Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 21, 2024, 9:31 a.m.	July 21, 2024, 9:35 a.m.

Size	45.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`092c3991693cf8e0023895e4c1681fae`
SHA256	`86e691956c37b1594ef05158264e82e28655233a446fb06d4e269769ed582f06`
CRC32	`1B59EB03`
ssdeep	`768:IjfpXZt7MgODsO2Qbv4AjZfGiZbtw0yrYQ2CFAuJWyWm5nbcuyD7USq3:IjfpwgnO2aVj15ZG0ycQ20fnouy8Sq3`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

billi_e58d74e455634dc695ed8a7b8b320325.exe.upx.exe "C:\Users\test22\AppData\Local\Temp\billi_e58d74e455634dc695ed8a7b8b320325.exe.upx.exe"
1880

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
167.250.49.155	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 21, 2024, 9:31 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000a800', u'virtual_address': u'0x0000e000', u'entropy': 7.973496095884803, u'name': u'UPX1', u'virtual_size': u'0x0000b000'}

entropy

7.97349609588

description

A section with a high entropy has been found

entropy

0.943820224719

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

167.250.49.155

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

167.250.49.155:445

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Lionic	Trojan.Win32.Jorik.lrUS
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Swrort.A
McAfee	GenericRXAA-AA!092C3991693C
ALYac	Generic.ShellCode.Marte.H.4B7582C4
Cylance	unsafe
VIPRE	Generic.ShellCode.Marte.H.4B7582C4
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Generic.ShellCode.Marte.H.4B7582C4
K7GW	Trojan ( 001172b51 )
K7AntiVirus	Trojan ( 001172b51 )
Arcabit	Generic.ShellCode.Marte.H.4B7582C4
Cyren	W32/Swrort.D.gen!Eldorado
Symantec	Meterpreter
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/Rozena.BJG
APEX	Malicious
Avast	Win32:Meterpreter-C [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Trojan:Win32/Meterpreter.e73743cc
NANO-Antivirus	Trojan.Win32.Shellcode.ewfvwj
MicroWorld-eScan	Generic.ShellCode.Marte.H.4B7582C4
Rising	Trojan.Crypto!8.364 (TFE:5:qRUE1u5wYD)
Emsisoft	Generic.ShellCode.Marte.H.4B7582C4 (B)
F-Secure	Trojan.TR/Crypt.ZPACK.Gen
DrWeb	Trojan.Swrort.1
Zillya	Trojan.Generic.Win32.1122612
McAfee-GW-Edition	Swrort.d
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.092c3991693cf8e0
Sophos	ATK/SwrortPk-A
Ikarus	Trojan.Win32.Swrort
Jiangmin	Trojan.Generic.hnqyj
Webroot	W32.Trojan.Swrort
Avira	TR/Crypt.ZPACK.Gen
MAX	malware (ai score=81)
Xcitium	TrojWare.Win32.Rozena.A@4jwdqr
Microsoft	Trojan:Win32/Meterpreter.O
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Win32.Trojan.PSE.10KKVZ1
Google	Detected
AhnLab-V3	Backdoor/Win32.Bifrose.R12476
BitDefenderTheta	Gen:NN.ZexaF.36164.cmKfa4rf30ji
DeepInstinct	MALICIOUS
VBA32	Trojan.Swrort
Malwarebytes	Malware.Heuristic.1003
Panda	Trj/GdSda.A
Tencent	Win32.Trojan.Generic.Kajl
Yandex	Trojan.GenAsa!O0/tdGI4TGA

billi_e58d74e455634dc695ed8a7b8b320325.exe.upx.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All