Summary | ZeroBOX

crona.exe

Emotet MPRESS UPX PE64 PE File
Category FILE
Machine s1_win7_x6403_us
Started June 11, 2023, 10:51 p.m.
Completed June 11, 2023, 11:31 p.m.
Size 3.7MB
Type MS-DOS executable, MZ for MS-DOS
MD5 ccf4763882256111f713d881ad7d9aa9
SHA256 59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7
CRC32 CFD65782
ssdeep 98304:o+bU8AtKpng3RiQT0Q9zc7J7MRNCwZMGzcf+UctPK0:o+bUVtKxg3RiQ7z0J7MuwDzcGUck
Yara
  • UPX_Zero - UPX packed file
  • Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet
  • IsPE64 - (no description)
  • MPRESS_Zero - MPRESS packed file
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .MPRESS1
section .MPRESS2
resource name None
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77710895
stacktrace+0x84 memdup-0x1af @ 0x749a0470
hook_in_monitor+0x45 lde-0x133 @ 0x749942ea
New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x749b3603
VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefdc03243
VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefdc031fb
crona+0x1fcb05 @ 0xa9cb05
GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76fc2ef0
0x816fff (this frame is repeated 56 times in the captured stack trace)

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x77710895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 2880552
registers.rsi: 17530880
registers.r10: 0
registers.rbx: 1996238576
registers.rsp: 2882808
registers.r11: 514
registers.r8: 64
registers.r9: 4
registers.rdx: 2881896
registers.r12: 0
registers.rbp: 0
registers.rdi: 9044335
registers.rax: 2880232
registers.r13: 0
Status 1 Return 0 Repeated 0
section .MPRESS1 (size_of_data 0x00376000, virtual_address 0x00001000, virtual_size 0x00818000, entropy 7.999948854443531) description A section with a high entropy has been found
entropy 0.945823325327 description Overall entropy of this PE file is high
Lionic Trojan.Win32.ClipBanker.Z!c
tehtris Generic.Malware
MicroWorld-eScan Trojan.Generic.33908739
Malwarebytes Trojan.LaplasClipper
Sangfor Banker.Win32.Clipbanker.V4qz
K7AntiVirus Trojan ( 005a4f031 )
K7GW Trojan ( 005a4f031 )
Arcabit Trojan.Generic.D2056803
Cyren W64/ABRisk.OKVO-2090
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win64/Packed.Themida.PJ
APEX Malicious
Kaspersky Trojan-Banker.Win32.ClipBanker.ylu
BitDefender Trojan.Generic.33908739
Avast Win64:Trojan-gen
Tencent Win32.Trojan-Banker.Clipbanker.Zwhl
Emsisoft Trojan.Generic.33908739 (B)
F-Secure Trojan.TR/Spy.Banker.hdfoe
DrWeb Trojan.PWS.Stealer.35447
VIPRE Trojan.Generic.33908739
TrendMicro TROJ_GEN.R002C0XF923
McAfee-GW-Edition BehavesLike.Win64.Generic.wc
Trapmine malicious.high.ml.score
FireEye Generic.mg.ccf4763882256111
Sophos Mal/Generic-S
Avira TR/Spy.Banker.hdfoe
MAX malware (ai score=85)
Antiy-AVL Trojan[Packed]/Win64.Themida
Microsoft Trojan:Win32/Casdet!rfn
ZoneAlarm Trojan-Banker.Win32.ClipBanker.ylu
GData Win64.Trojan.Agent.G885X6
Cynet Malicious (score: 99)
AhnLab-V3 Trojan/Win.Generic.C5412061
McAfee Artemis!CCF476388225
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002C0XF923
Rising Trojan.ClipBanker!8.5FB (CLOUD)
Ikarus Trojan.Win32.Generic
Fortinet W32/PossibleThreat
AVG Win64:Trojan-gen
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)