Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 21, 2022, 5:42 p.m.	Dec. 21, 2022, 5:48 p.m.

Size	207.0KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`7c151e9e14789c5fdb870541edd8a4e0`
SHA256	`13b97b388624af071d4a68e760f4f1b828c80e627ffdc39d06aacea317e49ade`
CRC32	`E44D91A7`
ssdeep	`6144:Izpmv19cF/p/uwONct43Ep/uwONct43T92USK:ym09pGHNu4UpGHNu4R2USK`
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file

0f5e8774150b7f0120a47909d07dc909.exe "C:\Users\test22\AppData\Local\Temp\0f5e8774150b7f0120a47909d07dc909.exe"
2548
- 0f5e8774150b7f0120a47909d07dc909.exe "C:\Users\test22\AppData\Local\Temp\0f5e8774150b7f0120a47909d07dc909.exe" -h
  2660

Name	Response	Post-Analysis Lookup
xv.yxzgamen.com	A 104.21.27.36 A 172.67.141.51	104.21.27.36

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.141.51	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Dec. 21, 2022, 5:42 p.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 21, 2022, 5:42 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 21, 2022, 5:42 p.m.	stacktrace: 0f5e8774150b7f0120a47909d07dc909+0x18c3 @ 0xeb18c3 0f5e8774150b7f0120a47909d07dc909+0x1227 @ 0xeb1227 0f5e8774150b7f0120a47909d07dc909+0x1fe2 @ 0xeb1fe2 0f5e8774150b7f0120a47909d07dc909+0x293a @ 0xeb293a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 00 8b 00 8b 40 10 8b 55 20 8b 12 c7 44 24 14 exception.symbol: New___wmi___IWbemServices_ExecMethod@32+0x2a3 New___wmi___IWbemServices_ExecMethodAsync@28-0xde exception.instruction: mov eax, dword ptr [eax] exception.module: monitor-x86.dll exception.exception_code: 0xc0000005 exception.offset: 66639 exception.address: 0x734d044f registers.esp: 3602104 registers.edi: 4782276 registers.eax: 0 registers.ebp: 3602560 registers.edx: 3601796 registers.ebx: 0 registers.esi: 1937229608 registers.ecx: 2112880640	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET http://xv.yxzgamen.com/2203.html
request	GET http://xv.yxzgamen.com/logo.png

Foreign language identified in PE resource (31 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036110

size

0x00000128

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036398

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036398

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036398

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036398

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00036398

size

0x00000022

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\db.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\db.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001dc00', u'virtual_address': u'0x00019000', u'entropy': 7.253280171761942, u'name': u'.rsrc', u'virtual_size': u'0x0001e000'}

entropy

7.25328017176

description

A section with a high entropy has been found

entropy

0.577669902913

description

Overall entropy of this PE file is high

Checks for the presence of known windows from debuggers and forensic tools (2 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowW Dec. 21, 2022, 5:42 p.m.	class_name: ConsoleWindowClass window_name:	1	459128	0
FindWindowW Dec. 21, 2022, 5:42 p.m.	class_name: ConsoleWindowClass window_name:	1	196992	0

Uses WMI to create a new process (1 event)

Time & API	Arguments	Status	Return	Repeated
IWbemServices_ExecMethod Dec. 21, 2022, 5:42 p.m.	inargs.CurrentDirectory: None inargs.CommandLine: rundll32.exe "C:\Users\test22\AppData\Local\Temp\db.dll",open inargs.ProcessStartupInformation: None flags: 0 method: Create class: Win32_Process	1	0	0

File has been identified by 53 AntiVirus engines on VirusTotal as malicious (50 out of 53 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Manuscrypt.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.64283876
ClamAV	Win.Dropper.Mokes-9905200-0
FireEye	Generic.mg.7c151e9e14789c5f
CAT-QuickHeal	Backdoor.Manuscrypt
McAfee	Artemis!7C151E9E1478
Cylance	Unsafe
VIPRE	Trojan.GenericKD.64283876
Sangfor	Downloader.Win32.Manuscrypt.Vpdm
K7AntiVirus	Riskware ( 00584baa1 )
Alibaba	Backdoor:Win32/Manuscrypt.1cea0956
K7GW	Riskware ( 00584baa1 )
Cybereason	malicious.560634
Cyren	W32/ABRisk.TGRO-4801
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.GPC
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	Backdoor.Win32.Manuscrypt.cd
BitDefender	Trojan.GenericKD.64283876
Avast	Win32:DropperX-gen [Drp]
Tencent	Malware.Win32.Gencirc.10bdb34b
Ad-Aware	Trojan.GenericKD.64283876
Emsisoft	Trojan.GenericKD.64283876 (B)
F-Secure	Trojan.TR/Dldr.Agent.bdosp
TrendMicro	TROJ_GEN.R002C0DLE22
McAfee-GW-Edition	RDN/Generic BackDoor
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
Jiangmin	Backdoor.Manuscrypt.ai
Avira	TR/Dldr.Agent.bdosp
Antiy-AVL	Trojan/Win32.Sabsik
Kingsoft	Win32.Hack.Undef.(kcloud)
Microsoft	Trojan:Win32/Manuscrypt.NEAA!MTB
Gridinsoft	Ransom.Win32.Sabsik.sa
Arcabit	Trojan.Generic.D3D4E4E4
ZoneAlarm	Backdoor.Win32.Manuscrypt.cd
GData	Win32.Trojan.PSE.1W9RM85
Google	Detected
AhnLab-V3	Trojan/Win.Vigorf.C5326147
VBA32	BScope.Backdoor.Manuscrypt
ALYac	Trojan.GenericKD.64283876
MAX	malware (ai score=83)
Malwarebytes	Trojan.Downloader
TrendMicro-HouseCall	TROJ_GEN.R002C0DLE22
Rising	Backdoor.Manuscrypt!8.110D5 (TFE:5:jNquyQxW7cL)
Ikarus	Trojan-Downloader.Win32.Agent
Fortinet	W32/PossibleThreat

0f5e8774150b7f0120a47909d07dc909.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All