Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 29, 2023, 7:38 a.m.	June 29, 2023, 7:46 a.m.

Size	6.3MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`1fcbbe11c8004a763d0ea4944b92444b`
SHA256	`999260c0faffc38eb04d9cc07bdddb441f2d315eae34b7842c95a7076eaeb65b`
CRC32	`97BAEBD2`
ssdeep	`196608:/aR1FdQmRJ8dA6lXCy1ArqkVpKCX+PrF4ZIeghAE0iGVV:M1FdQuslXrAZYCuPJOIegiE1`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) PE_Header_Zero - PE File Signature

u3jHBdYzXMviLak.exe "C:\Users\test22\AppData\Local\Temp\u3jHBdYzXMviLak.exe"
2080
- u3jHBdYzXMviLak.exe "C:\Users\test22\AppData\Local\Temp\u3jHBdYzXMviLak.exe"
  2264

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 29, 2023, 7:38 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 29, 2023, 7:38 a.m.	stacktrace: 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x7fef7c97ef8 registers.r14: 0 registers.r15: 196972 registers.rcx: 196972 registers.rsi: 1 registers.r10: 196972 registers.rbx: 0 registers.rsp: 3173160 registers.r11: 0 registers.r8: 1 registers.r9: 0 registers.rdx: 28 registers.r12: 0 registers.rbp: 9278688 registers.rdi: 0 registers.rax: 3173264 registers.r13: 28	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 29, 2023, 7:38 a.m.

stacktrace:

0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x7fef7c97ef8
registers.r14: 0
registers.r15: 196972
registers.rcx: 196972
registers.rsi: 1
registers.r10: 196972
registers.rbx: 0
registers.rsp: 3173160
registers.r11: 0
registers.r8: 1
registers.r9: 0
registers.rdx: 28
registers.r12: 0
registers.rbp: 9278688
registers.rdi: 0
registers.rax: 3173264
registers.r13: 28

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\_MEI20802\Invoice1436.pdf

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI20802\libffi-7.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20802\python310.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20802\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20802\_pytransform.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20802\libssl-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20802\libcrypto-1_1.dll

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Elastic	malicious (moderate confidence)
FireEye	Generic.mg.1fcbbe11c8004a76
Sangfor	Trojan.Win32.Save.a
ESET-NOD32	Python/Agent.AAC
Cynet	Malicious (score: 100)
ClamAV	Win.Keylogger.Python-9978779-0
Avast	Win64:Malware-gen
McAfee-GW-Edition	BehavesLike.Win64.Generic.vc
Microsoft	Trojan:Win32/Sonbokli.A!cl
Google	Detected
AVG	Win64:Malware-gen
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (D)

u3jHBdYzXMviLak.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All