Summary | ZeroBOX

okes.exe

MPRESS UPX PE64 PE File
Category FILE
Machine s1_win7_x6401
Started April 18, 2023, 5:32 p.m.
Completed April 18, 2023, 5:36 p.m.
Size 2.6MB
Type MS-DOS executable, MZ for MS-DOS
MD5 2775771aca8f5cdb689354532eba3109
SHA256 2494df92fe8d29c53db5479ceb92a48604bcacf4cafc3ccda97092cffef2b78a
CRC32 96B33A13
ssdeep 49152:XkTCqhlmC6N/BV4wuEmLcE2gS085h0FbTNxKW6mLhnUYMhHQOzVhdPfVXA3:w9hij4aHtgS08r0FPNp6mZmH3zVhRh6
Yara
  • UPX_Zero - UPX packed file
  • MPRESS_Zero - MPRESS packed file
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .MPRESS1
section .MPRESS2
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x76d80895
stacktrace+0x84 memdup-0x1af @ 0x73980470
hook_in_monitor+0x45 lde-0x133 @ 0x739742ea
New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x73993603
VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd503243
VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd5031fb
okes+0x1fcb05 @ 0x36cb05
GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76c12ef0
okes+0x720fff @ 0x890fff
GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76c12ef0
okes+0x892000 @ 0xa02000
okes+0x1000 @ 0x171000
okes+0x71ec29 @ 0x88ec29
0x7fffffdf000
okes+0x893085 @ 0xa03085
0x7fffffdf000

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x76d80895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 13824392
registers.rsi: 10493952
registers.r10: 0
registers.rbx: 1992371952
registers.rsp: 13826712
registers.r11: 514
registers.r8: 64
registers.r9: 4
registers.rdx: 13825736
registers.r12: 0
registers.rbp: 0
registers.rdi: 1507695
registers.rax: 13824072
registers.r13: 0
Status 1 Return 0 Repeated 0
section .MPRESS1 (name .MPRESS1, virtual_address 0x00001000, virtual_size 0x00892000, size_of_data 0x00290c00, entropy 7.999915092613073) entropy 7.99991509261 description A section with a high entropy has been found
entropy 0.9963967381 description Overall entropy of this PE file is high
Lionic Trojan.Win32.ClipBanker.Z!c
Elastic malicious (moderate confidence)
MicroWorld-eScan Trojan.GenericKD.66360346
CAT-QuickHeal Trojan.Win64
McAfee Artemis!2775771ACA8F
VIPRE Trojan.GenericKD.66360346
Alibaba TrojanBanker:Win32/ClipBanker.65cbb955
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 a variant of Win64/Packed.Themida.OY
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky Trojan-Banker.Win32.ClipBanker.xtr
BitDefender Trojan.GenericKD.66360346
Avast Win64:MalwareX-gen [Trj]
Rising Trojan.ClipBanker!8.5FB (CLOUD)
Emsisoft Trojan.GenericKD.66360346 (B)
F-Secure Trojan.TR/Spy.Banker.npwou
McAfee-GW-Edition Artemis!Trojan
Trapmine malicious.high.ml.score
FireEye Generic.mg.2775771aca8f5cdb
Sophos Mal/Generic-S
Ikarus Win32.Outbreak
GData Trojan.GenericKD.66360346
Avira TR/Spy.Banker.npwou
Gridinsoft Ransom.Win64.Wacatac.sa
Arcabit Trojan.Generic.D3F4941A
ZoneAlarm Trojan-Banker.Win32.ClipBanker.xtr
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ALYac Trojan.GenericKD.66360346
MAX malware (ai score=87)
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H0CDD23
Tencent Win32.Trojan.FalseSign.Gtgl
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/PossibleThreat
AVG Win64:MalwareX-gen [Trj]
DeepInstinct MALICIOUS