popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

398562008.exe

Malicious Library OS Processor Check JPEG Format PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Oct. 6, 2021, 1:23 p.m. Oct. 6, 2021, 1:30 p.m.
Size 2.0MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e7c85909bd98c3b3d5b1cd85f55023dc
SHA256 adfe4bb2ea2462bd0a996d8152a239c69354975ff911c80c1ca5bec6f63fb076
CRC32 395B0402
ssdeep 49152:5unKcQRDlD3e0ufj+XYrbPehaZ4Z5Nxf5fM+5CIdAe:5KCtlDOh6Yuh5nfFbC4
PDB Path D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

pdb_path D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb
section .didat
resource name PNG
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x734c2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x726d3000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1040
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04ea0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 10902646784
free_bytes_available: 10902646784
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
file C:\Users\test22\AppData\Local\Temp\RarSFX0\foto s‮gpj.exe
file C:\Users\test22\AppData\Local\Temp\RarSFX0\home.jpg
file C:\Users\test22\AppData\Local\Temp\RarSFX0\Me and sauna.jpg
file C:\Users\test22\AppData\Local\Temp\RarSFX0\sexe dress.jpg
section {u'size_of_data': u'0x0000e200', u'virtual_address': u'0x00068000', u'entropy': 6.802778256495424, u'name': u'.rsrc', u'virtual_size': u'0x0000e038'} entropy 6.8027782565 description A section with a high entropy has been found
entropy 0.214015151515 description Overall entropy of this PE file is high
file C:\Users\test22\AppData\Local\Temp\RarSFX0\sexe dress.jpg
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.37697277
FireEye Generic.mg.e7c85909bd98c3b3
Sangfor Suspicious.Win32.Save.a
Cybereason malicious.6e1770
ESET-NOD32 a variant of Win32/Kryptik.HMRW
APEX Malicious
Kaspersky HEUR:Trojan-PSW.Win32.Reline.gen
BitDefender Trojan.GenericKD.37697277
Avast Win32:PWSX-gen [Trj]
Rising Trojan.Generic@ML.83 (RDML:BdObePV6+mFFhvyt6xkJ3g)
Sophos Generic ML PUA (PUA)
DrWeb Trojan.PWS.Steam.20749
TrendMicro HEUR_RLOTRICK.A
McAfee-GW-Edition BehavesLike.Win32.Generic.tc
Emsisoft Trojan.GenericKD.37697277 (B)
SentinelOne Static AI - Malicious PE
Jiangmin Suspect.RLO
Avira TR/AD.RedLineSteal.fptnj
Microsoft Trojan:Win32/Sabsik.FL.B!ml
GData MSIL.Trojan-Stealer.Redline.XBRA5N
Cynet Malicious (score: 100)
MAX malware (ai score=83)
Malwarebytes Malware.AI.4202347060
TrendMicro-HouseCall TROJ_GEN.R002H0CJ121
Fortinet W32/Kryptik.FLKJ!tr
BitDefenderTheta Gen:NN.ZexaF.34170.Su0@a04FSrdk
AVG Win32:PWSX-gen [Trj]