Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 5, 2022, 9:49 a.m.	Dec. 5, 2022, 9:51 a.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d1e2721997a49175744d36d9eaa2a946`
SHA256	`d31658e0fec53c1d98100d576418bbd1c1d3da46ce4aeadc181827a63ccd973a`
CRC32	`2AFB70D9`
ssdeep	`24576:GRcq0pCim0ecOnj10vcmwvMP+JQt8mLkhAjl+ANnvddoeVdbx:G/i9inj1a9HRttLCAj1nFS+5x`
PDB Path	C:\Xiv quey\quokigew\Jipodew\qua.pdb
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

Name	Response	Post-Analysis Lookup
gem9twla6xbkkmlk0pnbh5yosth2xrxe.8mzefdh7t

IP Address	Status	Action
164.124.101.2	Active	Moloch

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Dec. 5, 2022, 9:49 a.m.	computer_name: TEST22-PC	1	1	0

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 5, 2022, 9:49 a.m.			0	0

pdb_path

C:\Xiv quey\quokigew\Jipodew\qua.pdb

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 5, 2022, 9:49 a.m.	process_identifier: 2556 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 5, 2022, 9:49 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 5, 2022, 9:49 a.m.	process_identifier: 2556 region_size: 1175552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 5, 2022, 9:49 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 2859008 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0c9d0000 process_handle: 0xffffffff	1

section

{u'size_of_data': u'0x00135400', u'virtual_address': u'0x00001000', u'entropy': 7.983301508677345, u'name': u'.text', u'virtual_size': u'0x0013533b'}

entropy

7.98330150868

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0002d400', u'virtual_address': u'0x00356000', u'entropy': 7.475655593850992, u'name': u'.rsrc', u'virtual_size': u'0x0002d340'}

entropy

7.47565559385

description

A section with a high entropy has been found

entropy

0.963970088375

description

Overall entropy of this PE file is high

buffer

Buffer with sha1: 455817761982f168e8d92ea0cc3159773974c0e2

Bkav	W32.AIDetect.malware2
McAfee	Artemis!D1E2721997A4
Malwarebytes	MachineLearning/Anomalous.97%
K7AntiVirus	Unwanted-Program ( 004d2a1d1 )
K7GW	Unwanted-Program ( 004d2a1d1 )
Elastic	malicious (high confidence)
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
Rising	Trojan.Generic@AI.84 (RDML:Untt50UqvF7oJgSiHEV1IQ)
McAfee-GW-Edition	Artemis!Trojan
FireEye	Generic.mg.d1e2721997a49175
ZoneAlarm	UDS:DangerousObject.Multi.Generic
VBA32	BScope.TrojanDownloader.Zlob
MaxSecure	Trojan.Malware.300983.susgen
BitDefenderTheta	Gen:NN.ZexaF.36106.CvX@amLRCsOi

spacemen.exe