Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 7, 2023, 9:13 a.m.	June 7, 2023, 9:15 a.m.

Size	1.0MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`85f723845b73f7791ecfc84bde974ef7`
SHA256	`e15df041092b52383517b47eae02f7e5f452b180dec8576f449cc582b62bcb57`
CRC32	`61168C6C`
ssdeep	`24576:wvYW8ajlsWzMs3JU7+FLj8eoF0mA88u4GtJM1pB1:wXlJzMs5Bhtmb8u4KU1`
Yara	Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT PE_Header_Zero - PE File Signature IsPE32 - (no description)

ebc52250faaaa0e22efe35539b006ed25270d38e667b2a24dde25cede42afb4d.exe "C:\Users\test22\AppData\Local\Temp\ebc52250faaaa0e22efe35539b006ed25270d38e667b2a24dde25cede42afb4d.exe"
2652

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA June 7, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 7, 2023, 9:13 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 7, 2023, 9:13 a.m.			0	0
IsDebuggerPresent June 7, 2023, 9:13 a.m.			0	0
IsDebuggerPresent June 7, 2023, 9:13 a.m.			0	0
IsDebuggerPresent June 7, 2023, 9:13 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 7, 2023, 9:13 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 7, 2023, 9:13 a.m.	process_identifier: 2652 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:13 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 9:13 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 9:13 a.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:13 a.m.	process_identifier: 2652 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:13 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:13 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:13 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:13 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:13 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:13 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:13 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:13 a.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00101400', u'virtual_address': u'0x00002000', u'entropy': 7.999426074361367, u'name': u'.text', u'virtual_size': u'0x00101344'}

entropy

7.99942607436

description

A section with a high entropy has been found

entropy

0.99806013579

description

Overall entropy of this PE file is high

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Lionic	Trojan.Win32.Scarsi.4!c
McAfee	Artemis!85F723845B73
Malwarebytes	Trojan.Downloader.MSIL.Generic
Sangfor	Suspicious.Win32.Save.a
Alibaba	Trojan:MSIL/Scarsi.c34a2aca
Cybereason	malicious.a8d1a8
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	MSIL.Downloader!gen7
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.PHI
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan.MSIL.Scarsi.gen
Avast	Win32:RATX-gen [Trj]
Tencent	Msil.Trojan-Downloader.Ader.Nsmw
DrWeb	Trojan.DownloaderNET.644
TrendMicro	Trojan.Win32.AMADEY.YXDFFZ
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.85f723845b73f779
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.MSIL.Scarsi
Gridinsoft	Ransom.Win32.Gen.bot
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	HEUR:Trojan.MSIL.Scarsi.gen
VBA32	Downloader.MSIL.gen.rexp
Cylance	unsafe
Panda	Trj/Chgt.AD
Rising	Downloader.Agent!8.B23 (CLOUD)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.PHI!tr.dldr
BitDefenderTheta	Gen:NN.ZemsilF.36250.bn2@aKbmWQf
AVG	Win32:RATX-gen [Trj]
DeepInstinct	MALICIOUS

ebc52250faaaa0e22efe35539b006ed25270d38e667b2a24dde25cede42afb4d

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All