Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 28, 2023, 1:43 p.m.	May 28, 2023, 2:30 p.m.

Size	2.6MB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`08419affda8d3d7d65ff3897e726a819`
SHA256	`de6a560027e629ce8cfa000fd84a7d0daa1fffb37c9365bd6737f1a92f57dad3`
CRC32	`2AF5BB21`
ssdeep	`49152:TC2GwK7QTl7G98P8S6bYW5u4AwWAGADe4IugQDBaWpYls8/X+JSQuYHuOjwaWfDu:TmwFG9Ch6bY83AwbGAPDgQtaLX+JSQuG`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Malicious_Library_Zero - Malicious_Library Is_DotNET_EXE - (no description) hide_executable_file - Hide executable file Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature IsPE32 - (no description)

Azure_Cracked.exe "C:\Users\test22\AppData\Local\Temp\Azure_Cracked.exe"
2040

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 28, 2023, 1:43 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 28, 2023, 1:43 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 28, 2023, 1:43 p.m.			0	0
IsDebuggerPresent May 28, 2023, 1:43 p.m.			0	0
IsDebuggerPresent May 28, 2023, 1:43 p.m.			0	0
IsDebuggerPresent May 28, 2023, 1:43 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA May 28, 2023, 1:43 p.m.	buffer: Unhandled Exception: console_handle: 0x0000000b	1	1	0
WriteConsoleA May 28, 2023, 1:43 p.m.	buffer: System.Runtime.InteropServices.COMException: Record not found on lookup. (Exception from HRESULT: 0x80131130) console_handle: 0x0000000b	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 28, 2023, 1:43 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (11 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 28, 2023, 1:43 p.m.	process_identifier: 2040 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2023, 1:43 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2023, 1:43 p.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 28, 2023, 1:43 p.m.	process_identifier: 2040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2023, 1:43 p.m.	process_identifier: 2040 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2023, 1:43 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2023, 1:43 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2023, 1:43 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0068a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2023, 1:43 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2023, 1:43 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 28, 2023, 1:43 p.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00286200', u'virtual_address': u'0x00002000', u'entropy': 7.887840003128443, u'name': u'.text', u'virtual_size': u'0x002860e4'}

entropy

7.88784000313

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00008000', u'virtual_address': u'0x0028a000', u'entropy': 7.86487970960429, u'name': u'.rsrc', u'virtual_size': u'0x00007e38'}

entropy

7.8648797096

description

A section with a high entropy has been found

entropy

0.999808941536

description

Overall entropy of this PE file is high

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

MicroWorld-eScan	Gen:Variant.Tedy.295151
ALYac	Gen:Variant.Tedy.295151
Cylance	unsafe
Sangfor	Trojan.Win32.Agent.V57u
Alibaba	Packed:MSIL/DotNetGuard.c227319c
Cybereason	malicious.4cbe70
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Packed.DotNetGuard.A suspicious
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:Trojan.Win32.Agent.a
BitDefender	Gen:Variant.Tedy.295151
Emsisoft	Gen:Variant.Tedy.295151 (B)
DrWeb	Trojan.PWS.Stealer.29975
VIPRE	Gen:Variant.Tedy.295151
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
FireEye	Generic.mg.08419affda8d3d7d
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
GData	Gen:Variant.Tedy.295151
Gridinsoft	Suspicious.XOR_Encoded.bot!yf
Arcabit	Trojan.Tedy.D480EF
ZoneAlarm	UDS:Trojan.Win32.Agent.a
Microsoft	Trojan:Win32/Casdet!rfn
Google	Detected
McAfee	Artemis!08419AFFDA8D
MAX	malware (ai score=86)
VBA32	Worm.Bundpil
Malwarebytes	Malware.AI.645246570
TrendMicro-HouseCall	TROJ_GEN.R014H09ER23
Ikarus	Win32.Outbreak
MaxSecure	Trojan.Malware.300983.susgen
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

Azure_Cracked.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All