Summary | ZeroBOX

safevpn20.11342.2k.exe

Emotet Gen1 Suspicious_Script_Bin Generic Malware Malicious Library ASPack UPX Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM PE64 PE File OS Processor Check BMP Format ZIP Format DLL icon
Category: FILE
Machine: s1_win7_x6401
Started: July 23, 2023, 9:41 a.m.
Completed: July 23, 2023, 9:47 a.m.
Size 28.8MB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 6bafba4a43173045136e95abe78666e8
SHA256 922b4ec35337016f806c0d8d2b9ee75ce4f5db550f1fe1021b8836d13cbaf379
CRC32 BD253C82
ssdeep 786432:YqGlsyofwykqk/ql57FQ24HPgIbsorr4YJcyT0RG:nG2oyk7ylfQJPTICbJm
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE64 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • ASPack_Zero - ASPack packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API: GlobalMemoryStatusEx
Arguments: (none)
Status: 1
Return: 1
Repeated: 0
section .gfids
Time & API: NtAllocateVirtualMemory
Arguments:
process_identifier: 2752
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002790000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
Status: 1
Return: 0
Repeated: 0
section .rsrc (size_of_data 0x00010c00, virtual_address 0x00045000, virtual_size 0x00010a58, entropy 7.323356650772614) description A section with a high entropy has been found
entropy 0.245421245421 description Overall entropy of this PE file is high
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Crypter reg_value C:\Users\test22\AppData\Local\Temp\safevpn20.11342.2k.exe
Elastic malicious (moderate confidence)
McAfee Artemis!6BAFBA4A4317
Cylance unsafe
VIPRE Generic.Ransom.PyCrypter.68AEBD21
K7AntiVirus Trojan ( 005850dc1 )
Alibaba Ransom:Win32/Filecoder.f5ab4f15
K7GW Trojan ( 005850dc1 )
Cybereason malicious.a43173
Symantec Trojan.Gen.MBT
ESET-NOD32 multiple detections
APEX Malicious
Cynet Malicious (score: 99)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Generic.Ransom.PyCrypter.68AEBD21
Avast FileRepMalware [Ransom]
Rising Ransom.PyCryptCfg/JSON!1.E129 (CLASSIC)
Emsisoft Generic.Ransom.PyCrypter.68AEBD21 (B)
F-Secure Heuristic.HEUR/AGEN.1319707
DrWeb Python.Encoder.28
TrendMicro TROJ_GEN.R002C0DGM23
McAfee-GW-Edition Python/Ransom.n
FireEye Generic.Ransom.PyCrypter.68AEBD21
Sophos Mal/Generic-S
GData Generic.Ransom.PyCrypter.68AEBD21
Avira HEUR/AGEN.1319707
MAX malware (ai score=88)
Arcabit Generic.Ransom.PyCrypter.68AEBD21
ZoneAlarm HEUR:Trojan-Ransom.Win32.Generic
Microsoft Trojan:Win32/Leonem
ALYac Generic.Ransom.PyCrypter.68AEBD21
Malwarebytes Generic.Malware/Suspicious
Panda Trj/RansomGen.A
TrendMicro-HouseCall TROJ_GEN.R002C0DGM23
Tencent Win32.Trojan-Ransom.Generic.Ckjl
Fortinet Python/Filecoder.EG!tr
AVG FileRepMalware [Ransom]
DeepInstinct MALICIOUS