Summary | ZeroBOX

PLATBA-06-10-21.exe

Tags: UPX; Admin Tool (Sysinternals etc ...); Malicious Library; Malicious Packer; GIF Format; PE File; PE32
Category: FILE
Machine: s1_win7_x6401
Started: Oct. 7, 2021, 1:12 p.m.
Completed: Oct. 7, 2021, 1:14 p.m.
Size 824.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f01f582a8ec6b760ebfb59eda10b0b43
SHA256 f46f584cef57a71647f5a7738c6489c7f36e8c9830c327fa18d565487b2b8964
CRC32 0655AFBF
ssdeep 12288:OwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozEt888888888888W8888888J:eNzCtUpQ9WWPBSSRMTEpMNl
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library

Name / Response / Post-Analysis Lookup
No hosts contacted.

IP Address / Status / Action
164.124.101.2 / Active / Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .itext
section .didata
Time & API / Arguments / Status / Return / Repeated

GetDiskFreeSpaceExW

Arguments:
  total_number_of_free_bytes: 13673046016
  free_bytes_available: 13673046016
  root_path: C:\
  total_number_of_bytes: 34252779520
Status: 1
Return: 1
Repeated: 0
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk
description Possibly a polymorphic version of itself file {u'size': 844288, u'yara': [{u'strings': [u'Zm9ybWlu'], u'meta': {u'date': u'2021-03-16', u'update': u'2021-04-14', u'description': u'Malicious Packer', u'author': u'r0d'}, u'name': u'Malicious_Packer_Zero', u'offsets': {u'o105': [[428546L, 0]]}}, {u'strings': [u'OUk5UTlZOWE5aTk='], u'meta': {u'date': u'2021-05-31', u'hash': u'b1d319888860b7a6400c5e5099d59e48', u'description': u'Admin Tool Sysinternals', u'author': u'r0d'}, u'name': u'Admin_Tool_IN_Zero', u'offsets': {u's23': [[727645L, 0]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [u'QXV0b21h'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's49': [[360679L, 0], [406976L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'OC05MTk1OTk5PTlBOUU5STlNOVE5VTlZOV05YTllOWk5bTlxOQ==', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o27': [[773411L, 0]], u'o77': [[714200L, 1], [719828L, 1]]}}], u'sha1': u'17706fc32978d92a61489f32403cf52fd305c2bd', u'name': u'2b40d97fdfebdfd6_pafish.exe', u'filepath': u'C:\\util\\pafish.exe', u'sha512': u'd41cc6a5ba8ad21d38dc103663e193c3f2a4ee8ea9d5aa4bb339bc405b2c0fce75d52c342644e022ab7f0e025bc3931d1a00c91d2deade277e1c3ed06ddd5c47', u'urls': [], u'crc32': u'0226FFEB', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/17048/files/2b40d97fdfebdfd6_pafish.exe', u'ssdeep': u'12288:OwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozEb888888888888W8888888J:eNzCtUpQ9WWPBSSRMTEpMNP', u'sha256': u'2b40d97fdfebdfd619b51a981d1a97040f2157af87a8fe74a831778bd013be00', u'type': u'PE32 executable (GUI) Intel 
80386, for MS Windows', u'pids': [1016], u'md5': u'ce3d0caa8ffa2615b3e8b712c7a87b3c', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description Possibly a polymorphic version of itself file {u'size': 844288, u'yara': [{u'strings': [u'Zm9ybWlu'], u'meta': {u'date': u'2021-03-16', u'update': u'2021-04-14', u'description': u'Malicious Packer', u'author': u'r0d'}, u'name': u'Malicious_Packer_Zero', u'offsets': {u'o105': [[428546L, 0]]}}, {u'strings': [u'OUk5UTlZOWE5aTk='], u'meta': {u'date': u'2021-05-31', u'hash': u'b1d319888860b7a6400c5e5099d59e48', u'description': u'Admin Tool Sysinternals', u'author': u'r0d'}, u'name': u'Admin_Tool_IN_Zero', u'offsets': {u's23': [[727645L, 0]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [u'QXV0b21h'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's49': [[360679L, 0], [406976L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'OC05MTk1OTk5PTlBOUU5STlNOVE5VTlZOV05YTllOWk5bTlxOQ==', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o27': [[773411L, 0]], u'o77': [[714200L, 1], [719828L, 1]]}}], u'sha1': u'2ccd98fe2680bcbce7cd3f49fcdcf0b83c848974', u'name': u'9a9f3c506431d1ae_javaws.exe', u'filepath': u'C:\\Program Files\\Java\\jre7\\bin\\javaws.exe', u'sha512': u'021ab443c967ad830ec5324a7fd14bd97bd92eae2cc54dff345b3f6d0351c306fd9cafbfb5b48b8d7a3109b410d8ed1b6e8f26ed55537812442e775567b32a1a', u'urls': [], u'crc32': u'1D0AE1BC', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/17048/files/9a9f3c506431d1ae_javaws.exe', u'ssdeep': u'12288:OwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozEQS888888888888W888888E:eNzCtUpQ9WWPBSSRMTEpMNR', u'sha256': u'9a9f3c506431d1aea14b7cd2056df38dfea829469550005b6b0a1df4d94b26a2', u'type': 
u'PE32 executable (GUI) Intel 80386, for MS Windows', u'pids': [1016], u'md5': u'74c44cbff4294b7a9f615fdae03b70ca', u'virustotal': {u'scan_id': u'9a9f3c506431d1aea14b7cd2056df38dfea829469550005b6b0a1df4d94b26a2-1448295665', u'sha1': u'2ccd98fe2680bcbce7cd3f49fcdcf0b83c848974', u'resource': u'74c44cbff4294b7a9f615fdae03b70ca', u'verbose_msg': u'Scan finished, information embedded', u'response_code': 1, u'scan_date': u'2015-11-23 16:21:05', u'permalink': u'https://www.virustotal.com/gui/file/9a9f3c506431d1aea14b7cd2056df38dfea829469550005b6b0a1df4d94b26a2/detection/f-9a9f3c506431d1aea14b7cd2056df38dfea829469550005b6b0a1df4d94b26a2-1448295665', u'summary': {u'positives': 48, u'permalink': u'https://www.virustotal.com/gui/file/9a9f3c506431d1aea14b7cd2056df38dfea829469550005b6b0a1df4d94b26a2/detection/f-9a9f3c506431d1aea14b7cd2056df38dfea829469550005b6b0a1df4d94b26a2-1448295665', u'scan_date': u'2015-11-23 16:21:05'}, u'total': 56, u'positives': 48, u'sha256': u'9a9f3c506431d1aea14b7cd2056df38dfea829469550005b6b0a1df4d94b26a2', u'md5': u'74c44cbff4294b7a9f615fdae03b70ca', u'scans': {u'Bkav': {u'detected': True, u'version': u'1.3.0.7383', u'result': u'W32.MafocenMV.RSF', u'update': u'20151123'}, u'Lionic': {u'detected': False, u'version': u'1.5', u'result': None, u'update': u'20151123'}, u'MicroWorld-eScan': {u'detected': True, u'version': u'12.0.250.0', u'result': u'Trojan.Generic.KDV.391478', u'update': u'20151123'}, u'nProtect': {u'detected': True, u'version': u'2015-11-23.01', u'result': u'Trojan/W32.Agent.844288.Y', u'update': u'20151123'}, u'CMC': {u'detected': True, u'version': u'1.1.0.977', u'result': u'Virus.Win32.Renamer!O', u'update': u'20151118'}, u'CAT-QuickHeal': {u'detected': True, u'version': u'14.00', u'result': u'W32.Pintu.A', u'update': u'20151123'}, u'ALYac': {u'detected': True, u'version': u'1.0.1.5', u'result': u'Trojan.Generic.KDV.391478', u'update': u'20151123'}, u'Malwarebytes': {u'detected': True, u'version': u'2.1.1.1115', u'result': 
u'Trojan.Injector.DF', u'update': u'20151123'}, u'Zillya': {u'detected': False, u'version': u'2.0.0.2526', u'result': None, u'update': u'20151123'}, u'TheHacker': {u'detected': False, u'version': u'6.8.0.5.731', u'result': None, u'update': u'20151121'}, u'Alibaba': {u'detected': False, u'version': u'1.0', u'result': None, u'update': u'20151127'}, u'K7GW': {u'detected': True, u'version': u'9.212.17943', u'result': u'Virus ( 0040f9341 )', u'update': u'20151123'}, u'K7AntiVirus': {u'detected': True, u'version': u'9.212.17942', u'result': u'Virus ( 0040f9341 )', u'update': u'20151123'}, u'Agnitum': {u'detected': False, u'version': u'5.5.1.3', u'result': None, u'update': u'20151122'}, u'F-Prot': {u'detected': True, u'version': u'4.7.1.166', u'result': u'W32/Autorun.ZF', u'update': u'20151123'}, u'Symantec': {u'detected': True, u'version': u'20151.1.0.32', u'result': u'W32.Tapin', u'update': u'20151122'}, u'ByteHero': {u'detected': False, u'version': u'1.0.0.1', u'result': None, u'update': u'20151123'}, u'TrendMicro-HouseCall': {u'detected': True, u'version': u'9.800.0.1009', u'result': u'WORM_RENAMER.AD', u'update': u'20151123'}, u'Avast': {u'detected': True, u'version': u'8.0.1489.320', u'result': u'Win32:AutoRun-CWJ [Trj]', u'update': u'20151123'}, u'ClamAV': {u'detected': True, u'version': u'0.98.5.0', u'result': u'WIN.Virus.Tainp', u'update': u'20151123'}, u'Kaspersky': {u'detected': True, u'version': u'15.0.1.10', u'result': u'Virus.Win32.Renamer.j', u'update': u'20151123'}, u'BitDefender': {u'detected': True, u'version': u'7.2', u'result': u'Trojan.Generic.KDV.391478', u'update': u'20151123'}, u'NANO-Antivirus': {u'detected': True, u'version': u'0.30.26.4751', u'result': u'Virus.Win32.Renamer.lxyhd', u'update': u'20151123'}, u'ViRobot': {u'detected': False, u'version': u'2014.3.20.0', u'result': None, u'update': u'20151123'}, u'Rising': {u'detected': True, u'version': u'25.0.0.18', u'result': u'PE:Trojan.Win32.StealIcon!1.6A68 [F]', u'update': u'20151122'}, 
u'Ad-Aware': {u'detected': True, u'version': u'12.0.163.0', u'result': u'Trojan.Generic.KDV.391478', u'update': u'20151123'}, u'Sophos': {u'detected': True, u'version': u'4.98.0', u'result': u'W32/Renamer-L', u'update': u'20151123'}, u'Comodo': {u'detected': True, u'version': u'23644', u'result': u'TrojWare.Win32.Spy.E', u'update': u'20151123'}, u'F-Secure': {u'detected': True, u'version': u'11.0.19100.45', u'result': u'Trojan.Generic.KDV.391478', u'update': u'20151123'}, u'DrWeb': {u'detected': True, u'version': u'7.0.16.10090', u'result': u'Trojan.Siggen3.6026', u'update': u'20151123'}, u'VIPRE': {u'detected': True, u'version': u'45376', u'result': u'Virus.Win32.Pintu.a (v)', u'update': u'20151123'}, u'TrendMicro': {u'detected': True, u'version': u'9.740.0.1012', u'result': u'WORM_RENAMER.AD', u'update': u'20151123'}, u'McAfee-GW-Edition': {u'detected': True, u'version': u'v2015', u'result': u'W32/Tainp.a', u'update': u'20151123'}, u'Emsisoft': {u'detected': True, u'version': u'3.5.0.642', u'result': u'Trojan.Generic.KDV.391478 (B)', u'update': u'20151123'}, u'Cyren': {u'detected': True, u'version': u'5.4.16.7', u'result': u'W32/Autorun.YQXC-6672', u'update': u'20151123'}, u'Jiangmin': {u'detected': True, u'version': u'16.0.100', u'result': u'Trojan/Genome.annf', u'update': u'20151122'}, u'Avira': {u'detected': True, u'version': u'8.3.2.4', u'result': u'TR/ATRAPS.Gen', u'update': u'20151123'}, u'Fortinet': {u'detected': True, u'version': u'5.1.220.0', u'result': u'W32/AutoRun.SOT!tr', u'update': u'20151123'}, u'Antiy-AVL': {u'detected': True, u'version': u'1.0.0.1', u'result': u'Virus/Win32.Renamer.j', u'update': u'20151123'}, u'Arcabit': {u'detected': True, u'version': u'1.0.0.597', u'result': u'Trojan.Generic.KDV.D5F936', u'update': u'20151123'}, u'SUPERAntiSpyware': {u'detected': True, u'version': u'5.6.0.1032', u'result': u'Trojan.Agent/Gen-Pintu', u'update': u'20151123'}, u'AhnLab-V3': {u'detected': True, u'version': u'2015.11.24.00', u'result': 
u'Win32/Unruy.H', u'update': u'20151123'}, u'Microsoft': {u'detected': True, u'version': u'1.1.12300.0', u'result': u'Virus:Win32/Grenam.B', u'update': u'20151123'}, u'TotalDefense': {u'detected': True, u'version': u'37.1.62.1', u'result': u'Win32/Pintu.A', u'update': u'20151123'}, u'McAfee': {u'detected': True, u'version': u'6.0.6.653', u'result': u'W32/Tainp.a', u'update': u'20151123'}, u'AVware': {u'detected': True, u'version': u'1.5.0.21', u'result': u'Virus.Win32.Pintu.a (v)', u'update': u'20151123'}, u'VBA32': {u'detected': True, u'version': u'3.12.26.4', u'result': u'Virus.Renamer.13219', u'update': u'20151123'}, u'Panda': {u'detected': True, u'version': u'4.6.4.2', u'result': u'Trj/Dtcontx.I', u'update': u'20151123'}, u'Zoner': {u'detected': False, u'version': u'1.0', u'result': None, u'update': u'20151123'}, u'ESET-NOD32': {u'detected': True, u'version': u'12611', u'result': u'Win32/AutoRun.Delf.LV', u'update': u'20151123'}, u'Tencent': {u'detected': True, u'version': u'1.0.0.1', u'result': u'Win32.Virus.Renamer.Aisa', u'update': u'20151123'}, u'Ikarus': {u'detected': True, u'version': u'T3.1.9.5.0', u'result': u'Virus.Win32.Pintu', u'update': u'20151123'}, u'GData': {u'detected': True, u'version': u'25', u'result': u'Trojan.Generic.KDV.391478', u'update': u'20151123'}, u'AVG': {u'detected': True, u'version': u'16.0.0.4460', u'result': u'Generic_s.SN', u'update': u'20151123'}, u'Baidu-International': {u'detected': True, u'version': u'3.5.1.41473', u'result': u'Virus.Win32.Renamer.AV', u'update': u'20151123'}, u'Qihoo-360': {u'detected': True, u'version': u'1.0.0.1077', u'result': u'QVM05.1.Malware.Gen', u'update': u'20151123'}}}}
description Possibly a polymorphic version of itself file {u'size': 844288, u'yara': [{u'strings': [u'Zm9ybWlu'], u'meta': {u'date': u'2021-03-16', u'update': u'2021-04-14', u'description': u'Malicious Packer', u'author': u'r0d'}, u'name': u'Malicious_Packer_Zero', u'offsets': {u'o105': [[428546L, 0]]}}, {u'strings': [u'OUk5UTlZOWE5aTk='], u'meta': {u'date': u'2021-05-31', u'hash': u'b1d319888860b7a6400c5e5099d59e48', u'description': u'Admin Tool Sysinternals', u'author': u'r0d'}, u'name': u'Admin_Tool_IN_Zero', u'offsets': {u's23': [[727645L, 0]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [u'QXV0b21h'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's49': [[360679L, 0], [406976L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'OC05MTk1OTk5PTlBOUU5STlNOVE5VTlZOV05YTllOWk5bTlxOQ==', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o27': [[773411L, 0]], u'o77': [[714200L, 1], [719828L, 1]]}}], u'sha1': u'5cb723067dc43749e749ded0488a3edbc66d1234', u'name': u'852815cb00d27b92_procmon.exe', u'filepath': u'C:\\tmptgehzx\\bin\\Procmon.exe', u'sha512': u'7f94141965c08db155d7d1bfb6dad781a6935d9e0f4d6615c1564128af8b2f12381c3648a53f09b0cb7cc0c56cba760c984d0a27e992317ffe1a1e1cff0a594e', u'urls': [], u'crc32': u'434EDAC0', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/17048/files/852815cb00d27b92_procmon.exe', u'ssdeep': u'12288:OwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozE0888888888888W8888888J:eNzCtUpQ9WWPBSSRMTEpMNG', u'sha256': u'852815cb00d27b92033852ef4f14fdbc8d3ab1d6b2529d81aec67283853a5f91', u'type': u'PE32 executable 
(GUI) Intel 80386, for MS Windows', u'pids': [1016], u'md5': u'ac04a3b820e15e621538aef9f83ade10', u'virustotal': {u'scan_id': u'852815cb00d27b92033852ef4f14fdbc8d3ab1d6b2529d81aec67283853a5f91-1509051013', u'sha1': u'5cb723067dc43749e749ded0488a3edbc66d1234', u'resource': u'ac04a3b820e15e621538aef9f83ade10', u'verbose_msg': u'Scan finished, information embedded', u'response_code': 1, u'scan_date': u'2017-10-26 20:50:13', u'permalink': u'https://www.virustotal.com/gui/file/852815cb00d27b92033852ef4f14fdbc8d3ab1d6b2529d81aec67283853a5f91/detection/f-852815cb00d27b92033852ef4f14fdbc8d3ab1d6b2529d81aec67283853a5f91-1509051013', u'summary': {u'positives': 61, u'permalink': u'https://www.virustotal.com/gui/file/852815cb00d27b92033852ef4f14fdbc8d3ab1d6b2529d81aec67283853a5f91/detection/f-852815cb00d27b92033852ef4f14fdbc8d3ab1d6b2529d81aec67283853a5f91-1509051013', u'scan_date': u'2017-10-26 20:50:13'}, u'total': 68, u'positives': 61, u'sha256': u'852815cb00d27b92033852ef4f14fdbc8d3ab1d6b2529d81aec67283853a5f91', u'md5': u'ac04a3b820e15e621538aef9f83ade10', u'scans': {u'Bkav': {u'detected': True, u'version': u'1.3.0.9367', u'result': u'W32.MafocenMV.RSF', u'update': u'20171025'}, u'Lionic': {u'detected': True, u'version': u'4.2', u'result': u'Troj.W32.Scar.lCUC', u'update': u'20171026'}, u'MicroWorld-eScan': {u'detected': True, u'version': u'14.0.297.0', u'result': u'Trojan.Agent.CBGZ', u'update': u'20171026'}, u'nProtect': {u'detected': True, u'version': u'2017-10-26.02', u'result': u'Trojan/W32.Agent.844288.Y', u'update': u'20171026'}, u'CMC': {u'detected': True, u'version': u'1.1.0.977', u'result': u'Virus.Win32.Renamer!O', u'update': u'20171026'}, u'CAT-QuickHeal': {u'detected': True, u'version': u'14.00', u'result': u'W32.Pintu.A', u'update': u'20171026'}, u'McAfee': {u'detected': True, u'version': u'6.0.6.653', u'result': u'W32/Tainp.a', u'update': u'20171026'}, u'Malwarebytes': {u'detected': True, u'version': u'2.1.1.1115', u'result': u'Trojan.Injector.DF', 
u'update': u'20171026'}, u'VIPRE': {u'detected': True, u'version': u'61998', u'result': u'Virus.Win32.Pintu.a (v)', u'update': u'20171026'}, u'K7AntiVirus': {u'detected': True, u'version': u'10.29.25057', u'result': u'Virus ( 0040f9341 )', u'update': u'20171026'}, u'K7GW': {u'detected': True, u'version': u'10.29.25057', u'result': u'Virus ( 0040f9341 )', u'update': u'20171026'}, u'TheHacker': {u'detected': True, u'version': u'6.8.0.5.2085', u'result': u'Trojan/AutoRun.Delf.lv', u'update': u'20171024'}, u'Arcabit': {u'detected': True, u'version': u'1.0.0.827', u'result': u'Trojan.Agent.CBGZ', u'update': u'20171026'}, u'TrendMicro': {u'detected': True, u'version': u'9.862.0.1074', u'result': u'WORM_RENAMER.AD', u'update': u'20171026'}, u'Baidu': {u'detected': True, u'version': u'1.0.0.2', u'result': u'Win32.Worm.AutoRun.bu', u'update': u'20171026'}, u'F-Prot': {u'detected': True, u'version': u'4.7.1.166', u'result': u'W32/Autorun.ZF', u'update': u'20171026'}, u'Symantec': {u'detected': True, u'version': u'1.4.0.0', u'result': u'W32.Tapin', u'update': u'20171026'}, u'TotalDefense': {u'detected': True, u'version': u'37.1.62.1', u'result': u'Win32/Pintu.A', u'update': u'20171026'}, u'TrendMicro-HouseCall': {u'detected': True, u'version': u'9.950.0.1006', u'result': u'WORM_RENAMER.AD', u'update': u'20171026'}, u'Paloalto': {u'detected': False, u'version': u'1.0', u'result': None, u'update': u'20171026'}, u'ClamAV': {u'detected': True, u'version': u'0.99.2.0', u'result': u'Win.Virus.Tainp-1', u'update': u'20171026'}, u'Kaspersky': {u'detected': True, u'version': u'15.0.1.13', u'result': u'Virus.Win32.Renamer.j', u'update': u'20171026'}, u'BitDefender': {u'detected': True, u'version': u'7.2', u'result': u'Trojan.Agent.CBGZ', u'update': u'20171026'}, u'NANO-Antivirus': {u'detected': True, u'version': u'1.0.100.19905', u'result': u'Virus.Win32.Renamer.lxyhd', u'update': u'20171026'}, u'ViRobot': {u'detected': False, u'version': u'2014.3.20.0', u'result': None, u'update': 
u'20171026'}, u'Rising': {u'detected': True, u'version': u'25.0.0.1', u'result': u'Trojan.Win32.StealIcon!1.6A68 (CLASSIC)', u'update': u'20171026'}, u'Ad-Aware': {u'detected': True, u'version': u'3.0.3.1010', u'result': u'Trojan.Agent.CBGZ', u'update': u'20171026'}, u'Emsisoft': {u'detected': True, u'version': u'4.0.1.883', u'result': u'Trojan.Agent.CBGZ (B)', u'update': u'20171026'}, u'Comodo': {u'detected': True, u'version': u'27954', u'result': u'TrojWare.Win32.Spy.E', u'update': u'20171026'}, u'F-Secure': {u'detected': True, u'version': u'11.0.19100.45', u'result': u'Trojan.Agent.CBGZ', u'update': u'20171026'}, u'DrWeb': {u'detected': True, u'version': u'7.0.28.2020', u'result': u'Trojan.Siggen6.55368', u'update': u'20171026'}, u'Zillya': {u'detected': True, u'version': u'2.0.0.3415', u'result': u'Adware.BrowseFox.Win32.247786', u'update': u'20171026'}, u'Invincea': {u'detected': True, u'version': u'6.3.1.25473', u'result': u'heuristic', u'update': u'20170914'}, u'McAfee-GW-Edition': {u'detected': True, u'version': u'v2015', u'result': u'BehavesLike.Win32.Gnamer.ch', u'update': u'20171026'}, u'Sophos': {u'detected': True, u'version': u'4.98.0', u'result': u'W32/Renamer-M', u'update': u'20171026'}, u'Ikarus': {u'detected': True, u'version': u'0.1.5.2', u'result': u'Virus.Win32.Renamer', u'update': u'20171026'}, u'Cyren': {u'detected': True, u'version': u'5.4.30.7', u'result': u'W32/Autorun.YQXC-6672', u'update': u'20171026'}, u'Jiangmin': {u'detected': True, u'version': u'16.0.100', u'result': u'Trojan/Genome.axcm', u'update': u'20171026'}, u'Webroot': {u'detected': True, u'version': u'1.0.0.207', u'result': u'W32.Suspicious.Heur', u'update': u'20171026'}, u'Avira': {u'detected': True, u'version': u'8.3.3.6', u'result': u'TR/BAS.Samca.11012785', u'update': u'20171026'}, u'Fortinet': {u'detected': True, u'version': u'5.4.247.0', u'result': u'W32/AutoRun.SOT!tr', u'update': u'20171026'}, u'Antiy-AVL': {u'detected': True, u'version': u'3.0.0.1', u'result': 
u'Virus/Win32.Renamer.j', u'update': u'20171026'}, u'Kingsoft': {u'detected': False, u'version': u'2013.8.14.323', u'result': None, u'update': u'20171026'}, u'Endgame': {u'detected': True, u'version': u'1.1.3', u'result': u'malicious (high confidence)', u'update': u'20171024'}, u'Microsoft': {u'detected': True, u'version': u'1.1.14305.0', u'result': u'Virus:Win32/Grenam.B', u'update': u'20171026'}, u'SUPERAntiSpyware': {u'detected': True, u'version': u'5.6.0.1032', u'result': u'Trojan.Agent/Gen-Pintu', u'update': u'20171026'}, u'ZoneAlarm': {u'detected': True, u'version': u'1.0', u'result': u'Virus.Win32.Renamer.j', u'update': u'20171026'}, u'Avast-Mobile': {u'detected': False, u'version': u'171026-06', u'result': None, u'update': u'20171026'}, u'AhnLab-V3': {u'detected': True, u'version': u'3.10.1.19007', u'result': u'Win32/Unruy.H', u'update': u'20171026'}, u'ALYac': {u'detected': True, u'version': u'1.1.1.2', u'result': u'Trojan.Agent.CBGZ', u'update': u'20171026'}, u'AVware': {u'detected': True, u'version': u'1.5.0.42', u'result': u'Virus.Win32.Pintu.a (v)', u'update': u'20171026'}, u'MAX': {u'detected': True, u'version': u'2017.6.26.1', u'result': u'malware (ai score=86)', u'update': u'20171026'}, u'VBA32': {u'detected': True, u'version': u'3.12.26.4', u'result': u'Virus.Renamer.13219', u'update': u'20171026'}, u'Cylance': {u'detected': True, u'version': u'2.3.1.101', u'result': u'Unsafe', u'update': u'20171026'}, u'WhiteArmor': {u'detected': False, u'version': None, u'result': None, u'update': u'20171024'}, u'Panda': {u'detected': True, u'version': u'4.6.4.2', u'result': u'Trj/Dtcontx.I', u'update': u'20171026'}, u'Zoner': {u'detected': True, u'version': u'1.0', u'result': u'Trojan.Agent', u'update': u'20171026'}, u'ESET-NOD32': {u'detected': True, u'version': u'16308', u'result': u'Win32/AutoRun.Delf.LV', u'update': u'20171026'}, u'Tencent': {u'detected': True, u'version': u'1.0.0.1', u'result': u'Virus.Win32.Renamer.b', u'update': u'20171026'}, u'Yandex': 
{u'detected': False, u'version': u'5.5.1.3', u'result': None, u'update': u'20171025'}, u'SentinelOne': {u'detected': True, u'version': u'1.0.7.157', u'result': u'static engine - malicious', u'update': u'20171019'}, u'eGambit': {u'detected': False, u'version': u'v4.2.4', u'result': None, u'update': u'20171026'}, u'GData': {u'detected': True, u'version': u'A:25.14599B:25.10746', u'result': u'Trojan.Agent.CBGZ', u'update': u'20171026'}, u'AVG': {u'detected': True, u'version': u'17.7.3660.0', u'result': u'Win32:AutoRun-CWJ [Trj]', u'update': u'20171026'}, u'Cybereason': {u'detected': True, u'version': u'0.0.772', u'result': u'malicious.1b8fb7', u'update': u'20170628'}, u'Avast': {u'detected': True, u'version': u'17.7.3660.0', u'result': u'Win32:AutoRun-CWJ [Trj]', u'update': u'20171026'}, u'CrowdStrike': {u'detected': True, u'version': u'1.0', u'result': u'malicious_confidence_100% (D)', u'update': u'20171016'}, u'Qihoo-360': {u'detected': True, u'version': u'1.0.0.1120', u'result': u'HEUR/QVM05.1.C441.Malware.Gen', u'update': u'20171026'}}}}
description Possibly a polymorphic version of itself file {u'size': 844288, u'yara': [{u'strings': [u'Zm9ybWlu'], u'meta': {u'date': u'2021-03-16', u'update': u'2021-04-14', u'description': u'Malicious Packer', u'author': u'r0d'}, u'name': u'Malicious_Packer_Zero', u'offsets': {u'o105': [[428546L, 0]]}}, {u'strings': [u'OUk5UTlZOWE5aTk='], u'meta': {u'date': u'2021-05-31', u'hash': u'b1d319888860b7a6400c5e5099d59e48', u'description': u'Admin Tool Sysinternals', u'author': u'r0d'}, u'name': u'Admin_Tool_IN_Zero', u'offsets': {u's23': [[727645L, 0]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [u'QXV0b21h'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's49': [[360679L, 0], [406976L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'OC05MTk1OTk5PTlBOUU5STlNOVE5VTlZOV05YTllOWk5bTlxOQ==', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o27': [[773411L, 0]], u'o77': [[714200L, 1], [719828L, 1]]}}], u'sha1': u'3c8f801d59898fbf9a8fcc3472b9a6a7032a4192', u'name': u'1495597e370a2fbd_procexp.exe', u'filepath': u'C:\\util\\ProcExp.exe', u'sha512': u'62ce984608070d02573ed916288c0759472208046eab347cd981946301cfee7b05a13c7bf729db16e09612573c360cbaa208f7f6878e20aac29e5b560a87b6c3', u'urls': [], u'crc32': u'E41243A4', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/17048/files/1495597e370a2fbd_procexp.exe', u'ssdeep': u'12288:OwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozET888888888888W8888888J:eNzCtUpQ9WWPBSSRMTEpMNn', u'sha256': u'1495597e370a2fbdbe6394fba5be79889f9b73fed62c34e8c0943d89fbd81d24', u'type': u'PE32 executable (GUI) 
Intel 80386, for MS Windows', u'pids': [1016], u'md5': u'1fd1f699139644119b0df5ab9754f1a6', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description Possibly a polymorphic version of itself file {u'size': 844288, u'yara': [{u'strings': [u'Zm9ybWlu'], u'meta': {u'date': u'2021-03-16', u'update': u'2021-04-14', u'description': u'Malicious Packer', u'author': u'r0d'}, u'name': u'Malicious_Packer_Zero', u'offsets': {u'o105': [[428546L, 0]]}}, {u'strings': [u'OUk5UTlZOWE5aTk='], u'meta': {u'date': u'2021-05-31', u'hash': u'b1d319888860b7a6400c5e5099d59e48', u'description': u'Admin Tool Sysinternals', u'author': u'r0d'}, u'name': u'Admin_Tool_IN_Zero', u'offsets': {u's23': [[727645L, 0]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [u'QXV0b21h'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's49': [[360679L, 0], [406976L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'OC05MTk1OTk5PTlBOUU5STlNOVE5VTlZOV05YTllOWk5bTlxOQ==', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o27': [[773411L, 0]], u'o77': [[714200L, 1], [719828L, 1]]}}], u'sha1': u'c2e6608d96aa55ad01032bcc12594be00c9b2262', u'name': u'23163fab868e5125_python.exe', u'filepath': u'C:\\Python27\\python.exe', u'sha512': u'8dc4efad0dc96cfe8821d987f3fb849e1d7df150d792594c37a4b7f38f44e608ed7bc3bbb7d0e3faa467160cc77ae4ccab423d28b874f5e9162eb37354415f3b', u'urls': [], u'crc32': u'81C98932', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/17048/files/23163fab868e5125_python.exe', u'ssdeep': u'12288:OwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozE/888888888888W8888888J:eNzCtUpQ9WWPBSSRMTEpMNL', u'sha256': u'23163fab868e512573e8cb30c827dd3707942513950608e24c2a237fecf5d3b6', u'type': u'PE32 executable (GUI) 
Intel 80386, for MS Windows', u'pids': [1016], u'md5': u'06a0b571d9f8c42740d5e1e6e55e576d', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description Possibly a polymorphic version of itself file {u'size': 844288, u'yara': [{u'strings': [u'Zm9ybWlu'], u'meta': {u'date': u'2021-03-16', u'update': u'2021-04-14', u'description': u'Malicious Packer', u'author': u'r0d'}, u'name': u'Malicious_Packer_Zero', u'offsets': {u'o105': [[428546L, 0]]}}, {u'strings': [u'OUk5UTlZOWE5aTk='], u'meta': {u'date': u'2021-05-31', u'hash': u'b1d319888860b7a6400c5e5099d59e48', u'description': u'Admin Tool Sysinternals', u'author': u'r0d'}, u'name': u'Admin_Tool_IN_Zero', u'offsets': {u's23': [[727645L, 0]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [u'QXV0b21h'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's49': [[360679L, 0], [406976L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'OC05MTk1OTk5PTlBOUU5STlNOVE5VTlZOV05YTllOWk5bTlxOQ==', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o27': [[773411L, 0]], u'o77': [[714200L, 1], [719828L, 1]]}}], u'sha1': u'07bd6610e70000c1c5db8f566c72761cac99f57b', u'name': u'3a870c4590ed222c_msoxmled.exe', u'filepath': u'C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE12\\MSOXMLED.EXE', u'sha512': u'e37f5e0f2db2a40296c2cacc98b54b3c6f9e985e58503fe859b658ee7e0127c44ebb2476f9c02814074f957088407c623f231fcb39f6b8dbc9c34c8acd04201f', u'urls': [], u'crc32': u'99B4599F', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/17048/files/3a870c4590ed222c_msoxmled.exe', u'ssdeep': u'12288:OwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozEq888888888888W8888888J:eNzCtUpQ9WWPBSSRMTEpMNw', u'sha256': 
u'3a870c4590ed222c79ef8de9500836a3f0e9dcb3f7b6d0576744fe2711bc4c76', u'type': u'PE32 executable (GUI) Intel 80386, for MS Windows', u'pids': [1016], u'md5': u'3298a69fce979c620cad367690a2fc92', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description Possibly a polymorphic version of itself file {u'size': 844288, u'yara': [{u'strings': [u'Zm9ybWlu'], u'meta': {u'date': u'2021-03-16', u'update': u'2021-04-14', u'description': u'Malicious Packer', u'author': u'r0d'}, u'name': u'Malicious_Packer_Zero', u'offsets': {u'o105': [[428546L, 0]]}}, {u'strings': [u'OUk5UTlZOWE5aTk='], u'meta': {u'date': u'2021-05-31', u'hash': u'b1d319888860b7a6400c5e5099d59e48', u'description': u'Admin Tool Sysinternals', u'author': u'r0d'}, u'name': u'Admin_Tool_IN_Zero', u'offsets': {u's23': [[727645L, 0]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [u'QXV0b21h'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's49': [[360679L, 0], [406976L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'OC05MTk1OTk5PTlBOUU5STlNOVE5VTlZOV05YTllOWk5bTlxOQ==', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o27': [[773411L, 0]], u'o77': [[714200L, 1], [719828L, 1]]}}], u'sha1': u'852879a7a5bdb956fa3f4ed42c99562af64a16a6', u'name': u'4beadf0b634feab7_7zfm.exe', u'filepath': u'C:\\Program Files\\7-Zip\\7zFM.exe', u'sha512': u'29c6c63ba82b1c303f4bd4db4db75108dcce3d4854b7b3cdcb021839f322b82473894e1e343337c61a4e3cfcd36f356fcae5524b90cdad88587332e9ff4d4141', u'urls': [], u'crc32': u'4AF09BCB', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/17048/files/4beadf0b634feab7_7zfm.exe', u'ssdeep': u'12288:OwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozE1888888888888W8888888J:eNzCtUpQ9WWPBSSRMTEpMNt', u'sha256': u'4beadf0b634feab7c9f87857472d55a00c71700ddc632a5f184e5bf6d74b58da', u'type': u'PE32 executable (GUI) Intel 80386, for MS Windows', u'pids': [1016], u'md5': u'6fe4579b0c84a36d6a23b1fe579d252e', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description Possibly a polymorphic version of itself file {u'size': 844288, u'yara': [{u'strings': [u'Zm9ybWlu'], u'meta': {u'date': u'2021-03-16', u'update': u'2021-04-14', u'description': u'Malicious Packer', u'author': u'r0d'}, u'name': u'Malicious_Packer_Zero', u'offsets': {u'o105': [[428546L, 0]]}}, {u'strings': [u'OUk5UTlZOWE5aTk='], u'meta': {u'date': u'2021-05-31', u'hash': u'b1d319888860b7a6400c5e5099d59e48', u'description': u'Admin Tool Sysinternals', u'author': u'r0d'}, u'name': u'Admin_Tool_IN_Zero', u'offsets': {u's23': [[727645L, 0]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [u'QXV0b21h'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's49': [[360679L, 0], [406976L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'OC05MTk1OTk5PTlBOUU5STlNOVE5VTlZOV05YTllOWk5bTlxOQ==', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o27': [[773411L, 0]], u'o77': [[714200L, 1], [719828L, 1]]}}], u'sha1': u'886152cab3802033383860a99968f627a34c21ce', u'name': u'2cec7f1cb43d82b2_mini-kms_activator_v1.1_office.2010.vl.eng.exe', u'filepath': u'C:\\util\\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.exe', u'sha512': u'1fd621b429e8b1c553bcd91afed22243dd9db2340c0c54c188c4e13bb88eecaf811c5dcce6cfaa51958ad9930592388a646eb4ac10a3af6168ea6f030b6d0596', u'urls': [], u'crc32': u'5DE9A894', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/17048/files/2cec7f1cb43d82b2_mini-kms_activator_v1.1_office.2010.vl.eng.exe', u'ssdeep': u'12288:OwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozEo888888888888W8888888J:eNzCtUpQ9WWPBSSRMTEpMNC', u'sha256': u'2cec7f1cb43d82b2d9d0288dcbb2fc691661014bf01d3388f98dfa726ba6ad37', u'type': u'PE32 executable (GUI) Intel 80386, for MS Windows', u'pids': [1016], u'md5': u'172a320002ffaa1c4fe602011e05c1c1', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description Possibly a polymorphic version of itself file {u'size': 844288, u'yara': [{u'strings': [u'Zm9ybWlu'], u'meta': {u'date': u'2021-03-16', u'update': u'2021-04-14', u'description': u'Malicious Packer', u'author': u'r0d'}, u'name': u'Malicious_Packer_Zero', u'offsets': {u'o105': [[428546L, 0]]}}, {u'strings': [u'OUk5UTlZOWE5aTk='], u'meta': {u'date': u'2021-05-31', u'hash': u'b1d319888860b7a6400c5e5099d59e48', u'description': u'Admin Tool Sysinternals', u'author': u'r0d'}, u'name': u'Admin_Tool_IN_Zero', u'offsets': {u's23': [[727645L, 0]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [u'QXV0b21h'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's49': [[360679L, 0], [406976L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'OC05MTk1OTk5PTlBOUU5STlNOVE5VTlZOV05YTllOWk5bTlxOQ==', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o27': [[773411L, 0]], u'o77': [[714200L, 1], [719828L, 1]]}}], u'sha1': u'e6c6811750095595f54fd4d94bab5e2688d5b3f6', u'name': u'138705d5f66a7538_dotnet4.5.exe', u'filepath': u'C:\\util\\dotnet4.5.exe', u'sha512': u'6160dae80c2df2eaab5f95d66784a5991f01591ec10a7ac7ffc5a494412d28157df18d2439d106933fb0d7ce204ebfc83d7d86d227af405845c949610ac52dc6', u'urls': [], u'crc32': u'83FCA6FE', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/17048/files/138705d5f66a7538_dotnet4.5.exe', u'ssdeep': u'12288:OwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozEH888888888888W8888888J:eNzCtUpQ9WWPBSSRMTEpMNz', u'sha256': u'138705d5f66a7538dcfdc03089b961c1b486359414ccc9669073397ae1167aa2', u'type': u'PE32 executable (GUI) Intel 80386, for MS Windows', u'pids': [1016], u'md5': u'553ad01faf0e85d1cec0bc0818c9e2ca', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description Possibly a polymorphic version of itself file {u'size': 844288, u'yara': [{u'strings': [u'Zm9ybWlu'], u'meta': {u'date': u'2021-03-16', u'update': u'2021-04-14', u'description': u'Malicious Packer', u'author': u'r0d'}, u'name': u'Malicious_Packer_Zero', u'offsets': {u'o105': [[428546L, 0]]}}, {u'strings': [u'OUk5UTlZOWE5aTk='], u'meta': {u'date': u'2021-05-31', u'hash': u'b1d319888860b7a6400c5e5099d59e48', u'description': u'Admin Tool Sysinternals', u'author': u'r0d'}, u'name': u'Admin_Tool_IN_Zero', u'offsets': {u's23': [[727645L, 0]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [u'QXV0b21h'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's49': [[360679L, 0], [406976L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'OC05MTk1OTk5PTlBOUU5STlNOVE5VTlZOV05YTllOWk5bTlxOQ==', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o27': [[773411L, 0]], u'o77': [[714200L, 1], [719828L, 1]]}}], u'sha1': u'4a1ddf0905d4d2ff8dee0f06f7d780e821fdde9b', u'name': u'868d4581f7c8664a_uninst.exe', u'filepath': u'C:\\Program Files\\HashTab Shell Extension\\uninst.exe', u'sha512': u'99397f8eb7238226a91834e33c36ad0e1dfe26a37cd71a0ccb60d367cbb896166b784a4c4eda232b7df36f95a5322ef2947d6a26a8aeb545fa66e2dd8ba6bad8', u'urls': [], u'crc32': u'4C10BDCB', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/17048/files/868d4581f7c8664a_uninst.exe', u'ssdeep': u'12288:OwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozE2888888888888W8888888J:eNzCtUpQ9WWPBSSRMTEpMNk', u'sha256': u'868d4581f7c8664a46ddf38c0a369524c350d272ae3b4a5794b054111d1a150a', u'type': u'PE32 executable (GUI) Intel 80386, for MS Windows', u'pids': [1016], u'md5': u'd6bd041f02f5fcdd8eabcacdd73e9ec7', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description Possibly a polymorphic version of itself file {u'size': 844288, u'yara': [{u'strings': [u'Zm9ybWlu'], u'meta': {u'date': u'2021-03-16', u'update': u'2021-04-14', u'description': u'Malicious Packer', u'author': u'r0d'}, u'name': u'Malicious_Packer_Zero', u'offsets': {u'o105': [[428546L, 0]]}}, {u'strings': [u'OUk5UTlZOWE5aTk='], u'meta': {u'date': u'2021-05-31', u'hash': u'b1d319888860b7a6400c5e5099d59e48', u'description': u'Admin Tool Sysinternals', u'author': u'r0d'}, u'name': u'Admin_Tool_IN_Zero', u'offsets': {u's23': [[727645L, 0]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [u'QXV0b21h'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's49': [[360679L, 0], [406976L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'OC05MTk1OTk5PTlBOUU5STlNOVE5VTlZOV05YTllOWk5bTlxOQ==', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o27': [[773411L, 0]], u'o77': [[714200L, 1], [719828L, 1]]}}], u'sha1': u'4010357ff0b08290352f28fa4eb499a664ba0e67', u'name': u'1889ccb4720d33af_uninstall.exe', u'filepath': u'C:\\Program Files\\7-Zip\\Uninstall.exe', u'sha512': u'ec6861d064f6888fda3231942a45670266edf7969be0cc2cddb1f0e91850b0946a234fbef2e4e50feed4e7f40a949ca01b9f92daf3e9dd84d31d8975a298ed7c', u'urls': [], u'crc32': u'BDF97055', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/17048/files/1889ccb4720d33af_uninstall.exe', u'ssdeep': u'12288:OwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozET888888888888W8888888J:eNzCtUpQ9WWPBSSRMTEpMNn', u'sha256': u'1889ccb4720d33afeeae3cdbb9db2d7202c2da3d1286bcf0aaa87d2616ebe532', u'type': u'PE32 executable (GUI) Intel 80386, for MS Windows', u'pids': [1016], u'md5': u'9f54e6a5142988df26078e39ae56809a', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description Possibly a polymorphic version of itself file {u'size': 844288, u'yara': [{u'strings': [u'Zm9ybWlu'], u'meta': {u'date': u'2021-03-16', u'update': u'2021-04-14', u'description': u'Malicious Packer', u'author': u'r0d'}, u'name': u'Malicious_Packer_Zero', u'offsets': {u'o105': [[428546L, 0]]}}, {u'strings': [u'OUk5UTlZOWE5aTk='], u'meta': {u'date': u'2021-05-31', u'hash': u'b1d319888860b7a6400c5e5099d59e48', u'description': u'Admin Tool Sysinternals', u'author': u'r0d'}, u'name': u'Admin_Tool_IN_Zero', u'offsets': {u's23': [[727645L, 0]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [u'QXV0b21h'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's49': [[360679L, 0], [406976L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'OC05MTk1OTk5PTlBOUU5STlNOVE5VTlZOV05YTllOWk5bTlxOQ==', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o27': [[773411L, 0]], u'o77': [[714200L, 1], [719828L, 1]]}}], u'sha1': u'5da79e47a8ede39d5e74b77b0174bb51e4798d6a', u'name': u'04f517770bc3ac2a_pip2.exe', u'filepath': u'C:\\Python27\\Scripts\\pip2.exe', u'sha512': u'14d07001105070ccef2da796bffbc8bc692c8054b4390f4d70818af664586badc44779d7cdc64b3e8bffcb270976138ce5ec7db4311a20d259893ad2f6a55198', u'urls': [], u'crc32': u'61A70BC2', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/17048/files/04f517770bc3ac2a_pip2.exe', u'ssdeep': u'12288:OwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozEH888888888888W8888888J:eNzCtUpQ9WWPBSSRMTEpMNz', u'sha256': u'04f517770bc3ac2a5cae10168a6fad983b92c582bb441dd30296052706f8f31e', u'type': u'PE32 executable (GUI) Intel 80386, for MS Windows', u'pids': [1016], u'md5': u'db1cb7225c5582612c0c7d4f8d9be67b', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
description Possibly a polymorphic version of itself file {u'size': 844288, u'yara': [{u'strings': [u'Zm9ybWlu'], u'meta': {u'date': u'2021-03-16', u'update': u'2021-04-14', u'description': u'Malicious Packer', u'author': u'r0d'}, u'name': u'Malicious_Packer_Zero', u'offsets': {u'o105': [[428546L, 0]]}}, {u'strings': [u'OUk5UTlZOWE5aTk='], u'meta': {u'date': u'2021-05-31', u'hash': u'b1d319888860b7a6400c5e5099d59e48', u'description': u'Admin Tool Sysinternals', u'author': u'r0d'}, u'name': u'Admin_Tool_IN_Zero', u'offsets': {u's23': [[727645L, 0]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}, {u'strings': [u'QXV0b21h'], u'meta': {u'date': u'2021-05-13', u'update': u'2021-06-22', u'description': u'UPX packed file', u'author': u'r0d'}, u'name': u'UPX_Zero', u'offsets': {u's49': [[360679L, 0], [406976L, 0]]}}, {u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'OC05MTk1OTk5PTlBOUU5STlNOVE5VTlZOV05YTllOWk5bTlxOQ==', u'R2V0TW9kdWxlRg=='], u'meta': {u'date': u'2021-03-11', u'description': u'Malicious_Library', u'author': u'r0d'}, u'name': u'Malicious_Library_Zero', u'offsets': {u'o27': [[773411L, 0]], u'o77': [[714200L, 1], [719828L, 1]]}}], u'sha1': u'30a056676e9ec08ca87e491309069e0e5a040c87', u'name': u'ff7c626a9699a889_imecfmui.exe', u'filepath': u'C:\\Program Files\\Common Files\\Microsoft Shared\\IME12\\SHARED\\IMECFMUI.EXE', u'sha512': u'62ab6596e6da6f9b54f590cadbae2c4264a7f67c4932939bd74f0172a9fcaf9f3e1763643825635db36935ff74434de20ab800031722bfc56479400b4c4ce764', u'urls': [], u'crc32': u'417A5A6D', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/17048/files/ff7c626a9699a889_imecfmui.exe', u'ssdeep': u'12288:OwCBtLC+EptUpQ9SeSChq3YvxFBSSRMT8PTp4FhozET888888888888W8888888J:eNzCtUpQ9WWPBSSRMTEpMNn', u'sha256': u'ff7c626a9699a8897a030abff9538c73e7c2b41e38d1f4cc92de0132a87cd6f0', u'type': u'PE32 executable (GUI) Intel 80386, for MS Windows', u'pids': [1016], u'md5': u'cb7cb03ea404f5c12ff68a1461339d81', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}
Bkav W32.MafocenMV.RSF
Lionic Virus.Win32.Renamer.lCUC
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
CAT-QuickHeal W32.Grenam.A13
McAfee W32/Tainp.a
Malwarebytes Renamer.Virus.FileInfector.DDS
VIPRE Virus.Win32.Pintu.a (v)
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Virus:Win32/Renamer.40f365fe
K7GW Virus ( 0040f9341 )
K7AntiVirus Virus ( 0040f9341 )
Arcabit Trojan.Generic.D1CB3C30
Baidu Win32.Worm.AutoRun.bu
Cyren W32/Renamer.D.gen!Eldorado
Symantec W32.Tapin
ESET-NOD32 Win32/AutoRun.Delf.LV
APEX Malicious
Paloalto generic.ml
ClamAV Win.Virus.Tainp-1
Kaspersky Virus.Win32.Renamer.j
BitDefender Trojan.Generic.30096432
NANO-Antivirus Virus.Win32.Renamer.lxyhd
ViRobot Win32.Renamer.B
MicroWorld-eScan Trojan.Generic.30096432
Avast Win32:AutoRun-CWJ [Trj]
Tencent Virus.Win32.Renamer.b
Ad-Aware Trojan.Generic.30096432
Sophos ML/PE-A + W32/Renamer-M
Comodo TrojWare.Win32.Spy.E@4pfq97
DrWeb Trojan.DownLoad4.10434
Zillya Adware.BrowseFox.Win32.247786
TrendMicro WORM_RENAMER.AD
McAfee-GW-Edition BehavesLike.Win32.Generic.ch
FireEye Generic.mg.f01f582a8ec6b760
Emsisoft Trojan.Generic.30096432 (B)
Ikarus Virus.Win32.Renamer
Jiangmin Trojan/Genome.axcm
Avira TR/ATRAPS.Gen
Antiy-AVL Trojan/Generic.ASBOL.51
Gridinsoft Trojan.Win32.Delf.ko!s1
Microsoft Virus:Win32/Grenam.B
GData Trojan.Generic.30096432
TACHYON Worm/W32.DP-Renamer.844288
AhnLab-V3 Win32/Unruy.H.X1603
Acronis suspicious
ALYac Trojan.Generic.30096432
MAX malware (ai score=80)
VBA32 Virus.Renamer.13219