Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 9, 2024, 5:03 p.m.	July 9, 2024, 5:06 p.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`99c919281e619f24edc578e427433f7b`
SHA256	`95ff9b2516243fd104555cb9b3fa51b27adeba8f27a80c0f69f7918599938e27`
CRC32	`C721A1C6`
ssdeep	`24576:6xWAU3eLSBOyqnimFdZRpXy21aEbCA5ebL1l9ZSJ4B10JV06YRGr:6wuLSBMldAM35eLzvSA06Gr`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Is_DotNET_EXE - (no description) IsPE32 - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

runerdata.exe "C:\Users\test22\AppData\Local\Temp\runerdata.exe"
1960

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 9, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 9, 2024, 5:03 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 9, 2024, 5:03 p.m.			0	0
IsDebuggerPresent July 9, 2024, 5:03 p.m.			0	0
IsDebuggerPresent July 9, 2024, 5:03 p.m.			0	0
IsDebuggerPresent July 9, 2024, 5:03 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 9, 2024, 5:03 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (16 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00416000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 9, 2024, 5:03 p.m.	process_identifier: 1960 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00189200', u'virtual_address': u'0x00002000', u'entropy': 7.99649898690679, u'name': u'.text', u'virtual_size': u'0x00189060'}

entropy

7.99649898691

description

A section with a high entropy has been found

entropy

0.998729755478

description

Overall entropy of this PE file is high

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetectMalware.CS
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Generic.tc
Cylance	Unsafe
Sangfor	Trojan.Msil.Agent.Vdiu
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.GYII
APEX	Malicious
McAfee	Artemis!99C919281E61
Avast	RATX-gen [Trj]
Kaspersky	HEUR:Backdoor.MSIL.Remcos.gen
Alibaba	Trojan:MSIL/GenKryptik.48023cda
Rising	Backdoor.Remcos!8.B89E (CLOUD)
TrendMicro	Trojan.Win32.AMADEY.YXEGIZ
McAfeeD	ti!95FF9B251624
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.99c919281e619f24
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Inject
Google	Detected
Kingsoft	malware.kb.c.1000
Gridinsoft	Trojan.Win32.Kryptik.sa
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Win32.Trojan.Agent.3LLIDJ
Varist	W32/MSIL_Kryptik.KHA.gen!Eldorado
BitDefenderTheta	Gen:NN.ZemsilF.36808.In0@a8yleDn
DeepInstinct	MALICIOUS
Malwarebytes	MachineLearning/Anomalous.97%
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXEGIZ
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Agent.QXH!tr.dldr
AVG	RATX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (D)
alibabacloud	Trojan:MSIL/GenKryptik.GNEA

runerdata.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All