popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

werfer.exe

Generic Malware UPX PE32 PE File .NET EXE
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Nov. 17, 2021, 7:45 a.m. Nov. 17, 2021, 8:22 a.m.
Size 34.9KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 c621ac54b1b9e74991047eb747c7c952
SHA256 ac33fef4a1fd900879b94ed718faae717c2a7fffe6f6b1f9974037b2c3462dab
CRC32 C7134674
ssdeep 768:Jfh3Vb2pFp5gjevguIqt2HTsUgkxOfz5zkRhM:J53Vb2pFp5gyoVqewWOfWY
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)
  • Is_DotNET_EXE - (no description)
  • UPX_Zero - UPX packed file
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00760000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73942000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b20000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00432000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0044c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00750000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00465000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0046b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00467000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0043a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Lionic Trojan.MSIL.Stealer.i!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.47405528
FireEye Trojan.GenericKD.47405528
McAfee GenericRXNL-FC!C621AC54B1B9
Cylance Unsafe
Alibaba Trojan:MSIL/DangerousSig.ebf3ecaa
K7GW Riskware ( 0040eff71 )
Cyren W32/MSIL_Kryptik.CKI.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/TrojanDownloader.Agent.JKP
TrendMicro-HouseCall Trojan.MSIL.WOREFLINT.USMANKF21
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.MSIL.Stealer.gen
BitDefender Trojan.GenericKD.47405528
Ad-Aware Trojan.GenericKD.47405528
Sophos Mal/Generic-S
TrendMicro Trojan.MSIL.WOREFLINT.USMANKF21
McAfee-GW-Edition GenericRXNL-FC!C621AC54B1B9
Emsisoft Trojan.GenericKD.47405528 (B)
Ikarus Trojan-Downloader.MSIL.Discord
Kingsoft Win32.PSWTroj.Undef.(kcloud)
Microsoft Trojan:MSIL/AgentTesla.SSS!MTB
GData Win32.Trojan.Agent.5IN11S
Malwarebytes Trojan.Downloader.MSIL.Generic
APEX Malicious
MAX malware (ai score=84)
Fortinet MSIL/Agent.JKP!tr.dldr
AVG Win32:DangerousSig [Trj]
Avast Win32:DangerousSig [Trj]
CrowdStrike win/malicious_confidence_80% (W)