Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
05.05 11:05
University of Alberta....
05.05 07:05
no-login.b3167651.svg
05.05 06:05
a-gif.4d7662a.png
05.05 12:05
Synaptics.exe
05.05 12:05
Synaptics.exe
05.05 12:05
Synaptics.exe
05.05 12:05
Synaptics.exe
05.05 12:05
Synaptics.exe
05.04 10:05
mediacje.png
05.04 10:05
Portal orzeczeń - Sąd ...

Latest News
05.06 08:05
Tech’s Strong Earnings...
05.06 08:05
DoorDash Buys SevenRoo...
05.06 08:05
Improving Flying Drone...
05.06 08:05
Proactive threat hunti...
05.06 08:05
AMD, Arm Offer Window ...
05.06 08:05
Entra ID Data Protecti...
05.06 07:05
오케이오아시스, 전문가용 고사양 노트북 ...
05.06 07:05
Lampion Is Back With C...
05.06 07:05
Grubhub Owner Wonder T...
05.06 07:05
WiseTech’s White Takes...

Summary | ZeroBOX

malwr.exe

Generic Malware Malicious Library UPX Malicious Packer PE64 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 6, 2023, 11:57 a.m.	May 6, 2023, 12:01 p.m.

Size	10.6MB
Type	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5	`c2db1e38863cc1bd9fefc90a7d9ae083`
SHA256	`b4b838326d85f36eda68227b6aa7cb6c052a62f8c08c19fa65e705925f9a3a58`
CRC32	`A1DEAEFC`
ssdeep	`196608:uN3BHnYqBfKV3IU25SynlGTGdJBgJOG1O:oHfBOID5Synwid3gJV4`
Yara	UPX_Zero - UPX packed file IsPE64 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library Generic_Malware_Zero - Generic Malware

malwr.exe "C:\Users\test22\AppData\Local\Temp\malwr.exe"
2076

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 6, 2023, 11:57 a.m.	buffer: 2023/05/06 11:57:19 Encrypt mode console_handle: 0x000000000000000b	1	1	0
WriteConsoleW May 6, 2023, 11:57 a.m.	buffer: 2023/05/06 11:57:19 > Encrypting ./FXSAPIDebugLogFile.txt console_handle: 0x000000000000000b	1	1	0
WriteConsoleW May 6, 2023, 11:57 a.m.	buffer: 2023/05/06 11:57:19 remove ./FXSAPIDebugLogFile.txt: The process cannot access the file because it is being used by another process. console_handle: 0x000000000000000b	1	1	0
WriteConsoleW May 6, 2023, 11:57 a.m.	buffer: 2023/05/06 11:57:19 > Encrypting ./Microsoft .NET Framework 4.5 KOR Language Pack Setup_20200715_141443571-MSI_netfx_FullLP_x64.msi.txt console_handle: 0x000000000000000b	1	1	0
WriteConsoleW May 6, 2023, 11:57 a.m.	buffer: 2023/05/06 11:57:19 > Encrypting ./Microsoft .NET Framework 4.5 KOR Language Pack Setup_20200715_141443571.html console_handle: 0x000000000000000b	1	1	0
WriteConsoleW May 6, 2023, 11:57 a.m.	buffer: 2023/05/06 11:57:19 > Encrypting ./Microsoft .NET Framework 4.5 Setup_20200715_141303844-MSI_netfx_Full_x64.msi.txt console_handle: 0x000000000000000b	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.symtab

The binary likely contains encrypted or compressed data indicative of a packer (5 events)

section

{u'size_of_data': u'0x00079c00', u'virtual_address': u'0x0084d000', u'entropy': 7.995828260506113, u'name': u'/19', u'virtual_size': u'0x00079a51'}

entropy

7.99582826051

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00018200', u'virtual_address': u'0x008c7000', u'entropy': 7.937268238064064, u'name': u'/32', u'virtual_size': u'0x000181e6'}

entropy

7.93726823806

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x000d7800', u'virtual_address': u'0x008e1000', u'entropy': 7.998211842110992, u'name': u'/65', u'virtual_size': u'0x000d77ed'}

entropy

7.99821184211

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00081400', u'virtual_address': u'0x009b9000', u'entropy': 7.997537061981059, u'name': u'/78', u'virtual_size': u'0x0008132c'}

entropy

7.99753706198

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0002ce00', u'virtual_address': u'0x00a3b000', u'entropy': 7.822606107936475, u'name': u'/90', u'virtual_size': u'0x0002cd4f'}

entropy

7.82260610794

description

A section with a high entropy has been found

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

McAfee	Artemis!C2DB1E38863C
Paloalto	generic.ml
Kaspersky	Trojan.Win32.DelShad.lha
Avast	Win64:Evo-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win64.Trojan.vh
Sophos	Mal/Generic-S
Webroot	W32.Ransom.Gen
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	Trojan.Win32.DelShad.lha
Malwarebytes	Ransom.Hansomware
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	Malicious_Behavior.SB
AVG	Win64:Evo-gen [Trj]
DeepInstinct	MALICIOUS

Appends a known Locky ransomware file extension to files that have been encrypted (3 events)

file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 KOR Language Pack Setup_20200715_141443571.html.zepto
file	C:\Users\test22\AppData\Local\Temp\Microsoft .NET Framework 4.5 KOR Language Pack Setup_20200715_141443571-MSI_netfx_FullLP_x64.msi.txt.zepto
file	C:\Users\test22\AppData\Local\Temp\FXSAPIDebugLogFile.txt.zepto

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress May 6, 2023, 11:57 a.m.	ordinal: 0 function_address: 0x000007fefe467a50 function_name: wine_get_version module: ntdll module_address: 0x00000000776c0000		-1073741511	0