Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 14, 2021, 5:17 p.m.	Oct. 14, 2021, 5:19 p.m.

Size	1.9MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`481cc004b81afcb1ec10bb9985cc402b`
SHA256	`589dcfea6f854dbc578b8fb3a4e65217137630f93cae05e3248942821947c02a`
CRC32	`A19F5B18`
ssdeep	`49152:utPKiXai6uqwoc8ZAgddkN9TD0GcIXfkRt2jN474os4:IB16uqwbGbduYKfWyNu4D`
Yara	Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

dow.exe "C:\Users\test22\AppData\Local\Temp\dow.exe"
2232

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x001efc00', u'virtual_address': u'0x00002000', u'entropy': 7.999864782430742, u'name': u'.rdata', u'virtual_size': u'0x001efa87'}

entropy

7.99986478243

description

A section with a high entropy has been found

entropy

0.997986914947

description

Overall entropy of this PE file is high

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 14, 2021, 5:10 p.m.	process_identifier: 2072 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000002c	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2232 manipulating memory of non-child process 2072
NtAllocateVirtualMemory Oct. 14, 2021, 5:10 p.m.	process_identifier: 2072 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000000000002c	1	0	0

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.InjectNET.14
MicroWorld-eScan	Trojan.GenericKDZ.78431
FireEye	Generic.mg.481cc004b81afcb1
ALYac	Trojan.GenericKDZ.78431
Cylance	Unsafe
K7GW	Trojan ( 005886841 )
Arcabit	Trojan.Generic.D1325F
Cyren	W64/Donut.A.gen!Eldorado
ESET-NOD32	a variant of Win32/Agent_AGen.AP
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKDZ.78431
Avast	Win64:TrojanX-gen [Trj]
Tencent	Win32.Trojan.Generic.Pbfo
Ad-Aware	Trojan.GenericKDZ.78431
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Redcap.qhija
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.Agent (A)
Jiangmin	Trojan.Donut.hw
Avira	TR/Redcap.qhija
Antiy-AVL	Trojan/Win64.Donut
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.GenericKDZ.78431
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.Generic.R444169
McAfee	Artemis!481CC004B81A
MAX	malware (ai score=81)
Malwarebytes	Trojan.Agent.Generic
eGambit	Unsafe.AI_Score_99%
Fortinet	W64/AgentAGen.AP!tr
AVG	Win64:TrojanX-gen [Trj]

dow.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All