Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 23, 2023, 1:01 p.m.	March 23, 2023, 1:07 p.m.

Size	537.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f0a2d9e0876b2de2d5f5b7936a299e9f`
SHA256	`b58bb6c824428bcd5c0aa524de71455f92fb2d063eb94a86b74b99c39e151a0c`
CRC32	`ECF066E3`
ssdeep	`12288:e8WG7Smm7vPfLEzGljR+prwvpOXOJUzs+Qr:FwfozGlUmxO+JlD`
PDB Path	C:\cavodeyi\17\bimorupij\daca_nokujib2 fusujoxu.pdb
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature

LowesDistillery.exe "C:\Users\test22\AppData\Local\Temp\LowesDistillery.exe"
800

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\cavodeyi\17\bimorupij\daca_nokujib2 fusujoxu.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 23, 2023, 1:01 p.m.	process_identifier: 800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 339968 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bec000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 23, 2023, 1:01 p.m.	process_identifier: 800 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00061a00', u'virtual_address': u'0x00001000', u'entropy': 7.925091411643854, u'name': u'.text', u'virtual_size': u'0x00061976'}

entropy

7.92509141164

description

A section with a high entropy has been found

entropy

0.727865796831

description

Overall entropy of this PE file is high

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Convagent.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.Siggen20.13578
MicroWorld-eScan	Gen:Variant.Mikey.145851
CAT-QuickHeal	Ransom.Stop.P5
McAfee	Artemis!F0A2D9E0876B
Cylance	unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 0056d16b1 )
Alibaba	Trojan:Win32/Kryptik.00bca450
K7GW	Trojan ( 0056d16b1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Mikey.D239BB
Cyren	W32/Kryptik.JFR.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Kryptik.HTBZ
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packer.pkr_ce1a-9980177-0
Kaspersky	HEUR:Backdoor.Win32.Mokes.gen
BitDefender	Gen:Variant.Mikey.145851
NANO-Antivirus	Trojan.Win32.Kryptik.jvgyjs
Avast	Win32:RansomX-gen [Ransom]
Tencent	Win32.Backdoor.Mokes.Dplw
Sophos	Troj/Krypt-VZ
F-Secure	Trojan.TR/Kryptik.avnqd
VIPRE	Gen:Variant.Mikey.145851
TrendMicro	TrojanSpy.Win32.REDLINE.YXDCTZ
McAfee-GW-Edition	BehavesLike.Win32.Lockbit.hc
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.f0a2d9e0876b2de2
Emsisoft	Gen:Variant.Mikey.145851 (B)
Ikarus	Trojan-Ransom.GandCrab
Avira	TR/Kryptik.avnqd
MAX	malware (ai score=81)
Antiy-AVL	Trojan/Win32.GenKryptik
Gridinsoft	Ransom.Win32.Gen.bot
Microsoft	Trojan:Win32/Redline.GFV!MTB
ZoneAlarm	HEUR:Backdoor.Win32.Mokes.gen
GData	Gen:Variant.Mikey.145851
Google	Detected
AhnLab-V3	Trojan/Win.PWSX-gen.R564225
Acronis	suspicious
VBA32	BScope.Trojan.Denes
ALYac	Gen:Variant.Mikey.145851
Malwarebytes	Trojan.MalPack.GS
TrendMicro-HouseCall	TrojanSpy.Win32.REDLINE.YXDCTZ

LowesDistillery.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All