Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 20, 2023, 9:43 a.m.	Nov. 20, 2023, 9:47 a.m.

Size	7.6MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`5fe0d276069583d186448d4aaf9a2842`
SHA256	`abfae33792c8c075a2993310b182c0090ac9042481f1d7d10e3c72f5bba3680a`
CRC32	`F259ED37`
ssdeep	`196608:+EYS6g9qOshoKMuIkhVastRL5Di3uz1D7c03:FYSd8OshouIkPftRL54aRZ3`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

Discord.exe "C:\Users\test22\AppData\Local\Temp\Discord.exe"
2072
- Discord.exe "C:\Users\test22\AppData\Local\Temp\Discord.exe"
  2184

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 20, 2023, 9:36 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 20, 2023, 9:36 a.m.	stacktrace: 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 0x7fef7c97ef8 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x7fef7c97ef8 registers.r14: 0 registers.r15: 196974 registers.rcx: 196974 registers.rsi: 1 registers.r10: 196974 registers.rbx: 0 registers.rsp: 2194792 registers.r11: 0 registers.r8: 1 registers.r9: 0 registers.rdx: 28 registers.r12: 0 registers.rbp: 9737568 registers.rdi: 0 registers.rax: 2194896 registers.r13: 28	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 20, 2023, 9:36 a.m.

stacktrace:

0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8
0x7fef7c97ef8

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x7fef7c97ef8
registers.r14: 0
registers.r15: 196974
registers.rcx: 196974
registers.rsi: 1
registers.r10: 196974
registers.rbx: 0
registers.rsp: 2194792
registers.r11: 0
registers.r8: 1
registers.r9: 0
registers.rdx: 28
registers.r12: 0
registers.rbp: 9737568
registers.rdi: 0
registers.rax: 2194896
registers.r13: 28

Creates executable files on the filesystem (7 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI20722\rar.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI20722\libssl-3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20722\libcrypto-3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20722\libffi-8.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20722\python311.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20722\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI20722\VCRUNTIME140.dll

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Agent.tstc
MicroWorld-eScan	Trojan.GenericKD.70466482
FireEye	Trojan.GenericKD.70466482
Skyhigh	BehavesLike.Win64.Generic.wc
McAfee	Artemis!5FE0D2760695
Malwarebytes	Generic.Malware.Agent.DDS
Zillya	Trojan.Agent.Script.1743086
Alibaba	Packed:Win64/PyInstaller.074243eb
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/Packed.PyInstaller.L
Kaspersky	Trojan-Spy.Win32.Agent.dffz
BitDefender	Trojan.GenericKD.70466482
Avast	Win32:Agent-BDOJ [Trj]
Tencent	Win32.Trojan.Pyinstaller.Simw
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Spy.Agent.lwkun
DrWeb	Python.Muldrop.16
Emsisoft	Trojan.GenericKD.70466482 (B)
Jiangmin	Trojan.PSW.Python.ki
Webroot	W32.Adware.Gen
Google	Detected
Avira	TR/Spy.Agent.lwkun
Varist	W64/Agent.HHZ.gen!Eldorado
Antiy-AVL	GrayWare/Win32.Wacapew
Kingsoft	Win32.Troj.Undef.a
Microsoft	Trojan:Win64/BlankGrabber!MSR
Gridinsoft	Trojan.Win64.Agent.sa
Arcabit	Trojan.Generic.D4333BB2
ZoneAlarm	Trojan-Spy.Win32.Agent.dffz
GData	Win64.Trojan.Agent.TCR5QI
Cynet	Malicious (score: 99)
AhnLab-V3	Malware/Win.Generic.C5544289
ALYac	Trojan.GenericKD.70454027
MAX	malware (ai score=81)
Cylance	unsafe
Panda	Trj/Chgt.AD
Rising	Spyware.Agent/PYC!1.EA8F (CLASSIC)
Ikarus	Trojan.Win64.Pyinstaller
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	W64/PackedPyInstaller.L!tr
AVG	Win32:Agent-BDOJ [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

Discord.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All