Summary | ZeroBOX

Photocopies.exe

Tags: Malicious Library, UPX, OS Processor Check, PE32, PE File
Category: FILE
Machine: s1_win7_x6402
Started: April 5, 2023, 8:27 a.m.
Completed: April 5, 2023, 8:29 a.m.
Size: 288.3KB
Type: PE32 executable (console) Intel 80386, for MS Windows
MD5: 2f5769f336565444ad1b4725b55d6dc9
SHA256: 81ae9161203cc5f2412234090fd8f173881af882b7318f2110759941c67b8b9c
CRC32: 1FB05D55
ssdeep: 3072:RC0exSEsx8eB2YZN4y1c/8tzLm2cwrIXhKfZVIkKiRH3T5WPd2fxV:qE8eBp3cUBL7zrIXhMXIGRHsI
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

DNS (Name / Response / Post-Analysis Lookup)
No hosts contacted.

Hosts (IP Address / Status / Action)
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Behavior (Time & API / Arguments / Status / Return / Repeated)

__exception__
Status: 1  Return: 0  Repeated: 0

stacktrace:
photocopies+0x7e55 @ 0x407e55
photocopies+0xae39 @ 0x40ae39

exception.instruction_r: 35 01 00 c0 00 00 00 00 fc 1d 00 00 00 00 00 00
exception.instruction: xor eax, 0xc00001
exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION)
exception.symbol:
exception.address: 0x18fe80
registers.esp: 1637440
registers.edi: 72
registers.eax: 4402
registers.ebp: 1638204
registers.edx: 262144
registers.ebx: 2535478
registers.esi: 4294650918
registers.ecx: 4402

NtProtectVirtualMemory
Status: 1  Return: 0  Repeated: 0

process_identifier: 3032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00445000
process_handle: 0xffffffff

NtCreateFile
Return: 3221225530 (0xC000003A, STATUS_OBJECT_PATH_NOT_FOUND)  Repeated: 0

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000000
filepath: C:\Users\test22\AppData\Local\Temp\iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM)
filepath_r: iCPVJT9Ww\Mw7MCq8vFe\sHVTRvuvote
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 4294967295 (0xFFFFFFFF)
share_access: 2 (FILE_SHARE_WRITE)
Signatures

A section with a high entropy has been found: section .data, size_of_data 0x0002cc00, virtual_address 0x0001a000, virtual_size 0x0002d69c, entropy 7.400899724869152
Overall entropy of this PE file is high: entropy 0.645045045045
Antivirus (vendor / detection)

Lionic Trojan.Win32.Convagent.4!c
MicroWorld-eScan Gen:Variant.Doina.54749
CAT-QuickHeal Backdoor.Convagent
ALYac Gen:Variant.Doina.54749
Malwarebytes Trojan.Crypt
VIPRE Gen:Variant.Doina.54749
K7AntiVirus Trojan ( 0059fd251 )
Alibaba Trojan:Win32/Strab.45cdd43f
K7GW Trojan ( 0059fd251 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Doina.DD5DD
Cyren W32/Convagent.CB.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Kryptik.HSYN
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Strab.gen
BitDefender Gen:Variant.Doina.54749
Avast Win32:CrypterX-gen [Trj]
Rising Backdoor.Convagent!8.123DC (TFE:5:vbhNhfFnk7U)
Emsisoft Gen:Variant.Doina.54749 (B)
F-Secure Trojan.TR/AD.RedLineSteal.xuruc
TrendMicro TrojanSpy.Win32.REDLINE.YXDC5Z
McAfee-GW-Edition Artemis!Trojan
Trapmine malicious.high.ml.score
FireEye Generic.mg.2f5769f336565444
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Webroot W32.Malware.Gen
Google Detected
Avira TR/AD.RedLineSteal.xuruc
MAX malware (ai score=84)
Antiy-AVL Trojan/Win32.Kryptik
Microsoft Trojan:Win32/Redline.RWZ!MTB
ZoneAlarm HEUR:Trojan.Win32.Strab.gen
GData Gen:Variant.Doina.54749
Cynet Malicious (score: 99)
McAfee Artemis!2F5769F33656
VBA32 BScope.Trojan.Kryptik
Cylance unsafe
Panda Trj/Passtealer.R
TrendMicro-HouseCall TrojanSpy.Win32.REDLINE.YXDC5Z
Tencent Malware.Win32.Gencirc.10be8a39
Ikarus Trojan.Win32.Crypt
MaxSecure Trojan.W32.Strab.gen_260344
Fortinet W32/Kryptik.HSYN!tr
AVG Win32:CrypterX-gen [Trj]
DeepInstinct MALICIOUS