Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 2, 2021, 11:38 a.m.	Nov. 2, 2021, 11:44 a.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`353bbe59184e2235c71991c24de394d9`
SHA256	`458b8d841b5edb574a9ebfb6e3ad1d6a92b53dd2b0ecb12e4471328bfce73dda`
CRC32	`41956DB2`
ssdeep	`24576:rFT8JX3rtOfzZLZfpXbjBE4OykY4B+SwL2tmoRJo4MXLQ8vx2JaS2Crpc+Wa1It:RnzZjj9UIS3tjAGJ11I`
Yara	Malicious_Packer_Zero - Malicious Packer Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

AAAA.exe "C:\Users\test22\AppData\Local\Temp\AAAA.exe"
2772

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
182.162.106.104	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 2, 2021, 11:38 a.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 2, 2021, 11:38 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.itext
section	.didata

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 2, 2021, 11:38 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cf2000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Nov. 2, 2021, 11:38 a.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (3 events)

name

RT_ICON

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x0018650c

size

0x00000ea8

name

RT_GROUP_ICON

language

LANG_KOREAN

filetype

data

sublanguage

SUBLANG_KOREAN

offset

0x001952cc

size

0x00000014

name

RT_MANIFEST

language

LANG_KOREAN

filetype

XML 1.0 document, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_KOREAN

offset

0x001952e0

size

0x00000244

Communicates with host for which no DNS query was performed (1 event)

host

182.162.106.104

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.353bbe59184e2235
Cylance	Unsafe
Sangfor	Virus.Win32.Save.a
K7AntiVirus	Trojan ( 7000000f1 )
K7GW	Trojan ( 7000000f1 )
BitDefenderTheta	Gen:NN.ZelphiF.34236.IPW@aC7JA@dO
ESET-NOD32	a variant of Win32/Urelas.BF
Ikarus	Hoax.Win32.ArchSMS
Avira	TR/Crypt.XPACK.Gen8
Cynet	Malicious (score: 99)
VBA32	TScope.Trojan.Delf
Malwarebytes	MachineLearning/Anomalous.100%
Rising	Malware.Heuristic!ET#81% (RDMK:cmRtazrNSf5uBJB4GPVqpnKebXtL)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Urelas.BF!tr
Cybereason	malicious.99fd27

AAAA.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All