Summary | ZeroBOX

mi1_yjdzfg.exe

Malicious Library PE64 PE File
Category FILE
Machine s1_win7_x6401
Started Nov. 5, 2021, 6:26 p.m.
Completed Nov. 5, 2021, 6:28 p.m.
Size 6.9MB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 d8cf58004f66339acefc2b6f1c6ecdc8
SHA256 8ff340bd6201a5fe37594d4c5257729d42a9030a22566999b123a7f2c783590b
CRC32 F6986BDC
ssdeep 196608:FLvl5PCjXPPMGHMZnliZSBqmBPkShDyE8:j5Pks6MZnmSUm2Shk
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
section .rrt0
section .rrt1
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: 90 68 be 1f 98 86 e8 fe ba 09 00 68 54 79 75 3d
exception.instruction: nop
exception.module: mi1_yjdzfg.exe
exception.exception_code: 0x80000004
exception.offset: 11372072
exception.address: 0xed8628
registers.r14: 0
registers.r15: 0
registers.rcx: 256
registers.rsi: 0
registers.r10: -1983518080
registers.rbx: 0
registers.rsp: 1244960
registers.r11: 84
registers.r8: 655420
registers.r9: 43840
registers.rdx: 41
registers.r12: 0
registers.rbp: 1244976
registers.rdi: 0
registers.rax: 959918909
registers.r13: 0
1 0 0

__exception__

stacktrace:
RtlUnwindEx+0x1e1 RtlRaiseException-0xd8f ntdll+0x187d1 @ 0x774787d1
VerSetConditionMask+0x7f4 DbgPrint-0xcc ntdll+0x157c4 @ 0x774757c4
RtlDecodePointer+0xbd NtdllDefWindowProc_W-0x139f ntdll+0x29d0d @ 0x77489d0d
RtlUnwindEx+0xbbf RtlRaiseException-0x3b1 ntdll+0x191af @ 0x774791af
New_ntdll_RtlDispatchException+0x154 New_ntdll_RtlRemoveVectoredContinueHandler-0x33 @ 0x740c6df1
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x774b1278

exception.instruction_r: 48 8b 00 4a 89 44 cd 78 48 83 85 98 00 00 00 08
exception.symbol: RtlUnwindEx+0x1e1 RtlRaiseException-0xd8f ntdll+0x187d1
exception.instruction: mov rax, qword ptr [rax]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 100305
exception.address: 0x774787d1
registers.r14: 429503414320
registers.r15: 15481540334649395
registers.rcx: 0
registers.rsi: 33495998976491630
registers.r10: 0
registers.rbx: 32369935857352819
registers.rsp: 1246592
registers.r11: 1239520
registers.r8: 0
registers.r9: 5
registers.rdx: 2001076224
registers.r12: 28710924373393519
registers.rbp: 32651513917341807
registers.rdi: 29555246219788404
registers.rax: 32651513917341807
registers.r13: 32088572553658445
1 0 0
section .rrt1 (size_of_data 0x006e9400, virtual_address 0x0053f000, virtual_size 0x006e923c, entropy 7.9389071189) description A section with a high entropy has been found
entropy 0.999858717152 description Overall entropy of this PE file is high
Lionic Trojan.Multi.Generic.4!c
Cybereason malicious.73ad48
Symantec Trojan.Gen.2
ESET-NOD32 a variant of Win64/Packed.VMProtect.NM
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
FireEye Generic.mg.d8cf58004f66339a
Sophos Mal/Generic-S
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft Trojan.Heur!.02296123
Microsoft Trojan:Win32/Tnega!ml
Cynet Malicious (score: 100)
McAfee Artemis!D8CF58004F66
Cylance Unsafe
eGambit Unsafe.AI_Score_80%
CrowdStrike win/malicious_confidence_70% (W)