Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 28, 2021, 1:45 p.m.	Sept. 28, 2021, 2 p.m.

Size	162.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`99a3a6cca4b9fb67453930f721dfd151`
SHA256	`8680641d5644828bf4ed6bb714bf7fc8a018748e912b56745875e471e136c953`
CRC32	`A495572A`
ssdeep	`1536:PJwDItYBZDv8wsPuGNTePomiGfDO/f/6J1kODV8Q5XBA26P5V+N5Z1i2pplF/9PB:PA6YB5JKNq3iYO/X6r8HP5Vy7A2F0O`
PDB Path	C:\gak\womelifomenof nifumusiba\facomogic.pdb
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

vbc.exe "C:\Users\test22\AppData\Local\Temp\vbc.exe"
620

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\gak\womelifomenof nifumusiba\facomogic.pdb

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 28, 2021, 1:45 p.m.	process_identifier: 620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bc000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 28, 2021, 1:45 p.m.	process_identifier: 620 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (3 events)

name

RT_STRING

language

LANG_SAAMI

filetype

data

sublanguage

SUBLANG_ARABIC_LIBYA

offset

0x000ae0d0

size

0x0000038a

name

RT_ACCELERATOR

language

LANG_SAAMI

filetype

data

sublanguage

SUBLANG_ARABIC_LIBYA

offset

0x000adf00

size

0x00000020

name

RT_ACCELERATOR

language

LANG_SAAMI

filetype

data

sublanguage

SUBLANG_ARABIC_LIBYA

offset

0x000adf00

size

0x00000020

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00016c00', u'virtual_address': u'0x00001000', u'entropy': 7.743713336660948, u'name': u'.text', u'virtual_size': u'0x00016a50'}

entropy

7.74371333666

description

A section with a high entropy has been found

entropy

0.565217391304

description

Overall entropy of this PE file is high

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Lionic	Trojan.Win32.Androm.m!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37664395
FireEye	Generic.mg.99a3a6cca4b9fb67
ALYac	Trojan.GenericKD.37664395
Malwarebytes	Trojan.MalPack.GS
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005880fc1 )
Alibaba	Trojan:Application/Obfuscated.92d6738c
K7GW	Trojan ( 005880fc1 )
Cybereason	malicious.e02654
BitDefenderTheta	Gen:NN.ZexaF.34170.kq0@aKRVCbjO
Cyren	W32/Kryptik.EWJ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HMPX
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Filerepmalware-9897102-0
Kaspersky	HEUR:Backdoor.Win32.Androm.gen
BitDefender	Trojan.GenericKD.37664395
Rising	Trojan.Kryptik!1.D9C1 (CLASSIC)
Ad-Aware	Trojan.GenericKD.37664395
Emsisoft	Trojan.Crypt (A)
Comodo	Malware@#34bes1uph19ad
McAfee-GW-Edition	BehavesLike.Win32.Emotet.cc
Sophos	Mal/Generic-S
Ikarus	Trojan.Crypt
Webroot	W32.Infostealer.Gen
Avira	TR/AD.LokiBot.hvbsa
Kingsoft	Win32.Hack.Undef.(kcloud)
Microsoft	Trojan:Win32/Racealer.Q!MTB
Gridinsoft	Trojan.Win32.Kryptik.oa
GData	Trojan.GenericKD.37664395
Cynet	Malicious (score: 100)
AhnLab-V3	Infostealer/Win.SmokeLoader.R442914
Acronis	suspicious
McAfee	Packed-GDT!99A3A6CCA4B9
MAX	malware (ai score=100)
TrendMicro-HouseCall	TROJ_GEN.R002H0CIR21
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Kryptik.HMPU!tr
Panda	Trj/Genetic.gen
CrowdStrike	win/malicious_confidence_100% (W)

vbc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All