Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 3, 2024, 7:13 a.m.	April 3, 2024, 7:20 a.m.

Size	386.1KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`cfd2733ba128f49a373042a1a6c3fe19`
SHA256	`5d93c67ddde2e5fdc00a4e5777aa37d9ea4639227c633d044fb467b210640d28`
CRC32	`71A70700`
ssdeep	`12288:DHKzTnUs8oF7lWrf4p0fM5kzzLsK8Qll6V:DqzTUvEjCfMiHYMoV`
PDB Path	c:\9w7kjnhf\obj\Release\Laptop.pdb
Yara	Craxs_RAT - Craxs RAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

5.exe "C:\Users\test22\AppData\Local\Temp\5.exe"
2576

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
91.92.242.200	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 91.92.242.200:3333 -> 192.168.56.101:49164	2400006	ET DROP Spamhaus DROP Listed Traffic Inbound group 7	Misc Attack

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA April 3, 2024, 7:13 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 3, 2024, 7:13 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 3, 2024, 7:13 a.m.			0	0
IsDebuggerPresent April 3, 2024, 7:13 a.m.			0	0
IsDebuggerPresent April 3, 2024, 7:13 a.m.			0	0
IsDebuggerPresent April 3, 2024, 7:13 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA April 3, 2024, 7:13 a.m.	buffer: System.MissingMethodException: ???? ?? ? ????. '!!0 System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(IntPtr)' ??: MSG_NET.Angelo.ReturnSpecialList() ??: MSG_NET.Program.Main(String[] args) console_handle: 0x0000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

c:\9w7kjnhf\obj\Release\Laptop.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 3, 2024, 7:13 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 3, 2024, 7:13 a.m.	process_identifier: 2576 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:13 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2024, 7:13 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2024, 7:13 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:13 a.m.	process_identifier: 2576 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:13 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:13 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:13 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:13 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:13 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:13 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:13 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2024, 7:13 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0005ae00', u'virtual_address': u'0x00002000', u'entropy': 7.994538605700393, u'name': u'.text', u'virtual_size': u'0x0005ad54'}

entropy

7.9945386057

description

A section with a high entropy has been found

entropy

0.993169398907

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

91.92.242.200

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Lumma.i!c
Elastic	malicious (high confidence)
Skyhigh	Artemis
Cylance	unsafe
VIPRE	Gen:Variant.Zusy.542885
Sangfor	Infostealer.Msil.Lumma.Vc8v
BitDefender	Gen:Variant.Zusy.542885
Arcabit	Trojan.Zusy.D848A5
VirIT	Trojan.Win32.Genus.VMB
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.GVUB
McAfee	Artemis!CFD2733BA128
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-PSW.MSIL.Lumma.gen
Alibaba	Trojan:MSIL/Stealerc.307bfdff
MicroWorld-eScan	Gen:Variant.Zusy.542885
Rising	Stealer.Lumma!8.177F6 (CLOUD)
Emsisoft	Gen:Variant.Zusy.542885 (B)
F-Secure	Trojan.TR/AD.Nekark.hyisb
FireEye	Gen:Variant.Zusy.542885
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Krypt
Google	Detected
Avira	TR/AD.Nekark.hyisb
MAX	malware (ai score=89)
Gridinsoft	Malware.Win32.Gen.tr
Microsoft	Trojan:MSIL/Stealerc.AMMF!MTB
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Lumma.gen
GData	Win32.Trojan.Kryptik.R4DK0R
Varist	W32/MSIL_Kryptik.KTZ.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.C5606905
BitDefenderTheta	Gen:NN.ZemsilF.36802.ym2@auYXnOli
DeepInstinct	MALICIOUS
Panda	Trj/CI.A
TrendMicro-HouseCall	TrojanSpy.Win32.RHADAMANTHYS.YXEDBZ
Tencent	Malware.Win32.Gencirc.10bfcb5f
Fortinet	MSIL/GenKryptik.GVHR!tr
AVG	Win32:PWSX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (D)
alibabacloud	Trojan[stealer]:MSIL/Lumma.gen

5.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All