Summary | ZeroBOX

ContinentGroufs.exe

Tags: Malicious Library, UPX, OS Processor Check, PE32, PE File
Category: FILE
Machine: s1_win7_x6401
Started: April 4, 2023, 5:11 p.m.
Completed: April 4, 2023, 5:19 p.m.
Size: 385.0KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7b789842cbf26efdbe8a0c4d33a1745d
SHA256: e5feb52b6df5e2c861badea1ad91c4841a3c61478c8734c91e6941c8bc2f4be8
CRC32: D750F527
ssdeep: 6144:DZ0bnEWkGcIB06DWVcTD9icclND7ttBSkwavuozh3j2RvzlFOGwTfm:DZKnEWeIBvEcTEc8DDBPwDUivz3Im
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

DNS (Name / Response / Post-Analysis Lookup): No hosts contacted.
Hosts (IP Address / Status / Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

PE resource names: ROVOJIMINO, SIGUJIMABAKEKOREM, None
Time & API / Arguments / Status / Return / Repeated

NtProtectVirtualMemory
  process_identifier: 2548
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 188416
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x02ccc000
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0

NtAllocateVirtualMemory
  process_identifier: 2548
  region_size: 307200
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x003a0000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0
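The two calls above are the pattern a sandbox signature keys on: the process asks for executable-and-writable memory in its own address space (process_handle 0xffffffff is the GetCurrentProcess() pseudo-handle on 32-bit Windows) and then re-protects an existing region the same way. The following Python is an added example, not ZeroBOX code: it decodes the PAGE_* and MEM_* constants and runs a self-unpacking detection over a constructed list of call records shaped like the report's entries (the third, PAGE_READWRITE record is a constructed benign control and is not from the report).

```python
# Protection and allocation constants from winnt.h.
PROTECTION_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MODIFIER_NAMES = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
WRITE_AND_EXEC = (0x40, 0x80)          # writable and executable at the same time
MEM_COMMIT = 0x1000
CURRENT_PROCESS = 0xFFFFFFFF           # GetCurrentProcess() pseudo-handle, 32-bit

# Constructed call records mirroring the report's two entries plus one benign control.
SAMPLE_CALLS = [
    {"api": "NtProtectVirtualMemory", "status": 1, "return": 0, "repeated": 0,
     "arguments": {"process_identifier": 2548, "heap_dep_bypass": 1, "length": 188416,
                   "protection": 64, "base_address": 0x02CCC000,
                   "process_handle": CURRENT_PROCESS}},
    {"api": "NtAllocateVirtualMemory", "status": 1, "return": 0, "repeated": 0,
     "arguments": {"process_identifier": 2548, "region_size": 307200, "protection": 64,
                   "base_address": 0x003A0000, "allocation_type": MEM_COMMIT,
                   "process_handle": CURRENT_PROCESS}},
    {"api": "NtAllocateVirtualMemory", "status": 1, "return": 0, "repeated": 0,   # control
     "arguments": {"process_identifier": 2548, "region_size": 65536, "protection": 4,
                   "base_address": 0x00500000, "allocation_type": MEM_COMMIT,
                   "process_handle": CURRENT_PROCESS}},
]


def describe_protection(value: int) -> str:
    """Render a protection DWORD as its base PAGE_* name plus any modifier bits."""
    base = PROTECTION_NAMES.get(value & 0xFF, f"0x{value & 0xFF:x}")
    mods = [name for bit, name in MODIFIER_NAMES.items() if value & bit]
    return "|".join([base] + mods)


def flag_self_unpacking(calls: list) -> list:
    """Flag successful calls that make memory in the caller's own process both
    writable and executable: an RWX commit, or a re-protect of an existing region."""
    findings = []
    for call in calls:
        args = call["arguments"]
        if call.get("status") != 1 or args.get("process_handle") != CURRENT_PROCESS:
            continue   # failed calls, and cross-process handles (injection), are out of scope here
        prot = args.get("protection", 0)
        if (prot & 0xFF) not in WRITE_AND_EXEC:
            continue
        if call["api"] == "NtAllocateVirtualMemory" and args.get("allocation_type", 0) & MEM_COMMIT:
            reason, size = "commit of W+X memory", args["region_size"]
        elif call["api"] == "NtProtectVirtualMemory":
            reason, size = "existing region re-protected W+X", args["length"]
            if args.get("heap_dep_bypass"):
                reason += " (heap region)"
        else:
            continue
        findings.append({"api": call["api"], "pid": args["process_identifier"],
                         "base": args["base_address"], "size": size,
                         "protection": describe_protection(prot), "reason": reason})
    return findings


def rwx_bytes(calls: list) -> int:
    """Total bytes the process turned writable+executable in its own address space."""
    return sum(f["size"] for f in flag_self_unpacking(calls))


if __name__ == "__main__":
    for f in flag_self_unpacking(SAMPLE_CALLS):
        print(f"pid {f['pid']} {f['api']} base=0x{f['base']:08x} size={f['size']} "
              f"{f['protection']}: {f['reason']}")
    print("W+X bytes:", rwx_bytes(SAMPLE_CALLS))
```

The same-process filter matters: the report's `process_handle: 0xffffffff` is what separates a packer unpacking itself (this sample) from a remote-process write, which a separate injection signature would cover.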
section: name .data; virtual_address 0x0001d000; virtual_size 0x02759f68; size_of_data 0x0002e600; entropy 7.9727184099; description: A section with a high entropy has been found
entropy 0.483072916667; description: Overall entropy of this PE file is high
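The two static hits above come from the section table: a `.data` section whose raw bytes are near the 8.0 entropy ceiling while its virtual_size (0x02759f68) is hundreds of times its size_of_data (0x0002e600), which is what a packed image looks like before it expands itself in memory. The Python below is an added example, not ZeroBOX's signature code: a stdlib-only section-table parser, per-section Shannon entropy, the high-entropy-section and overall-ratio checks, and a virtual/raw bloat check. It runs on a constructed minimal PE32 image (not the analysed sample) whose `.data` reuses the report's virtual_size. The thresholds 7.0, 0.2 and the bloat factor 4 are assumptions for this example, not ZeroBOX's values.

```python
import math
import random
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0 (the scale the report uses)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "size_of_data": rawsize, "entropy": shannon_entropy(raw),
        })
    return sections


def packer_indicators(pe: bytes, entropy_threshold=7.0, ratio_threshold=0.2, bloat_factor=4) -> dict:
    """High-entropy sections, share of raw data that is high-entropy, and sections whose
    virtual_size dwarfs their raw size (filled in at run time). Thresholds are assumptions."""
    sections = parse_sections(pe)
    total = sum(s["size_of_data"] for s in sections)
    high = [s for s in sections if s["entropy"] >= entropy_threshold]
    ratio = sum(s["size_of_data"] for s in high) / total if total else 0.0
    bloated = [s for s in sections
               if s["size_of_data"] and s["virtual_size"] > bloat_factor * s["size_of_data"]]
    return {"sections": sections, "high_entropy": [s["name"] for s in high],
            "compressed_ratio": ratio, "overall_high": ratio > ratio_threshold,
            "bloated": [s["name"] for s in bloated]}


def build_sample_pe(sections=None) -> bytes:
    """Constructed minimal PE32 image: a flat .text plus a high-entropy .data whose
    virtual_size copies the report's 0x02759f68. Headers beyond what the parser reads are zero."""
    if sections is None:
        rng = random.Random(2023)   # deterministic pseudo-random payload
        sections = [(".text", b"\x90" * 4096, 4096),
                    (".data", bytes(rng.getrandbits(8) for _ in range(4096)), 0x02759F68)]
    e_lfanew, opt_size = 0x80, 0xE0          # PE32 optional header is 0xE0 bytes
    nsect = len(sections)
    raw_ptr = (e_lfanew + 4 + 20 + opt_size + 40 * nsect + 0x1FF) & ~0x1FF   # 0x200-aligned
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, opt_size, 0x0102)  # i386, EXE
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")                    # PE32 magic only
    table, body, vaddr = b"", b"", 0x1000
    for name, raw, vsize in sections:
        table += struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
        vaddr += (vsize + 0xFFF) & ~0xFFF
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + body


if __name__ == "__main__":
    result = packer_indicators(build_sample_pe())
    for s in result["sections"]:
        print(f"{s['name']:<8} raw=0x{s['size_of_data']:x} virt=0x{s['virtual_size']:x} "
              f"entropy={s['entropy']:.3f}")
    print("high-entropy:", result["high_entropy"], "ratio:", round(result["compressed_ratio"], 3),
          "overall high:", result["overall_high"], "bloated:", result["bloated"])
```

To run it against a real file replace `build_sample_pe()` with `open(path, "rb").read()`; a UPX-style layout shows up as an almost empty first section with a huge virtual_size next to a high-entropy section holding the compressed image.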
Antivirus Result
Bkav W32.AIDetectNet.01
Lionic Trojan.Win32.Zenpak.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.98396
ClamAV Win.Dropper.Tofsee-9994349-0
FireEye Generic.mg.7b789842cbf26efd
CAT-QuickHeal Ransom.Stop.P5
ALYac Trojan.GenericKDZ.98396
Cylance unsafe
Zillya Trojan.Kryptik.Win32.4104090
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 005a175e1 )
Alibaba Trojan:Win32/Zenpak.7e2b3c33
K7GW Trojan ( 005a175e1 )
CrowdStrike win/malicious_confidence_100% (W)
Cyren W32/Kryptik.JGG.gen!Eldorado
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 a variant of Win32/Kryptik.HTDQ
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Zenpak.gen
BitDefender Trojan.GenericKDZ.98396
NANO-Antivirus Trojan.Win32.Stealer.jvhfzo
Avast Win32:RansomX-gen [Ransom]
Tencent Win32.Trojan.Zenpak.Rsmw
Emsisoft Trojan.GenericKDZ.98396 (B)
F-Secure Trojan.TR/AD.RedLineSteal.npjpi
DrWeb Trojan.PWS.Stealer.35775
VIPRE Trojan.GenericKDZ.98396
TrendMicro TROJ_GEN.R03BC0DCU23
McAfee-GW-Edition BehavesLike.Win32.Lockbit.fc
Trapmine malicious.high.ml.score
Sophos Troj/Krypt-WE
SentinelOne Static AI - Malicious PE
Jiangmin TrojanSpy.Stealer.aglx
Avira TR/AD.RedLineSteal.npjpi
Antiy-AVL Trojan[Backdoor]/MSIL.Convagent
Microsoft Trojan:Win32/SmokeLoader.CR!MTB
Gridinsoft Ransom.Win32.STOP.dd!n
Arcabit Trojan.Generic.D1805C
ViRobot Trojan.Win.Z.Agent.394240.H
ZoneAlarm HEUR:Trojan.Win32.Zenpak.gen
GData Win32.Trojan.PSE.10H93EF
Google Detected
AhnLab-V3 Malware/Win.Generic.C5400546
McAfee Artemis!7B789842CBF2
MAX malware (ai score=84)
VBA32 Malware-Cryptor.Azorult.gen