Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 16, 2024, 8:42 a.m.	May 16, 2024, 8:44 a.m.

Size	4.5MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`133fda00a490e613f3a6c511c1c660eb`
SHA256	`cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169`
CRC32	`CEA296AC`
ssdeep	`24576:ypPiRcjGOOiX3Sl9L7MupXdagdle6whTeo5A4T9W+xjaCsyfwUmvHX+ODvz8JQDm:`
Yara	hide_executable_file - Hide executable file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

Kaxhwswfup.exe "C:\Users\test22\AppData\Local\Temp\Kaxhwswfup.exe"
1676

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA May 16, 2024, 8:42 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 16, 2024, 8:42 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 16, 2024, 8:42 a.m.			0	0
IsDebuggerPresent May 16, 2024, 8:42 a.m.			0	0
IsDebuggerPresent May 16, 2024, 8:42 a.m.			0	0
IsDebuggerPresent May 16, 2024, 8:42 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 16, 2024, 8:42 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 16, 2024, 8:42 a.m.	process_identifier: 1676 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:42 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2024, 8:42 a.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2024, 8:42 a.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:42 a.m.	process_identifier: 1676 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02450000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:42 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:42 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:42 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00325000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:42 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:42 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00327000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:42 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0030c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:42 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2024, 8:42 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Dropper.rz
McAfee	PWS-FDOO!133FDA00A490
Sangfor	Trojan.Msil.Agent.Vmx6
BitDefender	Trojan.GenericKD.72763333
Arcabit	Trojan.Generic.D45647C5
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.QSC
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
ClamAV	Win.Packed.Gamarue-10029963-0
Kaspersky	HEUR:Backdoor.MSIL.Crysan.gen
Alibaba	Backdoor:MSIL/Crysan.da49ed5e
MicroWorld-eScan	Trojan.GenericKD.72763333
Rising	Backdoor.Crysan!8.10ECA (CLOUD)
Emsisoft	Trojan.GenericKD.72763333 (B)
F-Secure	Trojan.TR/AD.Nekark.nbspv
DrWeb	Trojan.PackedNET.2841
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.133fda00a490e613
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
Google	Detected
Avira	TR/AD.Nekark.nbspv
MAX	malware (ai score=86)
Antiy-AVL	Trojan[Backdoor]/MSIL.Crysan
Kingsoft	MSIL.Trojan.Scar.gen
Gridinsoft	Trojan.Win32.Packed.sa
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Backdoor.MSIL.Crysan.gen
GData	Win32.Trojan.Agent.MD1XG7
Varist	W32/MSIL_Troj.DEX.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.C5491362
BitDefenderTheta	Gen:NN.ZemsilF.36804.@p0@a8GX0sm
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.1678218233
TrendMicro-HouseCall	TROJ_GEN.R002H06EF24
Fortinet	MSIL/Kryptik.AKVA!tr
AVG	Win32:RATX-gen [Trj]
Paloalto	generic.ml

Kaxhwswfup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All