Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 24, 2023, 9:10 a.m.	May 24, 2023, 9:14 a.m.

Size	30.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`09716fd4d7ab6e6577fc038e56bec7d2`
SHA256	`0b4275e3f2d5d1189ed6e997fa4c74d35c479a9b220d5e58fab731d3df7627c1`
CRC32	`CD24FE76`
ssdeep	`196608:gD0BqGdgpQxUmLmER3RTsl/mfsD/eP6hcfA1f1YHY1VUX62uVDghPW:gDeJdUQpTBiNe69qeUPhe`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check mzp_file_format - MZP(Delphi) file format Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer Admin_Tool_IN_Zero - Admin Tool Sysinternals Antivirus - Contains references to security software

SAW_BYDESCONNET.exe "C:\Users\test22\AppData\Local\Temp\SAW_BYDESCONNET.exe"
840
- cmd.exe "C:\windows\system32\cmd.exe" /c md C:\SAW
  2084

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

No Suricata Alerts

No Suricata TLS

packer

BobSoft Mini Delphi -> BoB / BobSoft

resource name

VCLSTYLE

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 24, 2023, 9:10 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

cmdline	c:\Windows\System32\cmd.exe /c md C:\SAW
cmdline	"C:\windows\system32\cmd.exe" /c md C:\SAW

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 24, 2023, 9:10 a.m.	show_type: 0 filepath_r: c:\windows\system32\cmd.exe parameters: /c md C:\SAW filepath: c:\Windows\System32\cmd.exe	1	1	0

Elastic	malicious (high confidence)
McAfee	Artemis!18D117AD3DBF
Zillya	Trojan.KillMBR.Win32.743
Sangfor	Trojan.Win32.Killmbr.Vbct
K7AntiVirus	Trojan ( 0059efd21 )
Alibaba	Trojan:Win32/KillMBR.81ffdd68
K7GW	Trojan ( 0059efd21 )
Cyren	W32/Trojan.VFBA-8001
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/KillMBR.NJW
Kaspersky	HEUR:Trojan.Win32.KillMBR.gen
NANO-Antivirus	Trojan.Win32.KillMBR.juoxqy
Avast	Win32:Malware-gen
Tencent	Malware.Win32.Gencirc.10bdaa53
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Redcap.sthcy
McAfee-GW-Edition	RDN/Generic.dx
Ikarus	Trojan.Win32.KillDisk
Avira	TR/Redcap.sthcy
Antiy-AVL	Trojan/Win32.Tiggre
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.KillMBR.gen
GData	Win32.Trojan.Agent.3V89P6
AhnLab-V3	Malware/Win.Generic.C5101502
VBA32	TScope.Trojan.Delf
Cylance	unsafe
Panda	Trj/Chgt.AD
Zoner	Trojan.Win32.85523
Rising	Trojan.Generic@AI.87 (RDML:qZivNsSaJy8XsQFA5FAZ3A)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat.DU
AVG	Win32:Malware-gen
DeepInstinct	MALICIOUS

SAW_BYDESCONNET.exe