Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 17, 2023, 6:32 p.m.	Nov. 17, 2023, 6:49 p.m.

Size	6.9MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`55eba6afbb6a5123fb11252960424d3e`
SHA256	`34fb49847105091abefded78102a21b9242302b190d6a121df38e7a17d29e642`
CRC32	`CAD40961`
ssdeep	`98304:YGDjWM8JEE1r/amaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeROYKJJcGhEIFWG:YG0yeNTfm/pf+xk4dWROtrbWOjgdO`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) ASPack_Zero - ASPack packed file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

Magma_Menu.exe "C:\Users\test22\AppData\Local\Temp\Magma_Menu.exe"
2560
- Magma_Menu.exe "C:\Users\test22\AppData\Local\Temp\Magma_Menu.exe"
  2668

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 17, 2023, 6:25 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 17, 2023, 6:25 p.m.	stacktrace: CtfImeIsIME+0x8530 TF_IsCtfmonRunning-0xe28 msctf+0x4a278 @ 0x7fefee9a278 TF_IsCtfmonRunning+0x2f4 TF_RunInputCPL-0x1a19c msctf+0x4b394 @ 0x7fefee9b394 SetInputScope+0x4662 DllRegisterServer-0x10f5e msctf+0x2e1e2 @ 0x7fefee7e1e2 TF_GetInputScope+0x19f3 CtfImeDestroyThreadMgr-0x20a9 msctf+0x14bcb @ 0x7fefee64bcb TF_GetInputScope+0x2ae9 CtfImeDestroyThreadMgr-0xfb3 msctf+0x15cc1 @ 0x7fefee65cc1 TF_CanUninitialize+0x74 CtfNotifyIME-0x1318 msctf+0x21ea4 @ 0x7fefee71ea4 TF_CleanUpPrivateMessages+0xf48 DllGetClassObject-0x514 msctf+0x180d4 @ 0x7fefee680d4 TF_CleanUpPrivateMessages+0xf26 DllGetClassObject-0x536 msctf+0x180b2 @ 0x7fefee680b2 TF_CleanUpPrivateMessages+0xc7b DllGetClassObject-0x7e1 msctf+0x17e07 @ 0x7fefee67e07 TF_CleanUpPrivateMessages+0xbb8 DllGetClassObject-0x8a4 msctf+0x17d44 @ 0x7fefee67d44 RtlProcessFlsData+0x84 LdrUnlockLoaderLock-0x7c ntdll+0x2b894 @ 0x76d5b894 LdrShutdownProcess+0xa9 NtdllDialogWndProc_W-0x43b ntdll+0x24249 @ 0x76d54249 RtlExitUserProcess+0x90 LdrShutdownProcess-0x20 ntdll+0x24180 @ 0x76d54180 magma_menu+0x19ea1 @ 0x13f4f9ea1 magma_menu+0x19e6c @ 0x13f4f9e6c magma_menu+0xc194 @ 0x13f4ec194 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: ff 50 18 89 9e f8 08 00 00 48 3b fb 74 28 48 39 exception.symbol: CtfImeIsIME+0x8530 TF_IsCtfmonRunning-0xe28 msctf+0x4a278 exception.instruction: call qword ptr [rax + 0x18] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 303736 exception.address: 0x7fefee9a278 registers.r14: 0 registers.r15: 0 registers.rcx: 46183392 registers.rsi: 0 registers.r10: 1 registers.rbx: 0 registers.rsp: 2554464 registers.r11: 0 registers.r8: 2553056 registers.r9: 0 registers.rdx: 0 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1950540584 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 17, 2023, 6:25 p.m.

stacktrace:

CtfImeIsIME+0x8530 TF_IsCtfmonRunning-0xe28 msctf+0x4a278 @ 0x7fefee9a278
TF_IsCtfmonRunning+0x2f4 TF_RunInputCPL-0x1a19c msctf+0x4b394 @ 0x7fefee9b394
SetInputScope+0x4662 DllRegisterServer-0x10f5e msctf+0x2e1e2 @ 0x7fefee7e1e2
TF_GetInputScope+0x19f3 CtfImeDestroyThreadMgr-0x20a9 msctf+0x14bcb @ 0x7fefee64bcb
TF_GetInputScope+0x2ae9 CtfImeDestroyThreadMgr-0xfb3 msctf+0x15cc1 @ 0x7fefee65cc1
TF_CanUninitialize+0x74 CtfNotifyIME-0x1318 msctf+0x21ea4 @ 0x7fefee71ea4
TF_CleanUpPrivateMessages+0xf48 DllGetClassObject-0x514 msctf+0x180d4 @ 0x7fefee680d4
TF_CleanUpPrivateMessages+0xf26 DllGetClassObject-0x536 msctf+0x180b2 @ 0x7fefee680b2
TF_CleanUpPrivateMessages+0xc7b DllGetClassObject-0x7e1 msctf+0x17e07 @ 0x7fefee67e07
TF_CleanUpPrivateMessages+0xbb8 DllGetClassObject-0x8a4 msctf+0x17d44 @ 0x7fefee67d44
RtlProcessFlsData+0x84 LdrUnlockLoaderLock-0x7c ntdll+0x2b894 @ 0x76d5b894
LdrShutdownProcess+0xa9 NtdllDialogWndProc_W-0x43b ntdll+0x24249 @ 0x76d54249
RtlExitUserProcess+0x90 LdrShutdownProcess-0x20 ntdll+0x24180 @ 0x76d54180
magma_menu+0x19ea1 @ 0x13f4f9ea1
magma_menu+0x19e6c @ 0x13f4f9e6c
magma_menu+0xc194 @ 0x13f4ec194
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: ff 50 18 89 9e f8 08 00 00 48 3b fb 74 28 48 39
exception.symbol: CtfImeIsIME+0x8530 TF_IsCtfmonRunning-0xe28 msctf+0x4a278
exception.instruction: call qword ptr [rax + 0x18]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 303736
exception.address: 0x7fefee9a278
registers.r14: 0
registers.r15: 0
registers.rcx: 46183392
registers.rsi: 0
registers.r10: 1
registers.rbx: 0
registers.rsp: 2554464
registers.r11: 0
registers.r8: 2553056
registers.r9: 0
registers.rdx: 0
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1950540584
registers.r13: 0

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI25602\libffi-8.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25602\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25602\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25602\python311.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25602\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25602\libssl-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI25602\rar.exe

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000b800', u'virtual_address': u'0x00046000', u'entropy': 7.946797785585829, u'name': u'.rsrc', u'virtual_size': u'0x0000b62c'}

entropy

7.94679778559

description

A section with a high entropy has been found

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Agent.Y!c
DrWeb	Python.Muldrop.18
MicroWorld-eScan	Trojan.GenericKD.70401900
Skyhigh	Artemis!Trojan
McAfee	GenericRXAA-AA!55EBA6AFBB6A
Malwarebytes	Generic.Malware.AI.DDS
VIPRE	Trojan.GenericKD.70401900
Alibaba	Packed:Win64/PyInstaller.49ed8663
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/Packed.PyInstaller.L
Cynet	Malicious (score: 100)
Kaspersky	Trojan-Spy.Win32.Agent.dffz
BitDefender	Trojan.GenericKD.70401900
Avast	Win32:Agent-BDOJ [Trj]
Rising	Spyware.Agent/PYC!1.EA8F (CLASSIC)
Emsisoft	Trojan.GenericKD.70401900 (B)
F-Secure	Trojan.TR/Crypt.FKM.Gen
Zillya	Trojan.Pytr.Script.15
FireEye	Trojan.GenericKD.70401900
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Jiangmin	Trojan.Python.dm
Varist	W64/Agent.HHZ.gen!Eldorado
Avira	TR/Crypt.FKM.Gen
MAX	malware (ai score=80)
Antiy-AVL	Trojan/Win32.Wacatac
Gridinsoft	Malware.Win64.Gen.bot
Arcabit	Trojan.Generic.D4323F6C
ZoneAlarm	Trojan-Spy.Win32.Agent.dffz
GData	Win64.Trojan.Agent.8COGF8
Google	Detected
ALYac	Trojan.GenericKD.70401900
Cylance	unsafe
Panda	Trj/Chgt.AD
Tencent	Win32.Trojan.Pyinstaller.Cdhl
Ikarus	Trojan.Python.Agent
Fortinet	W64/PackedPyInstaller.L!tr
AVG	Win32:Agent-BDOJ [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

Magma_Menu.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All