Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.20 09:11
mainbas.bat
11.20 09:11
dll007.dll
11.20 09:11
exe004.exe
11.20 09:11
exe010.exe
11.20 09:11
blecher.exe
11.20 09:11
GetAdapterInfo.exe
11.20 09:11
dll004.dll
11.20 09:11
dll008.dll
11.20 09:11
bestthingsalwaysgetbes...
11.20 09:11
DKM-9067291.pdf.lnk

Latest News
11.21 02:11
Detecting Pacific Rim ...
11.21 02:11
Senate Hearing Highlig...
11.21 02:11
Over 21K Equinox patie...
11.21 02:11
Misconfigured Jupyter ...
11.21 02:11
Meow, INC Ransom gangs...
11.21 02:11
Alleged Finastra breac...
11.21 02:11
Progress Kemp LoadMast...
11.21 02:11
GAO finds gaps in TSA'...
11.21 02:11
IT Sicherheitsnews stü...
11.21 02:11
Don't Get In the Way o...

Summary | ZeroBOX

winbox.exe

Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 18, 2021, 1:58 p.m.	Nov. 18, 2021, 2:01 p.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`d6b53ece8c20cf28f16303c1e79bd51c`
SHA256	`6f1aca95db1e7e20fada011cb594fd2aa32665003df111413f8de351cf9bc211`
CRC32	`81CE10A0`
ssdeep	`49152:C3/YW2+3loiYH+hTg2KKU9RgH5ND0R5MCjA+M:C3/z2qii7CjA+M`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

winbox.exe "C:\Users\test22\AppData\Local\Temp\winbox.exe"
2148

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 18, 2021, 1:58 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 18, 2021, 1:58 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

STRING

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 18, 2021, 1:58 p.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74622000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 18, 2021, 1:58 p.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741c3000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 18, 2021, 1:58 p.m.	flags: 16 family: 2	1	0	0