Summary | ZeroBOX

win.exe

UPX PE32 PE File
Category: FILE
Machine: s1_win7_x6403_us
Started: May 6, 2024, 4:49 p.m.
Completed: May 6, 2024, 4:56 p.m.
Size 1.8MB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5 8a2a16720871904c285e2365f4169602
SHA256 650b17ad2f6690a4eb33f57ce5589b85a42faef17366b755f4e5e6d831ff8df2
CRC32 C32068AB
ssdeep 49152:eDmghls3y1+XfWL6Vcp5/n6GFvBWA3xHEJi6LRXgje:Mmghls5Bq/68c2Hgib
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Domains
Name Response
www.google.com 142.250.76.132

Hosts
IP Address Status Action
164.124.101.2 Active Moloch
199.195.254.188 Active Moloch

Suricata Alerts

Flow: TCP 192.168.56.103:49165 -> 199.195.254.188:808
SID: 2024897
Signature: ET USER_AGENTS Go HTTP Client User-Agent
Category: Misc activity

The rule fires on the default User-Agent of Go's net/http client (Go-http-client/1.1), so the traffic to 199.195.254.188 on TCP/808 is plain HTTP from a Go binary; this agrees with the WinGo/Agent names from ESET and Ikarus below.

Suricata TLS

Flow: TLS 1.3 192.168.56.103:49162 -> 199.195.254.188:785
Issuer: None
Subject: None
Fingerprint: None

Issuer, subject and fingerprint are empty because the handshake is TLS 1.3, where the server's Certificate message is encrypted; a passive sensor like Suricata cannot read certificate fields from it. The only usable network indicators for this flow are the destination address and the non-standard port.

Static
packer UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
file C:\ProgramData\Microsoft\csrss.exe (dropped copy of the sample; the legitimate csrss.exe lives only in C:\Windows\System32)
Behavior
Time & API Arguments Status Return Repeated
GetAdaptersAddresses
flags: 16 (0x10, GAA_FLAG_INCLUDE_PREFIX)
family: 0 (AF_UNSPEC)
1 0 0
Signatures
section UPX1 (virtual_address 0x0039d000, virtual_size 0x001cd000, size_of_data 0x001cd000, entropy 7.917154806448342) description A section with a high entropy has been found
entropy 0.99945799458 description Overall entropy of this PE file is high (this figure is the share of raw section data that sits in high-entropy sections, about 99.9%, not an entropy in bits per byte: UPX1 alone is 0x1cd000 bytes of the roughly 1.8MB file)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
host 199.195.254.188
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Administrator reg_value C:\ProgramData\Microsoft\csrss.exe (persistence: a Run value named "Administrator" launching a csrss.exe look-alike from ProgramData, a user-writable directory)
Time & API Arguments Status Return Repeated
LdrGetProcedureAddress
ordinal: 0
function_address: 0x00a2f6c9
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0

3221225785 is 0xC0000139, STATUS_ENTRYPOINT_NOT_FOUND. ntdll exports wine_get_version only under Wine, so resolving it is an environment check: the sample uses the failed lookup to confirm it is running on a real Windows (here the Windows 7 analysis machine) rather than under Wine.
Antivirus
Vendor Detection
Bkav W32.AIDetectMalware
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Generic.tc
ALYac Gen:Variant.Fragtor.149252
VIPRE Gen:Variant.Fragtor.149252
Sangfor Trojan.Win32.Save.a
BitDefender Gen:Variant.Fragtor.149252
Arcabit Trojan.Fragtor.D24704
Symantec ML.Attribute.HighConfidence
Elastic malicious (moderate confidence)
ESET-NOD32 a variant of WinGo/Agent.HV
APEX Malicious
McAfee GenericRXAA-AA!8A2A16720871
Avast Win32:Evo-gen [Trj]
ClamAV Win.Malware.Lazy-9969515-0
Kaspersky UDS:DangerousObject.Multi.Generic
MicroWorld-eScan Gen:Variant.Fragtor.149252
Rising Backdoor.Kaiji/Linux!1.E52B (CLOUD)
Emsisoft Gen:Variant.Fragtor.149252 (B)
F-Secure Heuristic.HEUR/AGEN.1366851
DrWeb BackDoor.Siggen2.4187
Trapmine suspicious.low.ml.score
FireEye Gen:Variant.Fragtor.149252
Ikarus Trojan.WinGo.Agent
Google Detected
Avira HEUR/AGEN.1366851
Antiy-AVL Trojan/Win32.SGeneric
Kingsoft Win32.Troj.Undef.a
Microsoft Trojan:Win32/Wacatac.A!ml
ZoneAlarm VHO:Trojan-Ransom.Win32.Convagent.gen
GData Gen:Variant.Fragtor.149252
AhnLab-V3 Trojan/Win.Generic.R531897
BitDefenderTheta Gen:NN.ZexaF.36804.ZnGfae4hZUbi
DeepInstinct MALICIOUS
VBA32 TrojanRansom.Chaos
Malwarebytes Trojan.Injector.UPX
Tencent Trojan-Ransom.Win32.Foreign.ka
MAX malware (ai score=86)
MaxSecure Trojan.Malware.300983.susgen
AVG Win32:Evo-gen [Trj]
alibabacloud Trojan:Multi/Fragtor.Gen
Dead hosts (connection attempts that received no answer)
dead_host 192.168.56.103:49266
dead_host 192.168.56.1:22
dead_host 192.168.56.101:22
dead_host 192.168.56.103:49169

The two TCP/22 entries are connection attempts to other hosts in the sandbox subnet, i.e. the sample tried to reach SSH on its neighbours; the entries for 192.168.56.103 are the analysis machine's own ephemeral ports.