Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 25, 2023, 10:50 a.m.	Oct. 25, 2023, 10:53 a.m.

Size	644.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6b99673a78e02bdd536e208b986c5b4d`
SHA256	`df47430551261ac10362ee18761e5ee30f18a009398d15280613d6e4ebe67a73`
CRC32	`3625C458`
ssdeep	`12288:KfXIxSd70IiBnYKIV3CusoszArC3T01R2rgqTgibxmAFNWURa:KcShc3k+Ewrbx33g`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

ImxyQs.exe "C:\Users\test22\AppData\Local\Temp\ImxyQs.exe"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Oct. 25, 2023, 10:51 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 25, 2023, 10:51 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 25, 2023, 10:50 a.m.			0	0
IsDebuggerPresent Oct. 25, 2023, 10:50 a.m.			0	0
IsDebuggerPresent Oct. 25, 2023, 10:51 a.m.			0	0
IsDebuggerPresent Oct. 25, 2023, 10:51 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 25, 2023, 10:50 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 25, 2023, 10:50 a.m.	process_identifier: 2556 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2023, 10:50 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 25, 2023, 10:50 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 25, 2023, 10:50 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2023, 10:50 a.m.	process_identifier: 2556 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2023, 10:50 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2023, 10:50 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2023, 10:50 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2023, 10:50 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2023, 10:50 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2023, 10:50 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2023, 10:50 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 25, 2023, 10:51 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Lionic	Trojan.Win32.Seraph.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoaderNET.829
MicroWorld-eScan	Trojan.GenericKD.69999681
FireEye	Trojan.GenericKD.69999681
Skyhigh	Artemis!Trojan
Cylance	unsafe
VIPRE	Trojan.GenericKD.69999934
Sangfor	Trojan.Msil.Kryptik.V699
BitDefender	Trojan.GenericKD.69999681
CrowdStrike	win/malicious_confidence_90% (W)
VirIT	Trojan.Win32.GenusT.DTFD
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AJYC
APEX	Malicious
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-Downloader.MSIL.Seraph.gen
Alibaba	Trojan:MSIL/Kryptik_AGen.249ee0bc
Rising	Downloader.Seraph!8.111C6 (CLOUD)
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Redcap.stiof
TrendMicro	Trojan.Win32.SMOKELOADER.YXDJXZ
Emsisoft	Trojan.GenericKD.69999681 (B)
SentinelOne	Static AI - Suspicious PE
GData	Trojan.GenericKD.69999681
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Redcap.stiof
MAX	malware (ai score=88)
Antiy-AVL	Trojan/MSIL.Kryptik
Gridinsoft	Ransom.Win32.Sabsik.sa
Xcitium	Malware@#2mp38058usrzs
Arcabit	Trojan.Generic.D42C1C41
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.Seraph.gen
Microsoft	Trojan:Win32/Znyonm
Varist	W32/ABRisk.RDTL-0456
McAfee	Artemis!6B99673A78E0
DeepInstinct	MALICIOUS
VBA32	Malware-Cryptor.MSIL.AgentTesla.Heur
Malwarebytes	Trojan.Downloader.MSIL.Generic
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.SMOKELOADER.YXDJXZ
Tencent	Win32.Trojan.FalseSign.Kmnw
Ikarus	Trojan.MSIL.Crypt
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/GenKryptik.GFFH!tr
AVG	Win32:PWSX-gen [Trj]
Avast	Win32:PWSX-gen [Trj]

ImxyQs.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All