Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 1, 2021, 6:12 p.m.	Oct. 1, 2021, 6:18 p.m.

Size	324.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5861a5c311151e853ce704c5268981d6`
SHA256	`4f3ba9f2d7e8979ac9fe1be297c90314a2ee9065bfcf0073c2b1815c425b16db`
CRC32	`BC885AB7`
ssdeep	`6144:KeqYFeYWRTDsLsIuihb12aQhKVYZdq6TaB2RVbGaHk2fgJXHaE:Kt+/WRTi/QhJdqjy9P1`
PDB Path	C:\jajecedovije50\pubivinaficejo\cid-pufayijaw\yew.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

file.exe "C:\Users\test22\AppData\Local\Temp\file.exe"
1800

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\jajecedovije50\pubivinaficejo\cid-pufayijaw\yew.pdb

The file contains an unknown PE resource name possibly indicative of a packer (3 events)

resource name	AFX_DIALOG_LAYOUT
resource name	MUPOXAKOZEZUMEXUGOWERABUZALEZ
resource name	None

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 1, 2021, 6:12 p.m.	process_identifier: 1800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 151552 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009aa000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Oct. 1, 2021, 6:12 p.m.	process_identifier: 1800 region_size: 286720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (8 events)

name

AFX_DIALOG_LAYOUT

language

LANG_MONGOLIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x00479b70

size

0x00000002

name

MUPOXAKOZEZUMEXUGOWERABUZALEZ

language

LANG_MONGOLIAN

filetype

ASCII text, with very long lines, with no line terminators

sublanguage

SUBLANG_DEFAULT

offset

0x004797f0

size

0x000002fa

name

RT_CURSOR

language

LANG_MONGOLIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x00479b78

size

0x00000130

name

RT_ACCELERATOR

language

LANG_MONGOLIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x00479af0

size

0x00000060

name

RT_GROUP_CURSOR

language

LANG_MONGOLIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x00479ca8

size

0x00000014

name

RT_VERSION

language

LANG_MONGOLIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x00479cc0

size

0x00000130

name

None

language

LANG_MONGOLIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x00479b60

size

0x0000000a

name

None

language

LANG_MONGOLIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x00479b60

size

0x0000000a

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00026000', u'virtual_address': u'0x00023000', u'entropy': 7.924335465423537, u'name': u'.data', u'virtual_size': u'0x00452b20'}

entropy

7.92433546542

description

A section with a high entropy has been found

entropy

0.470588235294

description

Overall entropy of this PE file is high

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Agent.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Ransom.Stop.Z5
McAfee	Packed-GDT!5861A5C31115
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/Agent.DLJ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HMRV
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Exploit.Win32.Shellcode.gen
BitDefender	Gen:Variant.Fragtor.27383
MicroWorld-eScan	Gen:Variant.Fragtor.27383
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Gen:Variant.Fragtor.27383
Emsisoft	Gen:Variant.Fragtor.27383 (B)
DrWeb	Trojan.DownLoader42.62977
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
FireEye	Generic.mg.5861a5c311151e85
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
GData	Gen:Variant.Fragtor.27383
Webroot	W32.Trojan.Gen
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
ZoneAlarm	HEUR:Exploit.Win32.Shellcode.gen
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.34170.uuW@aO7N@8bO
ALYac	Gen:Variant.Fragtor.27383
MAX	malware (ai score=87)
Rising	Trojan.Kryptik!1.D9CF (CLASSIC)
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Agent.DLJ!tr
AVG	Win32:PWSX-gen [Trj]

file.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All