popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

New1.exe

Malicious Library UPX OS Processor Check PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us March 8, 2023, 11:04 a.m. March 8, 2023, 11:09 a.m.
Size 1.7MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0492a562ceee12e6db78b77aa191e267
SHA256 3c41412eb5d424cbf29a62862bc2ccc0ba89c32c27e36f5c74a8d16a82fe2331
CRC32 9F07E7FB
ssdeep 49152:Qh4FhhuZD6yJ+aJLSHvg1+Bn3ceAhFkXXVS8DO2F4PNKscRDSsj5xjo0fc8VZK0R:RKze3ns8Cna
PDB Path C:\Notig\viyesi\kor kotejeja pijafepa.pdb
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
jucfgmzjfizh.9m0zcqx1teoe7scwx
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
pdb_path C:\Notig\viyesi\kor kotejeja pijafepa.pdb
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 1486848
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02100000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 2887680
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0ae50000
process_handle: 0xffffffff
1 0 0
name RT_ICON language LANG_ARABIC filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_ARABIC_QATAR offset 0x003c1750 size 0x00000468
name RT_ICON language LANG_ARABIC filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_ARABIC_QATAR offset 0x003c1750 size 0x00000468
name RT_ICON language LANG_ARABIC filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_ARABIC_QATAR offset 0x003c1750 size 0x00000468
name RT_GROUP_ICON language LANG_ARABIC filetype data sublanguage SUBLANG_ARABIC_QATAR offset 0x003c1bb8 size 0x00000030
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000064
process_name: mobsync.exe
process_identifier: 1800
1 1 0

Process32NextW

 snapshot_handle: 0x00000064
process_name: wsqmcons.exe
process_identifier: 792
1 1 0
section {u'size_of_data': u'0x00192400', u'virtual_address': u'0x00001000', u'entropy': 7.906102845536625, u'name': u'.text', u'virtual_size': u'0x001922d0'} entropy 7.90610284554 description A section with a high entropy has been found
entropy 0.952071005917 description Overall entropy of this PE file is high
buffer Buffer with sha1: 64541cf2ea60e2fa8303d3777481daf66adcbfd9
Lionic Trojan.Win32.Generic.4!c
MicroWorld-eScan Gen:Variant.Tedy.307213
FireEye Generic.mg.0492a562ceee12e6
ALYac Gen:Variant.Tedy.307213
Malwarebytes Trojan.Crypt.Generic
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_70% (W)
Alibaba Malware:Win32/km_2c97b41.None
Arcabit Trojan.Tedy.D4B00D
BitDefenderTheta Gen:NN.ZexaE.36308.QvX@aSzV4hmG
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/GenKryptik.GHAA
Cynet Malicious (score: 100)
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Strab.gen
BitDefender Gen:Variant.Tedy.307213
Avast Win32:TrojanX-gen [Trj]
VIPRE Gen:Variant.Tedy.307213
McAfee-GW-Edition Artemis!Trojan
Trapmine malicious.moderate.ml.score
Emsisoft Gen:Variant.Tedy.307213 (B)
SentinelOne Static AI - Suspicious PE
Webroot W32.Trojan.Gen
MAX malware (ai score=80)
Gridinsoft Ransom.Win32.Wacatac.sa
Microsoft Trojan:Win32/Casdet!rfn
ViRobot Trojan.Win.Z.Tedy.1736840
GData Gen:Variant.Tedy.307213
McAfee Artemis!0492A562CEEE
VBA32 BScope.TrojanSpy.Stealer
Cylance unsafe
TrendMicro-HouseCall TROJ_GEN.R002H0DC723
Rising Trojan.Undefined!8.1327C (TFE:5:k3h1PhqnxaE)
AVG Win32:TrojanX-gen [Trj]