Summary | ZeroBOX

UnpackChrome2009.exe

Tags: Malicious Library, PE32, PE File
Category:   FILE
Machine:    s1_win7_x6401
Started:    Sept. 25, 2021, 10:55 a.m.
Completed:  Sept. 25, 2021, 11:04 a.m.
Size:       701.4KB
Type:       PE32 executable (GUI) Intel 80386, for MS Windows
MD5:        9b1764b1cca5f1eb5946e182100681e4
SHA256:     5aa958dc21c0a3d83b4a10f8e709f0d1ae3f63fb66074d97c7224e5c5cb16ada
CRC32:      DAE923F5
ssdeep:     12288:9ZxnhgINwTujDlmcKkUnSqEKXpmyQc2BYkwCRGslkAITxc+2iNhPFd9dP4gXIrDX:9znhg8IGUPFcY2BYNCQslkVKiNhPFflE
PDB Path:   C:\toromo_hu.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

Domains

Name    Response    Post-Analysis Lookup
No hosts contacted.

IP Address       Status   Action
164.124.101.2    Active   Moloch

Note: the sample contacted no hosts, so the single IP above is not evidence of C2. 164.124.101.2 is a public DNS resolver operated by LG DACOM (Korea), which makes this entry most likely the sandbox's own resolver traffic; treat it as infrastructure noise rather than an indicator.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API calls

NtProtectVirtualMemory
  process_identifier: 1016
  process_handle:     0xffffffff  (pseudo-handle -1, i.e. the calling process itself)
  base_address:       0x004c0000
  length:             528384  (0x81000, 129 pages)
  protection:         64 (PAGE_EXECUTE_READWRITE)
  stack_dep_bypass:   0
  stack_pivoted:      0
  heap_dep_bypass:    1
  Status: 1 (success)   Return: 0   Repeated: 0

NtAllocateVirtualMemory
  process_identifier: 1016
  process_handle:     0xffffffff  (pseudo-handle -1, i.e. the calling process itself)
  base_address:       0x00550000
  region_size:        581632  (0x8e000, 142 pages)
  allocation_type:    4096 (MEM_COMMIT)
  protection:         64 (PAGE_EXECUTE_READWRITE)
  stack_dep_bypass:   0
  stack_pivoted:      0
  heap_dep_bypass:    0
  Status: 1 (success)   Return: 0   Repeated: 0

Both calls act on the process itself and both end in RWX memory: a fresh 568 KB commit that is executable from the start, and an existing 516 KB region re-protected to RWX (the sandbox's heap_dep_bypass heuristic fired on that one). Writable-and-executable pages requested by the process on its own image are the usual footprint of an in-process unpacking stub that decrypts a payload and then jumps into it, and they fit the packer-oriented names in the antivirus table below (Kryptik, MalPack, Win.Packed.Fragtor). The log shows the allocation and protection change only; what was written into those regions is not captured here.
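The two calls above are enough to write a detection rule against a Cuckoo-style API log. The following is an added example (not part of the ZeroBOX report or its signature set); the input records are the two logged calls for PID 1016 with one benign PAGE_READWRITE allocation constructed as a control case, the Win32 constants are their documented values, and the rule names and `scan()` layout are this example's own.

```python
"""Flag RWX memory requests a process makes on itself in a Cuckoo-style API log.

Added example, not part of the ZeroBOX report. The rule names (rwx_alloc,
rwx_protect, self_unpack) and the scan() structure are this example's own.
"""

PAGE_EXECUTE_READWRITE = 0x40        # 64 in the report
PAGE_EXECUTE_WRITECOPY = 0x80
PROTECTION_MASK = 0xFF               # strips PAGE_GUARD / PAGE_NOCACHE modifier bits
MEM_COMMIT = 0x1000                  # 4096 in the report
CURRENT_PROCESS = 0xFFFFFFFF         # 32-bit pseudo-handle returned by GetCurrentProcess()

# Constructed input: the two calls exactly as logged for PID 1016, plus one
# PAGE_READWRITE (0x04) allocation added here as a benign control case.
API_CALLS = [
    {"api": "NtProtectVirtualMemory", "process_identifier": 1016,
     "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1,
     "length": 528384, "protection": 64, "base_address": 0x004C0000,
     "process_handle": 0xFFFFFFFF},
    {"api": "NtAllocateVirtualMemory", "process_identifier": 1016,
     "region_size": 581632, "stack_dep_bypass": 0, "stack_pivoted": 0,
     "heap_dep_bypass": 0, "protection": 64, "base_address": 0x00550000,
     "allocation_type": 4096, "process_handle": 0xFFFFFFFF},
    {"api": "NtAllocateVirtualMemory", "process_identifier": 1016,   # control
     "region_size": 4096, "protection": 0x04, "base_address": 0x00600000,
     "allocation_type": 4096, "process_handle": 0xFFFFFFFF},
]


def is_rwx(protection):
    """True for writable+executable page protections, ignoring modifier bits."""
    return (protection & PROTECTION_MASK) in (PAGE_EXECUTE_READWRITE,
                                               PAGE_EXECUTE_WRITECOPY)


def scan(calls):
    """Return one finding per suspicious call plus a per-process sequence hit.

    Per-call rules:
      rwx_alloc   - NtAllocateVirtualMemory committing RWX memory in the caller
      rwx_protect - NtProtectVirtualMemory flipping an existing region to RWX
    Sequence rule:
      self_unpack - a process that did both, the in-place unpacking shape
    """
    findings = []
    seen = {}   # pid -> set of per-call rules that fired
    for c in calls:
        pid = c["process_identifier"]
        own_process = c.get("process_handle") == CURRENT_PROCESS
        if not (own_process and is_rwx(c.get("protection", 0))):
            continue
        if c["api"] == "NtAllocateVirtualMemory" and c.get("allocation_type", 0) & MEM_COMMIT:
            rule, size = "rwx_alloc", c["region_size"]
        elif c["api"] == "NtProtectVirtualMemory":
            rule, size = "rwx_protect", c["length"]
        else:
            continue
        findings.append({
            "rule": rule, "pid": pid, "base": hex(c["base_address"]), "size": size,
            # the sandbox's own DEP heuristic adds weight when it fired as well
            "severity": "high" if c.get("heap_dep_bypass") else "medium",
        })
        seen.setdefault(pid, set()).add(rule)
    for pid, rules in seen.items():
        if {"rwx_alloc", "rwx_protect"} <= rules:
            findings.append({"rule": "self_unpack", "pid": pid, "severity": "high",
                             "note": "RWX commit and RWX re-protect in the same process"})
    return findings


if __name__ == "__main__":
    for finding in scan(API_CALLS):
        print(finding)
```

The control record shows why the rule keys on the protection value rather than on the API name: committing memory is normal, committing it executable and writable is not. On a real log you would also want the process handle resolved, since the same pattern aimed at a foreign handle is injection rather than unpacking.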
Signatures

High-entropy section
  name:              .data
  virtual_address:   0x00026000
  virtual_size:      0x0008f81c  (587,804 bytes)
  size_of_data:      0x00081a00  (530,944 bytes)
  entropy:           7.988 bits/byte
  A section with a high entropy has been found.

PE entropy
  entropy:           0.7455
  Overall entropy of this PE file is high.

Note the two scales: the section figure is Shannon entropy in bits per byte, where 8.0 is the ceiling reached by uniformly random or well-encrypted data, while the overall figure is reported on a 0 to 1 scale. A .data section at 7.99 is effectively incompressible content rather than initialised program data, and its virtual size exceeds its raw size by roughly 56 KB, zero-filled room the loader maps at runtime.
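The check behind the "high entropy" signature is a plain Shannon-entropy measurement over each section's raw bytes. The following is an added example (not ZeroBOX's signature code) that computes it the same way and reports the raw-versus-virtual size gap the table above shows; the 7.0 bits/byte threshold is this example's assumption, since the report does not state its cutoff, and the section contents are constructed buffers, not bytes from the sample.

```python
"""Per-section Shannon entropy check, as a high-entropy-section signature applies it.

Added example, not part of the ZeroBOX report. HIGH_ENTROPY_THRESHOLD is an
assumption; the report does not publish the cutoff its signature uses.
"""
import math
from collections import Counter

HIGH_ENTROPY_THRESHOLD = 7.0   # assumption: packed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (one repeated value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_report(name: str, raw: bytes, virtual_size: int) -> dict:
    """Summarise one section the way the report's signature line does, plus the
    VirtualSize - SizeOfRawData gap, which the loader fills with zeros at runtime."""
    e = shannon_entropy(raw)
    return {
        "name": name,
        "size_of_data": len(raw),
        "virtual_size": virtual_size,
        "uninitialised_bytes": max(0, virtual_size - len(raw)),
        "entropy": round(e, 3),
        "high_entropy": e >= HIGH_ENTROPY_THRESHOLD,
    }


# Constructed section contents (no bytes from the analysed sample are embedded):
#   - a byte-uniform buffer, the ceiling a good cipher or compressor approaches
#   - a zero-filled buffer, the floor
#   - repeated ASCII, roughly what an unpacked string table looks like
SAMPLES = {
    ".data_packed": (bytes(range(256)) * 16, 0x2000),
    ".bss_like":    (bytes(4096), 0x2000),
    ".rdata_text":  (b"kernel32.dll\x00VirtualProtect\x00" * 128, 0x1000),
}


def run() -> list:
    """Entropy report for every constructed section."""
    return [section_report(n, raw, vs) for n, (raw, vs) in SAMPLES.items()]


if __name__ == "__main__":
    for r in run():
        print(r)
```

On a real file, feed each section's raw bytes (SizeOfRawData from the file offset PointerToRawData) to `section_report`; the .data section in this report, at 7.988, would clear any reasonable threshold, while ordinary compiled code typically lands between 5.5 and 6.8.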
Antivirus

Engine                 Result
Lionic                 Trojan.Win32.Agent.4!c
Elastic                malicious (high confidence)
DrWeb                  BackDoor.Tofsee.199
MicroWorld-eScan       Trojan.GenericKD.37612709
FireEye                Generic.mg.9b1764b1cca5f1eb
CAT-QuickHeal          Trojan.Agent
McAfee                 RDN/Generic PWS.y
Cylance                Unsafe
Sangfor                Trojan.Win32.Save.a
K7AntiVirus            Trojan ( 0058291f1 )
Alibaba                Ransom:Win32/StopCrypt.724c8876
K7GW                   Trojan ( 0058291f1 )
Cybereason             malicious.942912
BitDefenderTheta       Gen:NN.ZexaF.34170.Ru1@aaYW!6fO
Cyren                  W32/Kryptik.EYC.gen!Eldorado
Symantec               ML.Attribute.HighConfidence
ESET-NOD32             a variant of Win32/Kryptik.HMNW
APEX                   Malicious
Paloalto               generic.ml
ClamAV                 Win.Packed.Fragtor-9895216-0
Kaspersky              HEUR:Trojan.Win32.Agent.gen
BitDefender            Trojan.GenericKD.37612709
NANO-Antivirus         Trojan.Win32.Tofsee.jbxocj
Ad-Aware               Trojan.GenericKD.37612709
Emsisoft               Trojan.GenericKD.37612709 (B)
McAfee-GW-Edition      BehavesLike.Win32.MultiPlug.bc
Sophos                 Mal/Generic-R + Troj/Krypt-CZ
SentinelOne            Static AI - Malicious PE
Jiangmin               Trojan.Agent.dnxg
eGambit                Unsafe.AI_Score_95%
Avira                  TR/Crypt.Agent.knsmc
Kingsoft               Win32.Troj.Undef.(kcloud)
Microsoft              Ransom:Win32/StopCrypt.MGK!MTB
Gridinsoft             Trojan.Win32.Kryptik.ns
GData                  Win32.Trojan.PSE.54LWUV
Cynet                  Malicious (score: 100)
AhnLab-V3              Trojan/Win.Racealer.R442258
Acronis                suspicious
VBA32                  Malware-Cryptor.Azorult.gen
MAX                    malware (ai score=89)
Malwarebytes           Trojan.MalPack.GS
Panda                  Trj/GdSda.A
TrendMicro-HouseCall   Ransom_StopCrypt.R002C0DIO21
Rising                 Trojan.Kryptik!1.D975 (CLASSIC)
Ikarus                 Trojan.Win32.Glupteba
MaxSecure              Trojan.Malware.300983.susgen
Fortinet               W32/Kryptik.HMNW!tr
Webroot                W32.Trojan.TE
AVG                    Win32:PWSX-gen [Trj]
Avast                  Win32:PWSX-gen [Trj]

All 50 engines listed flag the file, but the labels are mostly generic, packer-derived (Kryptik, Krypt, MalPack, Malware-Cryptor, Win.Packed.Fragtor) or machine-learning verdicts, and the few family names disagree: StopCrypt ransomware from Alibaba, Microsoft and TrendMicro-HouseCall; Tofsee from DrWeb and NANO-Antivirus; Glupteba from Ikarus; Azorult from VBA32; Racealer from AhnLab-V3. Read the table as agreement that the file is malicious and packed, not as attribution; the family has to be determined from the unpacked payload.