Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 10, 2023, 7:41 a.m.	Oct. 10, 2023, 7:43 a.m.

Size	408.5KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`243b6e0960e9d3b63d924ba0c2b8a6fd`
SHA256	`c37725f3d841f41890fc017839a9f3af2a84e76ca7b154276c59329b68c18cd8`
CRC32	`8E86579E`
ssdeep	`6144:QmjZ2yJsYCT2MghUSa3vRLb5oBtDeBaYYEIO9A/xVxaS2ZbcD:NjQyJsYMVSa/RLb5oAYEV9AJVx`
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE64 - (no description) OS_Processor_Check_Zero - OS Processor Check

udat1.exe "C:\Users\test22\AppData\Local\Temp\udat1.exe"
2560

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 10, 2023, 7:34 a.m.	stacktrace: 0x540003 exception.instruction_r: 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 exception.instruction: add byte ptr [rbx], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x540003 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 5250029 registers.rbx: 0 registers.rsp: 1244120 registers.r11: 1244064 registers.r8: 31 registers.r9: -76843841185972498 registers.rdx: 165088 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 5505024 registers.r13: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 10, 2023, 7:34 a.m.	process_identifier: 2560 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0
NtAllocateVirtualMemory Oct. 10, 2023, 7:34 a.m.	process_identifier: 2560 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000540000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0001e600', u'virtual_address': u'0x00021000', u'entropy': 7.134588847567097, u'name': u'.rdata', u'virtual_size': u'0x0001e5fa'}

entropy

7.13458884757

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00026600', u'virtual_address': u'0x00040000', u'entropy': 7.6173295886386345, u'name': u'.data', u'virtual_size': u'0x000274b8'}

entropy

7.61732958864

description

A section with a high entropy has been found

entropy

0.674846625767

description

Overall entropy of this PE file is high

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Bkav	W64.AIDetectMalware
FireEye	Generic.mg.243b6e0960e9d3b6
McAfee	Artemis!243B6E0960E9
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
TrendMicro	TrojanSpy.Win64.VIDAR.YXDJIZ
McAfee-GW-Edition	BehavesLike.Win64.BumbleBee.gc
Trapmine	suspicious.low.ml.score
Antiy-AVL	Trojan/Win64.GenKryptik
Kingsoft	malware.kb.a.988
Gridinsoft	Spy.Win64.Vidar.bot
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	UDS:DangerousObject.Multi.Generic
TrendMicro-HouseCall	TrojanSpy.Win64.VIDAR.YXDJIZ
SentinelOne	Static AI - Suspicious PE
Cybereason	malicious.8823f8
DeepInstinct	MALICIOUS

udat1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All