 function_address: 0x000007feff1a7a50 function_name: wine_get_version module: ntdll module_address: 0x0000000077900000		-1073741511	0

Lionic	Trojan.Win32.Cobalt.trRF
Elastic	malicious (high confidence)
DrWeb	PowerShell.Inject.56
MicroWorld-eScan	Trojan.GenericKD.37622204
FireEye	Trojan.GenericKD.37622204
ALYac	Trojan.GenericKD.37622204
Cylance	Unsafe
Alibaba	Trojan:Win64/GoCLR.6449f04d
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of WinGo/GoCLR.B
APEX	Malicious
ClamAV	Win.Malware.Bulz-9847817-0
Kaspersky	Trojan-Dropper.MSIL.Agent.seskpm
BitDefender	Trojan.GenericKD.37622204
Avast	Win64:Trojan-gen
Ad-Aware	Trojan.GenericKD.37622204
Comodo	TrojWare.Win32.UMal.ccqsp@0
McAfee-GW-Edition	BehavesLike.Win64.Generic.th
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Jiangmin	Trojan.Generic.gzxxe
eGambit	Unsafe.AI_Score_100%
Avira	TR/Redcap.haptz
Kingsoft	Win32.Troj.Undef.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Gridinsoft	Trojan.Win64.Agent.oa
GData	Trojan.GenericKD.37622204
AhnLab-V3	Trojan/Win.Agent.R442164
McAfee	Artemis!61D5E32562D1
MAX	malware (ai score=81)
Malwarebytes	Malware.AI.4021206680
TrendMicro-HouseCall	TROJ_GEN.R002H0DIM21
Rising	HackTool.GoCLR!1.D71D (CLASSIC)
Ikarus	Trojan.WinGo.Goclr
Fortinet	W64/GoCLR.B!tr
AVG	Win64:Trojan-gen
CrowdStrike	win/malicious_confidence_60% (W)

68yhrfd.exe