Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 14, 2023, 6:47 p.m.	Dec. 14, 2023, 6:52 p.m.

Size	417.6KB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`9e3b880453d0f37e746383cdec335d56`
SHA256	`7c6bd535738cf0b1a2e8c259e52e271ee2199e22ae50ce311ff0809e237548d1`
CRC32	`29DBBFD5`
ssdeep	`6144:cwE/fpyH/VZ4NmAMS+vKnkZ2Rul2fKVu1iECHy3ivdmogOK52QU:cwIy4YwJkUIAiXmykBTU`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file

fol2.exe "C:\Users\test22\AppData\Local\Temp\fol2.exe"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW Dec. 14, 2023, 6:40 p.m.	snapshot_handle: 0x000000000000003c process_name: sdclt.exe process_identifier: 2376	1	1
Process32NextW Dec. 14, 2023, 6:40 p.m.	snapshot_handle: 0x000000000000003c process_name: taskhost.exe process_identifier: 2384	1	1
Process32NextW Dec. 14, 2023, 6:40 p.m.	snapshot_handle: 0x000000000000003c process_name: conhost.exe process_identifier: 2600	1	1
Process32NextW Dec. 14, 2023, 6:40 p.m.	snapshot_handle: 0x000000000000003c process_name: schtasks.exe process_identifier: 2628	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 14, 2023, 6:40 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 106496 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000000005d0000 process_handle: 0xffffffffffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001a000', u'virtual_address': u'0x00004000', u'entropy': 7.989082375519677, u'name': u'.rdata', u'virtual_size': u'0x00019ef0'}

entropy

7.98908237552

description

A section with a high entropy has been found

entropy

0.28729281768

description

Overall entropy of this PE file is high

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W64.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Cylance	unsafe
Sangfor	Trojan.Win32.Save.a
BitDefender	Trojan.GenericKD.70769368
Cybereason	malicious.2653ae
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/Kryptik.DSQ
APEX	Malicious
Avast	Win64:Evo-gen [Trj]
Kaspersky	Backdoor.Win64.Havoc.bmx
Alibaba	Trojan:Win64/Kryptik.cc829ece
Rising	Trojan.Kryptik!8.8 (TFE:5:AUiVxTm2GhT)
Emsisoft	Trojan.GenericKD.70769368 (B)
F-Secure	Trojan.TR/Kryptik.wswcx
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.9e3b880453d0f37e
Sophos	Mal/Generic-S
Ikarus	Trojan.Win64.Crypt
Google	Detected
Avira	TR/Kryptik.wswcx
Antiy-AVL	Trojan/Win64.Kryptik
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Trojan.Win64.Kryptik.sa
Microsoft	Trojan:Win32/ScarletFlash.A
ZoneAlarm	Backdoor.Win64.Havoc.bmx
GData	Win64.Trojan.Agent.OTDV9M
Varist	W64/ABRisk.XTHD-8440
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Crypt
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0DLD23
Tencent	Win32.Trojan.FalseSign.Ztjl
SentinelOne	Static AI - Malicious PE
Fortinet	W64/Kryptik.DSQ!tr
AVG	Win64:Evo-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

fol2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All