Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 29, 2024, 12:21 p.m.	March 29, 2024, 12:32 p.m.

Size	473.0KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`76df4a59b141eb56536805aa8c597c24`
SHA256	`dadff5f7199fd06f151dc1808c6a3e3a45447d19eb4f5639e47fe2f24cfd3b84`
CRC32	`4AA4910A`
ssdeep	`12288:eT1gXSplyLVb3UAE5oRIOhsqnHzDJzeoXRj1JVT:y1gXYlgID5oRhH9eW`
PDB Path	Reboot.pdb
Yara	Craxs_RAT - Craxs RAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

appdata.exe "C:\Users\test22\AppData\Local\Temp\appdata.exe"
940

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA March 29, 2024, 12:21 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 29, 2024, 12:21 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 29, 2024, 12:21 p.m.			0	0
IsDebuggerPresent March 29, 2024, 12:21 p.m.			0	0
IsDebuggerPresent March 29, 2024, 12:21 p.m.			0	0
IsDebuggerPresent March 29, 2024, 12:21 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA March 29, 2024, 12:21 p.m.	buffer: Unhandled Exception: console_handle: 0x0000000b	1	1	0
WriteConsoleA March 29, 2024, 12:21 p.m.	buffer: System.MissingMethodException: Method not found: '!!0 System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(IntPtr)'. at MSG_NET.Angelo.ReturnSpecialList() at MSG_NET.Angelo..ctor() at MSG_NET.Program.Main(String[] args) console_handle: 0x0000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

Reboot.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 29, 2024, 12:21 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 29, 2024, 12:21 p.m.	process_identifier: 940 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 12:21 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2024, 12:21 p.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2024, 12:21 p.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 12:21 p.m.	process_identifier: 940 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02420000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 12:21 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 12:21 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 12:21 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 12:21 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 12:21 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00741000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 12:21 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 12:21 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 12:21 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 29, 2024, 12:21 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00075a00', u'virtual_address': u'0x00002000', u'entropy': 7.970313012497091, u'name': u'.text', u'virtual_size': u'0x000758f4'}

entropy

7.9703130125

description

A section with a high entropy has been found

entropy

0.995767195767

description

Overall entropy of this PE file is high

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Stealer.12!c
Skyhigh	Artemis!Trojan
ALYac	Trojan.GenericKD.72129319
Cylance	unsafe
VIPRE	Trojan.GenericKD.72129319
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 005b36331 )
Alibaba	Trojan:MSIL/LummaC.06a7b46b
K7GW	Trojan ( 005b36331 )
VirIT	Trojan.Win32.GenusT.DVOY
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/GenKryptik.GVJR
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
BitDefender	Trojan.GenericKD.72129319
MicroWorld-eScan	Trojan.GenericKD.72129319
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:5RtpVHdi13XtfAvrv69i0Q)
F-Secure	Trojan.TR/AD.GenSteal.euxfz
BitDefenderTheta	Gen:NN.ZemsilF.36802.Dm0@aK!GDgb
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.76df4a59b141eb56
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Crypt
Avira	TR/AD.GenSteal.euxfz
MAX	malware (ai score=81)
Kingsoft	MSIL.Trojan-Spy.Stealer.gen
Gridinsoft	Malware.Win32.ZgRAT.tr
Arcabit	Trojan.Generic.D44C9B27
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	Trojan.GenericKD.72129319
Varist	W32/MSIL_Stealer.U.gen!Eldorado
AhnLab-V3	Trojan/Win.TrojanX-gen.C5605126
McAfee	Artemis!76DF4A59B141
DeepInstinct	MALICIOUS
VBA32	TScope.Trojan.MSIL
Malwarebytes	Trojan.Crypt.MSIL.Generic
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXEC1Z
Tencent	Malware.Win32.Gencirc.1406d705
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/GenKryptik.GVHR!tr
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
alibabacloud	Trojan[spy]:MSIL/Stealer.gen

appdata.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All