Summary | ZeroBOX

santa.exe

Admin Tool (Sysinternals etc ...) UPX PE File PE32
Category: FILE
Machine: s1_win7_x6403_us
Started: Jan. 11, 2024, 7:33 a.m.
Completed: Jan. 11, 2024, 7:35 a.m.
Size 424.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 42d990690985f79c5f131af8cb5f9fdb
SHA256 f1f32b6e13d2ee1678899aab184161b51b0c06df57719a85f9be5a8823c604b6
CRC32 C6A89378
ssdeep 12288:0ODGxaUjJcgL1r8xcWSmyD5MecKRjYKkJj6GmZU:06UEXSmQ5tJZYb6nZ
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
status: 1 | return: 1 | repeated: 0
resource name CUSTOM
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1636532
registers.edi: 3031328
registers.eax: 1636532
registers.ebp: 1636612
registers.edx: 0
registers.ebx: 3031328
registers.esi: 3031328
registers.ecx: 2
status: 1 | return: 0 | repeated: 0
wmi Select * from Win32_Process
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00590000
process_handle: 0xffffffff
status: 1 | return: 0 | repeated: 0
section: name .rsrc, virtual_address 0x00041000, virtual_size 0x00028f40, size_of_data 0x00029000, entropy 7.868441250204723
entropy 7.8684412502 description A section with a high entropy has been found
entropy 0.390476190476 description Overall entropy of this PE file is high
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Dacic.i!c
MicroWorld-eScan Generic.Dacic.DF6F27E2.A.F9135100
Skyhigh BehavesLike.Win32.Triusor.gh
McAfee Artemis!42D990690985
Cylance unsafe
VIPRE Generic.Dacic.DF6F27E2.A.F9135100
Sangfor Suspicious.Win32.Save.vb
K7AntiVirus NetWorm ( 700000151 )
Alibaba TrojanPSW:Win32/DarkCloud.9fdd2df3
K7GW NetWorm ( 700000151 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Generic.Dacic.DF6F27E2.A.F9135100
BitDefenderTheta Gen:NN.ZevbaF.36680.Am0@auFAknii
Symantec ML.Attribute.HighConfidence
Elastic Windows.Trojan.DarkCloud
ESET-NOD32 a variant of Win32/Spy.VB.OLN
APEX Malicious
ClamAV Win.Malware.Dacic-10015827-0
Kaspersky Trojan-PSW.Win32.DarkCloud.op
BitDefender Generic.Dacic.DF6F27E2.A.F9135100
Avast Win32:SpywareX-gen [Trj]
Tencent Malware.Win32.Gencirc.11b9f80d
Emsisoft Generic.Dacic.DF6F27E2.A.F9135100 (B)
F-Secure Trojan.TR/VB.Downloader.Gen
DrWeb Trojan.PWS.DarkCloud.1
Zillya Trojan.VB.Win32.1701513
TrendMicro TROJ_GEN.R002C0DKK23
Sophos Mal/Generic-S
Ikarus Trojan-Spy.Win32.VB
Webroot W32.Trojan.Gen
Google Detected
Avira TR/VB.Downloader.Gen
Varist W32/VBKrypt.BIU.gen!Eldorado
Antiy-AVL Trojan[Spy]/Win32.VB.oln
Kingsoft Win32.HeurC.KVM006.a
Gridinsoft Worm.Win32.Dorkbot.rc!n
Microsoft Trojan:Win32/DarkCloudStealer.SE!MTB
ZoneAlarm Trojan-PSW.Win32.DarkCloud.op
GData Win32.Trojan-Stealer.DarkCloud.A
Cynet Malicious (score: 99)
AhnLab-V3 Trojan/Win.PWS.R562305
VBA32 Malware-Cryptor.VB.gen.1
Malwarebytes Malware.AI.2695249165
Panda Trj/Genetic.gen
TrendMicro-HouseCall TROJ_GEN.R002C0DKK23
Rising Spyware.VB!8.226 (TFE:4:sprh2mJu3xO)
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.220845324.susgen
Fortinet W32/Injector.ERUA!tr