Summary | ZeroBOX

lb.exe

BlackMatter Ransomware PE32 PE File
Category FILE
Machine s1_win7_x6401
Started April 30, 2024, 7:32 a.m.
Completed April 30, 2024, 7:34 a.m.
Size 194.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6fd558cf3add096970e15d1e62ca1957
SHA256 41e187191625d749b89a11bc04fc0b2a3b9bd638035d05b39365c47ab36d1898
CRC32 591FC4F3
ssdeep 3072:n6glyuxE4GsUPnliByocWepMhJL4BFkTGX:n6gDBGpvEByocWeyhJL4UK
Yara
  • BlackMatter_Ransomware_IN - BlackMatter Ransomware
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .itext
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00460000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00461000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00465000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00476000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00477000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 2540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76faf000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
section .data (size_of_data 0x0000a000, virtual_address 0x0001b000, virtual_size 0x0000adc8, entropy 7.986669783715182) description A section with a high entropy has been found
section .pdata (size_of_data 0x00000a00, virtual_address 0x00026000, virtual_size 0x0000088e, entropy 7.3371310664441465) description A section with a high entropy has been found
entropy 0.219638242894 description Overall entropy of this PE file is high

Antivirus Detection

Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Lockbit.tsu4
tehtris Generic.Malware
Cynet Malicious (score: 100)
CAT-QuickHeal Ransom.Lockbit.S29768538
Skyhigh BehavesLike.Win32.Infected.ch
ALYac Trojan.Ransom.LockBit
Cylance unsafe
VIPRE Trojan.Ransom.PIC
Sangfor Ransom.Win32.Save.LockBit30
BitDefender Trojan.Ransom.PIC
K7GW Trojan ( 005b2d561 )
K7AntiVirus Trojan ( 005b2d561 )
Arcabit Trojan.Ransom.PIC
VirIT Ransom.Win32.LockBit.GEN
Symantec Trojan.Emotet
Elastic Windows.Ransomware.Lockbit
ESET-NOD32 a variant of Win32/Filecoder.BlackMatter.O
APEX Malicious
McAfee GenericRXVB-PR!6FD558CF3ADD
Avast Win32:Evo-gen [Trj]
ClamAV Win.Ransomware.BlackMatter-9965914-0
Kaspersky UDS:DangerousObject.Multi.Generic
Alibaba Ransom:Win32/Lockbit.1600cb1f
NANO-Antivirus Virus.Win32.Gen.ccmw
MicroWorld-eScan Trojan.Ransom.PIC
Rising Ransom.LockBit!1.DFDC (CLASSIC)
Emsisoft Trojan.Ransom.PIC (B)
F-Secure Backdoor.BDS/ZeroAccess.Gen7
DrWeb Trojan.Encoder.38845
Zillya Trojan.Filecoder.Win32.26912
TrendMicro Ransom_Lockbit.R06FC0DDQ24
Trapmine malicious.high.ml.score
FireEye Generic.mg.6fd558cf3add0969
Sophos Troj/Lockbit-W
Ikarus Trojan-Ransom.LockBit
Jiangmin Trojan.Crypmodng.cd
Webroot W32.Ransom.Lockbit
Google Detected
Avira BDS/ZeroAccess.Gen7
MAX malware (ai score=83)
Antiy-AVL Trojan/Win32.LockBit
Kingsoft malware.kb.a.999
Gridinsoft Ransom.Win32.LockBit.tr
Microsoft Ransom:Win32/Lockbit.AK!ibt
ViRobot Trojan.Win.Z.Ransom.199168.B
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Trojan.Ransom.PIC
Varist W32/ABRisk.PFJA-5603
AhnLab-V3 Trojan/Win.Kryptik.R646105