Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
01.18 04:01
svc.exe
01.18 04:01
RemittanceForms.exe
01.18 04:01
Aristois-Free.jar
01.18 10:01
setup641.msi
01.18 10:01
Needle_Setup.exe
01.18 10:01
8734_5737.exe
01.18 10:01
CondoGenerator.exe
01.18 10:01
QGFQTHIU.exe
01.18 10:01
4909_7122.exe
01.18 10:01
Updater.exe

Latest News
01.19 03:01
Putting Cheap Motorcyc...
01.19 03:01
Trump Will ‘Most Likel...
01.19 01:01
DOJ confirms arrested ...
01.19 12:01
Sicher und günstig: Sc...
01.19 12:01
Learn New Tools, or Ho...
01.18 10:01
Deutschland auf Platz ...
01.18 10:01
Suchmaschine: Google-S...
01.18 10:01
24H2: Microsoft drängt...
01.18 09:01
FBI Warned Agents It B...
01.18 09:01
JTAG & SWD Debuggi...

Summary | ZeroBOX

ReklamX.ps1

Hide_EXE Generic Malware Antivirus

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 4, 2023, 10:27 a.m.	Oct. 4, 2023, 10:29 a.m.

Size	257.2KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`2160e7fcf5819e58a56ff11da1573885`
SHA256	`e51cfc4ccf015ea240546459a25884b818594916e04d987c08fa5d2b2e12aa30`
CRC32	`FB385361`
ssdeep	`6144:gRtFGhfHHPwtLhanP7Kwd+ApMhfMWk/vGyYv/misXHAqyOd5MZL/Zw952lSS8oyb:gRtFGhfHHPwtLhanP7Kwd+ApMhfMWk/H`
Yara	hide_executable_file - Hide executable file

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\ReklamX.ps1
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return	Repeated
CryptExportKey Oct. 4, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050a8c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Oct. 4, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050a8c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Oct. 4, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050a8c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Oct. 4, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050a8c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Oct. 4, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050a8c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Oct. 4, 2023, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050a8c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 4, 2023, 10:27 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 2556 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06130000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Oct. 4, 2023, 10:27 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Symantec	Backdoor.ASync!gm
ESET-NOD32	PowerShell/Agent.ASK
TrendMicro-HouseCall	Backdoor.PS1.ASYNCRAT.YXDJCZ
Avast	Script:SNH-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan.PowerShell.Kryptik.gen
Tencent	Win32.Trojan.Kryptik.Rsmw
F-Secure	Malware.VBS/PSRunner.VPI
TrendMicro	Backdoor.PS1.ASYNCRAT.YXDJCZ
Avira	VBS/PSRunner.VPI
MAX	malware (ai score=82)
Microsoft	Trojan:Script/Wacatac.B!ml
Gridinsoft	Trojan.U.AsyncRAT.bot
ZoneAlarm	HEUR:Trojan.PowerShell.Kryptik.gen
GData	Trojan.GenericKD.69561553
Rising	Trojan.Agent/PS!8.1331B (TOPIS:E0:xE9VmkmtpgQ)
Ikarus	Trojan.MSIL.Agent
AVG	Script:SNH-gen [Trj]