Summary | ZeroBOX

New1.exe

Malicious Library, PE32, PE File

Category:  FILE
Machine:   s1_win7_x6401
Started:   March 13, 2023, 9:39 a.m.
Completed: March 13, 2023, 9:42 a.m.

Size:     1.5MB
Type:     PE32 executable (GUI) Intel 80386, for MS Windows
MD5:      1cc0a962c3a1ff3a4adbdcaa49809867
SHA256:   28bb20329cf6024057a4834e899520a55dcc7bb6b22ad783069ab2d1e2124e82
CRC32:    A1395A22
ssdeep:   49152:e0lrax49sKfUSM27mNWx9J7ZfCzOrUhzW:HdXv76GJZfSA
PDB Path: C:\Bebiheti\Yobapa\vekapod vig\Pequihe quab.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

IP Address     Status  Action
164.124.101.2  Active  Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status | Return | Repeated

GetComputerNameW
  computer_name: TEST22-PC
  Status: 1  Return: 1  Repeated: 0
IsDebuggerPresent
  0 0

pdb_path: C:\Bebiheti\Yobapa\vekapod vig\Pequihe quab.pdb
NtProtectVirtualMemory
  process_identifier: 2564
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 1421312
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00810000
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory
  process_identifier: 2564
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 2764800
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x0b070000
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0
section: .text (virtual_address 0x00001000, virtual_size 0x00179157, size_of_data 0x00179200, entropy 7.955287945345839)
  description: A section with a high entropy has been found
entropy: 0.960828025478
  description: Overall entropy of this PE file is high
buffer: Buffer with sha1: 64541cf2ea60e2fa8303d3777481daf66adcbfd9
Vendor            Detection
Elastic           malicious (high confidence)
MicroWorld-eScan  Gen:Variant.Jaik.128687
FireEye           Generic.mg.1cc0a962c3a1ff3a
Cylance           unsafe
Sangfor           Trojan.Win32.Save.a
BitDefenderTheta  Gen:NN.ZexaF.36308.IvX@a0mDL3oi
Symantec          ML.Attribute.HighConfidence
ESET-NOD32        a variant of Win32/GenKryptik.GHIS
APEX              Malicious
Cynet             Malicious (score: 100)
Kaspersky         VHO:Trojan.Win32.Strab.gen
BitDefender       Gen:Variant.Jaik.128687
Emsisoft          Gen:Variant.Jaik.128687 (B)
Trapmine          malicious.moderate.ml.score
ZoneAlarm         VHO:Trojan.Win32.Strab.gen
GData             Gen:Variant.Jaik.128687
Google            Detected
MAX               malware (ai score=83)
VBA32             Malware-Cryptor.Limpopo
Malwarebytes      MachineLearning/Anomalous.95%
Ikarus            Trojan-Ransom.Cerber