popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

putty.exe

Malicious Library UPX PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 March 20, 2023, 9:39 a.m. March 20, 2023, 10:13 a.m.
Size 1.6MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 503ad71c49fe0f7ad1a9fac50a6a3d66
SHA256 94734c499154c5dcc0c678e2ff3ee97ed627eaafc725dd71af725435e24b5bb6
CRC32 4EAD783C
ssdeep 24576:8LqHSHFpNBABT09QmydSOsMEKW/a0RIpXCWwCKDmQh3H9B1FlcacOui2ZWxNUC2H:0NBrK6vK3S8WHT1F1uv2NEXpKOYc
PDB Path C:\Yipotevi tijoked\yofe\Risi-lavicag yewige\Votor\kejeroso hixe fesa.pdb
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
mbpt7jswbgqvk.yj7yhi0unk2ylqxqho6
IP Address Status Action
121.254.136.57 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
pdb_path C:\Yipotevi tijoked\yofe\Risi-lavicag yewige\Votor\kejeroso hixe fesa.pdb
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 1458176
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02320000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2616
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 3379200
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0c020000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000064
process_name: mobsync.exe
process_identifier: 2276
1 1 0

Process32NextW

 snapshot_handle: 0x00000064
process_name: putty.exe
process_identifier: 2616
1 1 0
section {u'size_of_data': u'0x00188000', u'virtual_address': u'0x00001000', u'entropy': 7.939512335238815, u'name': u'.text', u'virtual_size': u'0x00187ee0'} entropy 7.93951233524 description A section with a high entropy has been found
entropy 0.950303030303 description Overall entropy of this PE file is high
buffer Buffer with sha1: 8c5f2b5469e8ebf27c1502a7c82ce591b1b6a60b
host 121.254.136.57
MicroWorld-eScan Gen:Variant.Fragtor.234876
FireEye Generic.mg.503ad71c49fe0f7a
Malwarebytes MachineLearning/Anomalous.95%
Sangfor Trojan.Win32.Kryptik.V8hh
CrowdStrike win/malicious_confidence_90% (D)
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/GenKryptik.GHUE
Kaspersky UDS:DangerousObject.Multi.Generic
Rising Trojan.Strab!8.12D03 (TFE:5:iGNAP8e4kjN)
Trapmine malicious.moderate.ml.score
Ikarus Trojan.Crypter
Jiangmin Trojan.Slepak.cl
Google Detected
Microsoft Program:Win32/Wacapew.C!ml
Cynet Malicious (score: 100)
MAX malware (ai score=80)
VBA32 Malware-Cryptor.Limpopo
Cylance unsafe
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Kryptik.EFKJ!tr
AVG Win32:TrojanX-gen [Trj]
Avast Win32:TrojanX-gen [Trj]