Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe
11.13 02:11
nb.exe
11.13 02:11
svcyr.exe
11.13 02:11
Ghost_1.5.11.5.exe
11.13 02:11
PowderGpl.exe
11.13 02:11
goodlabel%E6%89%93%E5%...

Latest News
11.14 07:11
Former FTX Coder Wang ...
11.14 06:11
Jenkins security advis...
11.14 06:11
Nu Posts Record Return...
11.14 06:11
Cisco Gives Strong Rev...
11.14 06:11
US Accuses China of ‘B...
11.14 06:11
Landscape Motif Makes ...
11.14 05:11
Iranian threat group t...
11.14 05:11
Palo Alto Networks sec...
11.14 05:11
Agencies push for digi...
11.14 05:11
Statt Wechsel auf Wind...

Summary | ZeroBOX

scg.exe

Malicious Packer UPX Malicious Library PE64 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 2, 2024, 7:17 a.m.	May 2, 2024, 7:20 a.m.

Size	6.8MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`9e5e6b8901f999088856e0eb04746864`
SHA256	`5579422f33e7ffecc0d8f51954a223f8a939c515f07c157221bea021fa492117`
CRC32	`E6803343`
ssdeep	`98304:3pAONHlGqrX/cjk0Kd3nzw0tcWPaWBzoct/ipANRxI1RvYN/gu1H:3pA+M2vok0KFnzw0tzPocBd6BggGH`
Yara	IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer UPX_Zero - UPX packed file

scg.exe "C:\Users\test22\AppData\Local\Temp\scg.exe"
292

Name	Response	Post-Analysis Lookup
scll.netlify.com	A 18.139.194.139 A 46.137.195.11	18.139.194.139

IP Address	Status	Action
164.124.101.2	Active	Moloch
46.137.195.11	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49161 46.137.195.11:443	None	None	None

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.symtab

The binary likely contains encrypted or compressed data indicative of a packer (8 events)

section

{u'size_of_data': u'0x00049e00', u'virtual_address': u'0x00517000', u'entropy': 7.996252195343117, u'name': u'/19', u'virtual_size': u'0x00049c1a'}

entropy

7.99625219534

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00013400', u'virtual_address': u'0x00561000', u'entropy': 7.939232357841458, u'name': u'/32', u'virtual_size': u'0x00013289'}

entropy

7.93923235784

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00004a00', u'virtual_address': u'0x00575000', u'entropy': 7.963431437992627, u'name': u'/46', u'virtual_size': u'0x0000491d'}

entropy

7.96343143799

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00009a00', u'virtual_address': u'0x0057a000', u'entropy': 7.978878285369768, u'name': u'/63', u'virtual_size': u'0x0000980c'}

entropy

7.97887828537

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0009aa00', u'virtual_address': u'0x00585000', u'entropy': 7.998154239837883, u'name': u'/99', u'virtual_size': u'0x0009a8e8'}

entropy

7.99815423984

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00055600', u'virtual_address': u'0x00620000', u'entropy': 7.995732959717223, u'name': u'/112', u'virtual_size': u'0x00055573'}

entropy

7.99573295972

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0001be00', u'virtual_address': u'0x00676000', u'entropy': 7.797639208087676, u'name': u'/124', u'virtual_size': u'0x0001bcb6'}

entropy

7.79763920809

description

A section with a high entropy has been found

entropy

0.216220109479

description

Overall entropy of this PE file is high

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress May 2, 2024, 7:17 a.m.	ordinal: 0 function_address: 0x000007fefe467a50 function_name: wine_get_version module: ntdll module_address: 0x00000000776c0000		-1073741511	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Scrop.b!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojandropper.Scrop
ALYac	Trojan.Generic.35738810
Cylance	unsafe
VIPRE	Trojan.Generic.35738810
Sangfor	Downloader.Win64.Scrop.Vqxk
BitDefender	Trojan.Generic.35738810
K7GW	Trojan-Downloader ( 0055fae71 )
K7AntiVirus	Trojan-Downloader ( 0055fae71 )
Arcabit	Trojan.Generic.D22154BA
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win64/TrojanDownloader.Agent.EV
APEX	Malicious
Avast	Win64:Malware-gen
Kaspersky	Trojan-Dropper.Win32.Scrop.altk
Alibaba	TrojanDropper:Win32/Scrop.98c75cf0
MicroWorld-eScan	Trojan.Generic.35738810
Emsisoft	Trojan.Generic.35738810 (B)
F-Secure	Trojan.TR/Dldr.Agent.iawam
Zillya	Dropper.Scrop.Win32.2709
TrendMicro	Trojan.Win32.SCROP.USBLDM24
FireEye	Trojan.Generic.35738810
Sophos	Mal/Generic-S
Ikarus	Trojan.Win64.Hershell
Google	Detected
Avira	TR/Dldr.Agent.iawam
MAX	malware (ai score=86)
Antiy-AVL	Trojan[Dropper]/Win32.Scrop
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Ransom.Win64.Wacatac.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Trojan-Dropper.Win32.Scrop.altk
GData	Trojan.Generic.35738810
Varist	W64/ABRisk.BEWG-0320
DeepInstinct	MALICIOUS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.SCROP.USBLDM24
Tencent	Malware.Win32.Gencirc.14096057
Fortinet	W64/Agent.EV!tr.dldr
AVG	Win64:Malware-gen
Paloalto	generic.ml
alibabacloud	Trojan[downloader]:Win/Agent.EY