Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 13, 2023, 9:12 a.m.	April 13, 2023, 9:14 a.m.

Size	36.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`d06c243962c54d2763c2ffb8b16208e9`
SHA256	`9735de6f7e65882eb34df781669bda22ca6aaf86ffe1a23821a3d2951d27780d`
CRC32	`BD707E0B`
ssdeep	`384:rT9fLOVVThwgyO3MuGfJOtP2i1McPDd7MlSN7idOR5Zw7QSc:loCggJOt+i15Pp7nNGORvr`
Yara	UPX_Zero - UPX packed file IsPE32 - (no description) PE_Header_Zero - PE File Signature Antivirus - Contains references to security software

（电-子--发-票）.exe "C:\Users\test22\AppData\Local\Temp\（电-子--发-票）.exe"
3000

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

Foreign language identified in PE resource (27 events)

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00006e80

size

0x00000428

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00006d30

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00006d30

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00006d30

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00006d30

size

0x00000128

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000072c8

size

0x00000222

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00007638

size

0x00000062

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00007638

size

0x00000062

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00008218

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00008218

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00008218

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00008218

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00008218

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00008218

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00008218

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00008218

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00008218

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00008218

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00008218

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00008218

size

0x0000003a

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00008218

size

0x0000003a

name

RT_ACCELERATOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000074f0

size

0x00000070

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00006e58

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00006e58

size

0x00000022

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000076a0

size

0x000002dc

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document text

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00007980

size

0x0000028b

name

None

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000072a8

size

0x0000001e

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (27 events)

Time & API	Arguments	Status	Return
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: smss.exe process_identifier: 228	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 584	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 656	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 740	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 796	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: audiodg.exe process_identifier: 916	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: spoolsv.exe process_identifier: 1036	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 1080	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: taskhost.exe process_identifier: 1352	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 1432	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: IMEDICTUPDATE.EXE process_identifier: 1492	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: svchost.exe process_identifier: 1908	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: pw.exe process_identifier: 1200	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: SearchIndexer.exe process_identifier: 736	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: SearchProtocolHost.exe process_identifier: 1364	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: SearchFilterHost.exe process_identifier: 2064	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: mobsync.exe process_identifier: 2460	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: tvnserver.exe process_identifier: 2584	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: pw.exe process_identifier: 2692	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: wsqmcons.exe process_identifier: 2744	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: sdclt.exe process_identifier: 2764	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: conhost.exe process_identifier: 2780	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: taskhost.exe process_identifier: 2824	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: cmd.exe process_identifier: 2928	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: conhost.exe process_identifier: 2940	1	1
Process32NextW April 13, 2023, 9:12 a.m.	snapshot_handle: 0x000000a8 process_name: pw.exe process_identifier: 3020	1	1

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Lionic	Trojan.Win32.Agent.l9y2
MicroWorld-eScan	Trojan.GenericKD.66276452
FireEye	Trojan.GenericKD.66276452
McAfee	Artemis!D06C243962C5
Malwarebytes	Malware.AI.2080635735
K7AntiVirus	Trojan-Downloader ( 005a19c71 )
Alibaba	TrojanDownloader:Win32/Generic.abcd4cc0
K7GW	Trojan-Downloader ( 005a19c71 )
CrowdStrike	win/malicious_confidence_90% (W)
Arcabit	Trojan.Generic.D3F34C64
BitDefenderTheta	Gen:NN.ZexaF.36132.cq0@aKhXH5cb
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.GUA
Cynet	Malicious (score: 99)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Agent.gen
BitDefender	Trojan.GenericKD.66276452
Avast	Win32:Trojan-gen
Tencent	Win32.Trojan-Downloader.Oader.Hkjl
Emsisoft	Trojan.GenericKD.66276452 (B)
F-Secure	Trojan.TR/Dldr.Agent.tyixa
McAfee-GW-Edition	BehavesLike.Win32.Injector.nz
Trapmine	malicious.moderate.ml.score
Sophos	Mal/Generic-S
Avira	TR/Dldr.Agent.tyixa
MAX	malware (ai score=85)
Antiy-AVL	Trojan[Downloader]/Win32.Agent
Gridinsoft	Ransom.Win32.Wacatac.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
ViRobot	Trojan.Win.Z.Agent.36864.XM
ZoneAlarm	HEUR:Trojan.Win32.Agent.gen
GData	Win32.Trojan.Agent.1GWZCU
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5404996
VBA32	BScope.TrojanPSW.Panda
Cylance	unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0DD623
Rising	Downloader.Agent!8.B23 (TFE:5:i0f1n8j0TET)
Ikarus	Trojan-Downloader.Win32.Agent
Fortinet	W32/Agent.GTJ!tr.dldr
AVG	Win32:Trojan-gen
DeepInstinct	MALICIOUS

（电-子--发-票）.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All