Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 12, 2024, 7:08 p.m.	May 12, 2024, 7:14 p.m.

Size	4.5MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4de76ad34e9ccffc91bbec7a3c4e79e0`
SHA256	`e84cad4f234445a47bf803591ac168031558e9215ba714c2197fe75b5188aa1c`
CRC32	`A13C6834`
ssdeep	`49152:Fw+k41fhgCT4O3Qdx09EwApWjGUAN1ZtgX+cvfrmhC0w9O2XM+OBFpGMEMBF:FE2ScXywApWyZZWXLvjmo9iB`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Is_DotNET_EXE - (no description) IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

file.exe "C:\Users\test22\AppData\Local\Temp\file.exe"
2052

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 12, 2024, 7:09 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 12, 2024, 7:09 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 12, 2024, 7:08 p.m.			0	0
IsDebuggerPresent May 12, 2024, 7:08 p.m.			0	0
IsDebuggerPresent May 12, 2024, 7:09 p.m.			0	0
IsDebuggerPresent May 12, 2024, 7:09 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 12, 2024, 7:08 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 2052 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 2052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 2052 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2024, 7:08 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2024, 7:09 p.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0045f200', u'virtual_address': u'0x00002000', u'entropy': 7.175534447108094, u'name': u'.text', u'virtual_size': u'0x0045f064'}

entropy

7.17553444711

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00014400', u'virtual_address': u'0x00462000', u'entropy': 7.463973814620061, u'name': u'.rsrc', u'virtual_size': u'0x000142bc'}

entropy

7.46397381462

description

A section with a high entropy has been found

entropy

0.999890302764

description

Overall entropy of this PE file is high

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealer.12!c
Elastic	malicious (high confidence)
Skyhigh	Artemis!Trojan
ALYac	Trojan.GenericKD.72698293
VIPRE	Trojan.GenericKD.72698293
BitDefender	Trojan.GenericKD.72698293
Arcabit	Trojan.Generic.D45549B5
Symantec	Trojan.Gen.MBT
tehtris	Generic.Malware
ESET-NOD32	a variant of MSIL/Kryptik.ALOD
APEX	Malicious
McAfee	Artemis!4DE76AD34E9C
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
MicroWorld-eScan	Trojan.GenericKD.72698293
Rising	Trojan.Kryptik!8.8 (CLOUD)
Emsisoft	Trojan.GenericKD.72698293 (B)
F-Secure	Trojan.TR/Kryptik.efovj
TrendMicro	Trojan.Win32.PRIVATELOADER.YXEEIZ
FireEye	Trojan.GenericKD.72698293
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Crypt
Google	Detected
Avira	TR/Kryptik.efovj
MAX	malware (ai score=81)
Antiy-AVL	Trojan/MSIL.Kryptik
Kingsoft	MSIL.Trojan-Spy.Stealer.gen
Gridinsoft	Malware.Win32.ZgRAT.tr
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	MSIL.Trojan-Stealer.MetaStealer.SOZ6CD
Varist	W32/MSIL_Troj.DEJ.gen!Eldorado
AhnLab-V3	Trojan/Win.Kryptik.C5620270
BitDefenderTheta	Gen:NN.ZemsilCO.36804.@p0@aK4ps2c
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.MalPack.MSIL.Generic
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXEEIZ
Tencent	Msil.Trojan-Spy.Stealer.Usmw
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AJDX!tr
AVG	Win32:PWSX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:MSIL/Kryptik.AEX!

file.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All