Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
01.20 04:01
strings_output.txt
01.18 04:01
svc.exe
01.18 04:01
RemittanceForms.exe
01.18 04:01
Aristois-Free.jar
01.18 10:01
setup641.msi
01.18 10:01
Needle_Setup.exe
01.18 10:01
8734_5737.exe
01.18 10:01
CondoGenerator.exe
01.18 10:01
QGFQTHIU.exe
01.18 10:01
4909_7122.exe

Latest News
01.20 03:01
How much does your ele...
01.20 03:01
Bone Filament, For Pri...
01.20 03:01
DT 네트웍스, BYD 서초 및 수원 전...
01.20 03:01
Paytm Sales Drop for F...
01.20 02:01
산업제어시스템 WGS-804HPT서 치명...
01.20 02:01
포낙보청기 대구·부산서면·경주센터, 설맞...
01.20 02:01
미, 국가 사이버안보와 개인정보 유출 우...
01.20 02:01
모아소프트, 해군 함정기술연구소와 군수발...
01.20 02:01
2025년도 인터넷거버넌스 민간전문가 I...
01.20 01:01
요아정, 광교 갤러리아 팝업스토어 운영

Summary | ZeroBOX

FreeArc-0.51-win32.exe

UPX Malicious Library BMP Format PE32 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 2, 2024, 10:04 p.m.	July 2, 2024, 10:06 p.m.

Size	6.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`f610dc533e6a1a631d78391705f374e9`
SHA256	`6539dcec7fc5f5a62e0b44dd6f796a7ef7a09c16ec43d100ac2e6ffc74a8faba`
CRC32	`AE0BA0E7`
ssdeep	`98304:1PC/ETlZEqMB5M/AJEZmUWGGE+qoX5EngjKqgyu2+7TkAOphJSlOse9syIZbRlry:8EoqqmoXU8E0inFTkxp6e9orkHRrilg`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

FreeArc-0.51-win32.exe "C:\Users\test22\AppData\Local\Temp\FreeArc-0.51-win32.exe"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 2, 2024, 10:04 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 2, 2024, 10:04 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc1000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 2, 2024, 10:04 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b71000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 2, 2024, 10:04 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 2, 2024, 10:04 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c61000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 2, 2024, 10:04 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c24000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 2, 2024, 10:04 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c62000 process_handle: 0xffffffff	1	0	0

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

Bkav	W32.Common.80C3A334
Symantec	Trojan Horse
Zillya	Exploit.IMG.Win32.698
Jiangmin	Exploit.IMG-WMF.wm
Antiy-AVL	Trojan/Win32.SGeneric
Gridinsoft	Malware.Win32.GenericMC.cc