Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 9, 2021, 6:38 p.m.	Nov. 9, 2021, 6:40 p.m.

Size	717.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`517b1aedc5ab6a19a134f50833d3c059`
SHA256	`83445f4b600c6400917320e91478b8d634213a814463b611f6904a213cdb1f7c`
CRC32	`2526CCF4`
ssdeep	`12288:SQlW92PdjP8Dvk+eynOZOgvWcTIEVfziUquNlFT8HEky9c1Rxp:SQlPPdjP8LkByOZmGIEFziU7N0H8Wv`
PDB Path	C:\ritifegu66\heked_vepayayemegi-63\kuyubesase\kijoxemivica.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

setup-1.0.2_win.exe "C:\Users\test22\AppData\Local\Temp\setup-1.0.2_win.exe"
2380

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\ritifegu66\heked_vepayayemegi-63\kuyubesase\kijoxemivica.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.venuz

The file contains an unknown PE resource name possibly indicative of a packer (4 events)

resource name	CIDAFICUDUROSOTAROM
resource name	VESURAGOSAG
resource name	VIDIWAYAPENIGU
resource name	YONAMIKORUFENI

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 9, 2021, 6:38 p.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 507904 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d82000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Nov. 9, 2021, 6:38 p.m.	process_identifier: 2380 region_size: 872448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0009b200', u'virtual_address': u'0x00001000', u'entropy': 7.8497652850788295, u'name': u'.text', u'virtual_size': u'0x0009b142'}

entropy

7.84976528508

description

A section with a high entropy has been found

entropy

0.866620111732

description

Overall entropy of this PE file is high

setup-1.0.2_win.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All