Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 26, 2023, 10:15 a.m.	June 26, 2023, 10:18 a.m.

Size	7.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`54e5447517c883ded154b44a07b4eb95`
SHA256	`f010440b7181758b2aa8a1698dcdec1ac0c322d518b6109917847744a1aa6775`
CRC32	`1172F5E0`
ssdeep	`196608:91OF/7aYMWsz9jqAfvpHFhpMvQa43vLxfPa0HL9d/:3OFpMWo08npMIaGv13a0HL9d/`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

setup.exe "C:\Users\test22\AppData\Local\Temp\setup.exe"
1516
- Install.exe .\Install.exe
  2108
  - Install.exe .\Install.exe /S /site_id "385104"
    2188

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 26, 2023, 10:15 a.m.	computer_name: TEST22-PC	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sxdata

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\7zSC0CA.tmp\Install.exe
file	C:\Users\test22\AppData\Local\Temp\7zSC399.tmp\Install.exe

Executes one or more WMI queries (1 event)

wmi	<INVALID POINTER>

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 26, 2023, 10:15 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 1495040 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Checks the version of Bios, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Detects VirtualBox using WNetGetProviderName trick (1 event)

Time & API	Arguments	Status	Return	Repeated
WNetGetProviderNameW June 26, 2023, 10:15 a.m.	net_type: 0x00250000		1222	0

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Agent.Y!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.67014900
ALYac	Trojan.GenericKD.67014900
Malwarebytes	Generic.Adware.Agent.DDS
VIPRE	Trojan.GenericKD.67014900
Sangfor	Adware.Win32.Neoreklami.Vjck
CrowdStrike	win/grayware_confidence_90% (W)
Alibaba	AdWare:Win32/Neoreklami.85e83e7e
Arcabit	Trojan.Generic.D3FE90F4
VirIT	Adware.Win32.Genus.TV
Cyren	W32/ABRisk.PTTF-8218
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Adware.Neoreklami.MS
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	Trojan-Dropper.Win32.Agent.texbum
BitDefender	Trojan.GenericKD.67014900
NANO-Antivirus	Trojan.Win32.Neoreklami.jwbgnw
Avast	Win32:Adware-gen [Adw]
Tencent	Win32.Trojan-Dropper.Agent.Icnw
Sophos	Generic Reputation PUA (PUA)
F-Secure	Heuristic.HEUR/AGEN.1317455
DrWeb	Trojan.DownLoader45.55262
TrendMicro	Trojan.Win32.AMADEY.YXDFYZ
McAfee-GW-Edition	BehavesLike.Win32.PUP.wc
Trapmine	malicious.moderate.ml.score
FireEye	Trojan.GenericKD.67014900
Emsisoft	Trojan.GenericKD.67014900 (B)
Ikarus	PUA.Neoreklami
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1317455
MAX	malware (ai score=81)
Antiy-AVL	GrayWare[AdWare]/Win32.Neoreklami
Gridinsoft	Trojan.Win32.Agent.cl
Xcitium	ApplicUnwnt@#1znuemq1ej2yk
Microsoft	Trojan:Win32/Casdet!rfn
ViRobot	Trojan.Win.Z.Neoreklami.7612985
ZoneAlarm	Trojan-Dropper.Win32.Agent.texbum
GData	Trojan.GenericKD.67014900
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5428228
McAfee	Artemis!54E5447517C8
VBA32	TrojanDropper.Agent
Cylance	unsafe
Panda	Trj/Agent.FUM
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXDFYZ
Rising	Trojan.Sdum!8.1155F (TFE:2:grN22HR5FJE)
SentinelOne	Static AI - Suspicious SFX

setup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All