Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 11, 2023, 7:38 a.m.	Sept. 11, 2023, 7:47 a.m.

Size	1.4MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`bca408ca8e4a4d10c877744bfb58b43f`
SHA256	`fbb1f62b75df3af3305a3bca694e4050dbd86718390db2f737a5db2d8cca96ee`
CRC32	`5E324269`
ssdeep	`24576:i/U/qOJD8wC779sjdllpjLEtJgIf1E+UR9t1S+qWXqyS56Pta2RjMb3lUS/cr:i/pewwmsffXd+Unt1KWXsGJVMb3lbo`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description)

QmapmAFtEUjYUodvdxV63DhsGuLq96iCMXuBvaGx2mhdpq.exe "C:\Users\test22\AppData\Local\Temp\QmapmAFtEUjYUodvdxV63DhsGuLq96iCMXuBvaGx2mhdpq.exe"
2656

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 11, 2023, 7:31 a.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x76d80895 stacktrace+0x84 memdup-0x1af @ 0x73980470 hook_in_monitor+0x45 lde-0x133 @ 0x739742ea New_ntdll_NtTerminateProcess+0x20 New_ntdll_NtTerminateThread-0x11a @ 0x73995ac4 RtlExitUserProcess+0x48 LdrShutdownProcess-0x68 ntdll+0x24138 @ 0x76d54138 DotNetRuntimeDebugHeader-0x1e0f78 qmapmafteujyuodvdxv63dhsgulq96icmxubvagx2mhdpq+0x208028 @ 0x13f998028 DotNetRuntimeDebugHeader-0x1e0f78 qmapmafteujyuodvdxv63dhsgulq96icmxubvagx2mhdpq+0x208028 @ 0x13f998028 DotNetRuntimeDebugHeader-0x3e7fa0 qmapmafteujyuodvdxv63dhsgulq96icmxubvagx2mhdpq+0x1000 @ 0x13f791000 0x28bbc0 DotNetRuntimeDebugHeader-0x3e7fa0 qmapmafteujyuodvdxv63dhsgulq96icmxubvagx2mhdpq+0x1000 @ 0x13f791000 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x76d80895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2683496 registers.rsi: 5359865856 registers.r10: 3221225785 registers.rbx: 5361991720 registers.rsp: 2685600 registers.r11: 8796092882944 registers.r8: 64 registers.r9: 1994816544 registers.rdx: 2684840 registers.r12: 0 registers.rbp: 8791776100352 registers.rdi: 5364288935 registers.rax: 2683176 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 11, 2023, 7:31 a.m.

stacktrace:

RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x76d80895
stacktrace+0x84 memdup-0x1af @ 0x73980470
hook_in_monitor+0x45 lde-0x133 @ 0x739742ea
New_ntdll_NtTerminateProcess+0x20 New_ntdll_NtTerminateThread-0x11a @ 0x73995ac4
RtlExitUserProcess+0x48 LdrShutdownProcess-0x68 ntdll+0x24138 @ 0x76d54138
DotNetRuntimeDebugHeader-0x1e0f78 qmapmafteujyuodvdxv63dhsgulq96icmxubvagx2mhdpq+0x208028 @ 0x13f998028
DotNetRuntimeDebugHeader-0x1e0f78 qmapmafteujyuodvdxv63dhsgulq96icmxubvagx2mhdpq+0x208028 @ 0x13f998028
DotNetRuntimeDebugHeader-0x3e7fa0 qmapmafteujyuodvdxv63dhsgulq96icmxubvagx2mhdpq+0x1000 @ 0x13f791000
0x28bbc0
DotNetRuntimeDebugHeader-0x3e7fa0 qmapmafteujyuodvdxv63dhsgulq96icmxubvagx2mhdpq+0x1000 @ 0x13f791000

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x76d80895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 2683496
registers.rsi: 5359865856
registers.r10: 3221225785
registers.rbx: 5361991720
registers.rsp: 2685600
registers.r11: 8796092882944
registers.r8: 64
registers.r9: 1994816544
registers.rdx: 2684840
registers.r12: 0
registers.rbp: 8791776100352
registers.rdi: 5364288935
registers.rax: 2683176
registers.r13: 0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00157e00', u'virtual_address': u'0x002ee000', u'entropy': 7.999763809817708, u'name': u'UPX1', u'virtual_size': u'0x00158000'}

entropy

7.99976380982

description

A section with a high entropy has been found

entropy

0.997823721436

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

QmapmAFtEUjYUodvdxV63DhsGuLq96iCMXuBvaGx2mhdpq

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All