Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 18, 2024, 6:18 p.m.	June 18, 2024, 6:20 p.m.

Size	886.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3445e5cbc4f883d4c8db25e193ad30d2`
SHA256	`9a388d2527a40b8c46df38ab7e9d756862c6b502ed45b4008838ad5b192878b5`
CRC32	`E93EA591`
ssdeep	`24576:12rT5JibBsR1YAcUSWcPsPQcVnJtCaR+Eo:spJ22R1rcUWPsPFVrCaR+Eo`
Yara	Malicious_Library_Zero - Malicious_Library ASPack_Zero - ASPack packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

127pos.exe "C:\Users\test22\AppData\Local\Temp\127pos.exe"
2552

Name	Response	Post-Analysis Lookup
www.gdbaodao.cn	A 14.19.217.34	14.19.217.34

IP Address	Status	Action
14.19.217.34	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 14.19.217.34:2002	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.101:49161 -> 14.19.217.34:2002	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation
TCP 192.168.56.101:49161 -> 14.19.217.34:2002	2008350	ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 18, 2024, 6:18 p.m.			0	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 18, 2024, 6:18 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (4 events)

name

RT_RCDATA

language

LANG_CHINESE

filetype

ISO-8859 text, with very long lines, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d979c

size

0x0000175f

name

RT_RCDATA

language

LANG_CHINESE

filetype

ISO-8859 text, with very long lines, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d979c

size

0x0000175f

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000dafb0

size

0x000001a0

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000db150

size

0x000001e1

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Lionic	Trojan.Win32.Agent.Y!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Injector.ch
ALYac	Trojan.GenericKD.70790719
Cylance	Unsafe
VIPRE	Trojan.GenericKD.70790719
Sangfor	Trojan.Win32.Agent.Vy75
K7AntiVirus	Riskware ( 00584baa1 )
BitDefender	Trojan.GenericKD.70790719
K7GW	Riskware ( 00584baa1 )
Cybereason	malicious.bc4f88
Arcabit	Trojan.Generic.D4382E3F
Symantec	Trojan.Gen.MBT
APEX	Malicious
McAfee	Artemis!3445E5CBC4F8
Avast	Win32:Malware-gen
ClamAV	Win.Malware.Autoit-7533156-0
Kaspersky	Trojan.Win32.Agent.xbibxg
Alibaba	Trojan:Win32/Generic.520cd8a3
MicroWorld-eScan	Trojan.GenericKD.70790719
Emsisoft	Trojan.GenericKD.70790719 (B)
F-Secure	Trojan.TR/Agent.sdpxi
Zillya	Trojan.GenericTKA.Win32.190
McAfeeD	ti!9A388D2527A4
FireEye	Generic.mg.3445e5cbc4f883d4
Sophos	Mal/Generic-S
Ikarus	Trojan.Agent
Jiangmin	Trojan.Pasta.ahk
Webroot	W32.Malware.Gen
Google	Detected
Avira	TR/Agent.sdpxi
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Win32.Pasta
Kingsoft	Win32.Trojan.Agent.xbibxg
Gridinsoft	Trojan.Win32.Agent.vb!s1
Xcitium	Malware@#1292zhclokdxu
Microsoft	Trojan:Win32/Phonzy.A!ml
ZoneAlarm	Trojan.Win32.Agent.xbibxg
GData	Trojan.GenericKD.70790719
Varist	W32/ABRisk.FFEN-7417
DeepInstinct	MALICIOUS
VBA32	Backdoor.Bladabindi
Malwarebytes	Generic.Malware.AI.DDS
Panda	Trj/Chgt.AD
MaxSecure	Win.MxResIcn.Heur.Gen
Fortinet	W32/PossibleThreat
AVG	Win32:Malware-gen
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_100% (W)

127pos.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All