Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 28, 2023, 1:42 p.m.	May 28, 2023, 2:20 p.m.

Size	4.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`20004dea61cdb68d6b89a9d0690434cd`
SHA256	`78c6ae28110bc8236e3ffcba0cd76e889a91f8ca76ff2699691dba040c92f313`
CRC32	`6ABBB347`
ssdeep	`98304:SJ40m7FgKc3JDoHbkLMwmyw7D25WU4YN1LH1q4FBQbQIWf158QfG9qgOVnl9o:SJ7mKKmDoydwvYx1LHMuQbQIWIxQgOX9`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

77c43f7e.exe "C:\Users\test22\AppData\Local\Temp\77c43f7e.exe"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.Q@5
section	.s;*
section	.Gmu

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 28, 2023, 1:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00310000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (4 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004f57e0

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004f57e0

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004f57e0

size

0x00000468

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004f5c48

size

0x00000030

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 28, 2023, 1:42 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00310000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (5 events)

section

{u'size_of_data': u'0x0001ee00', u'virtual_address': u'0x00009000', u'entropy': 7.99850557022659, u'name': u'.rdata', u'virtual_size': u'0x0001ec20'}

entropy

7.99850557023

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00064a00', u'virtual_address': u'0x00028000', u'entropy': 7.999574933422978, u'name': u'.data', u'virtual_size': u'0x00064808'}

entropy

7.99957493342

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00254a00', u'virtual_address': u'0x0008d000', u'entropy': 7.939581552533181, u'name': u'.Q@5', u'virtual_size': u'0x0025482f'}

entropy

7.93958155253

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0020a000', u'virtual_address': u'0x002e3000', u'entropy': 7.973305817447732, u'name': u'.Gmu', u'virtual_size': u'0x00209e10'}

entropy

7.97330581745

description

A section with a high entropy has been found

entropy

0.98687586343

description

Overall entropy of this PE file is high

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Aezku.4!c
Cynet	Malicious (score: 99)
McAfee	Artemis!20004DEA61CD
Cylance	unsafe
Sangfor	Trojan.Win32.Agent.Vf52
Alibaba	Packed:Win32/VMProtect.bdfb3311
Cybereason	malicious.a61cdb
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Trojan.Heur.FU.@J0@aeZkU4mj
MicroWorld-eScan	Gen:Trojan.Heur.FU.@J0@aeZkU4mj
Avast	FileRepMalware [Misc]
Ad-Aware	Gen:Trojan.Heur.FU.@J0@aeZkU4mj
Emsisoft	Gen:Trojan.Heur.FU.@J0@aeZkU4mj (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen3
VIPRE	Gen:Trojan.Heur.FU.@J0@aeZkU4mj
TrendMicro	Trojan.Win32.AMADEY.YXDE1Z
McAfee-GW-Edition	BehavesLike.Win32.Generic.rc
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.20004dea61cdb68d
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
GData	Gen:Trojan.Heur.FU.@J0@aeZkU4mj
Webroot	W32.Malware.Gen
Avira	TR/Crypt.XPACK.Gen3
Kingsoft	malware.kb.a.991
Arcabit	Trojan.Heur.FU.EF293E
Microsoft	Trojan:Win32/Casdet!rfn
ALYac	Gen:Trojan.Heur.FU.@J0@aeZkU4mj
MAX	malware (ai score=89)
Malwarebytes	Malware.AI.4236652816
Rising	Trojan.Generic@AI.100 (RDML:t32SZVxCYrc8q1ldg63XGA)
Ikarus	Win32.Outbreak
BitDefenderTheta	AI:Packer.7AA4CA7420
AVG	FileRepMalware [Misc]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

77c43f7e.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All