Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 14, 2024, 1:23 p.m.	Jan. 14, 2024, 1:27 p.m.

Size	13.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`4952f7d5dbfdd54e151d6cd75afcc930`
SHA256	`5027e50a930fe5890e729194116e23a12f3109606346941c6f932008fa1829f2`
CRC32	`E92F6B06`
ssdeep	`192:88EkmyjZ8fjTVfFaCZ7AamqnrAgVhl3Q5tfDXU/tr:8Cmy27jZ7AWR3e0r`
PDB Path	D:\æé¡¹å·¥å·åæ¾\åæ\viper\CallbackEnumChildWindows_1657683863\x64\Release\viper.pdb
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

winserver.exe "C:\Users\test22\AppData\Local\Temp\winserver.exe"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
49.235.80.190	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

D:\æé¡¹å·¥å·åæ¾\åæ\viper\CallbackEnumChildWindows_1657683863\x64\Release\viper.pdb

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 14, 2024, 1:23 p.m.	process_identifier: 2548 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001c50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 14, 2024, 1:23 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 14, 2024, 1:23 p.m.	process_identifier: 2548 region_size: 413696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001d42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Foreign language identified in PE resource (2 events)

name

RT_ICON

language

LANG_CHINESE

filetype

dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4170156168, next used block 0

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000060f0

size

0x000002e8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000063d8

size

0x00000014

Communicates with host for which no DNS query was performed (1 event)

host

49.235.80.190

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

49.235.80.190:2367

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W32.Common.E21A115B
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 100)
Skyhigh	RDN/Generic Dropper
ALYac	Trojan.GenericKD.70777269
Cylance	unsafe
VIPRE	Trojan.GenericKD.70777269
Sangfor	Dropper.Win32.Agent.Vifj
BitDefender	Trojan.GenericKD.70777269
Arcabit	Trojan.Generic.D437F9B5
Symantec	ML.Attribute.HighConfidence
McAfee	RDN/Generic Dropper
Avast	Win64:DropperX-gen [Drp]
Kaspersky	UDS:DangerousObject.Multi.Generic
MicroWorld-eScan	Trojan.GenericKD.70777269
Emsisoft	Trojan.GenericKD.70777269 (B)
TrendMicro	TROJ_GEN.R011C0PLM23
Sophos	Mal/Generic-S
Jiangmin	Trojan.Generic.hsbyw
Webroot	W32.Malware.Gen
Google	Detected
Antiy-AVL	Trojan/Win32.Agent
Kingsoft	Win32.Troj.Unknown.a
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.GenericKD.70777269
Varist	W64/ABRisk.SPAC-2977
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R011C0PLM23
MaxSecure	Trojan.Malware.7164915.susgen
Fortinet	PossibleThreat.MU
AVG	Win64:DropperX-gen [Drp]
CrowdStrike	win/malicious_confidence_90% (W)

winserver.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All