Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 2, 2024, 5:18 p.m.	Aug. 2, 2024, 5:23 p.m.

Size	202.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`72bcb9136fde10fdddfaa593f2cdfe42`
SHA256	`bb38168a3222858c6b499dfceec3e3dc9055777b91869dbece107c241d97c436`
CRC32	`8FECFA1D`
ssdeep	`6144:jcpL70IqhJWQf2v8m1I5UIi0NJ8IyLHiS:j0cICJWQfXmS5UIv8IsC`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

build_2024-07-24_23-16.exe "C:\Users\test22\AppData\Local\Temp\build_2024-07-24_23-16.exe"
1540

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.yaren
section	.lumac

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

DUKUPIREYAFEHO

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 2, 2024, 5:18 p.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 106496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076a000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 2, 2024, 5:18 p.m.	process_identifier: 1540 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (10 events)

name

DUKUPIREYAFEHO

language

LANG_TURKISH

filetype

ASCII text, with very long lines, with no line terminators

sublanguage

SUBLANG_DEFAULT

offset

0x0003c450

size

0x00000bf7

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00045a78

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00045a78

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00045a78

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00045a78

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00045a78

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00045a78

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00045a78

size

0x00000468

name

RT_ICON

language

LANG_TURKISH

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_DEFAULT

offset

0x00045a78

size

0x00000468

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x00046250

size

0x00000076

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00023a00', u'virtual_address': u'0x00001000', u'entropy': 7.733293846013758, u'name': u'.text', u'virtual_size': u'0x000239a3'}

entropy

7.73329384601

description

A section with a high entropy has been found

entropy

0.708955223881

description

Overall entropy of this PE file is high

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 2, 2024, 5:18 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Crypt.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Ransom.Stop.P5
Skyhigh	BehavesLike.Win32.MultiPlug.dc
McAfee	Artemis!72BCB9136FDE
Cylance	Unsafe
VIPRE	Gen:Variant.Midie.151432
Sangfor	Trojan.Win32.Kryptik.V7o3
K7AntiVirus	Riskware ( 00584baa1 )
BitDefender	Gen:Variant.Midie.151432
K7GW	Riskware ( 00584baa1 )
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HXPA
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Packed.Smokeloader-10033583-0
Kaspersky	HEUR:Trojan.Win32.Crypt.gen
Alibaba	Backdoor:Win32/Mokes.76df65bc
MicroWorld-eScan	Gen:Variant.Midie.151432
Rising	Trojan.SmokeLoader!1.1001E (CLASSIC)
Emsisoft	Gen:Variant.Midie.151432 (B)
F-Secure	Trojan.TR/Crypt.Agent.gcwhe
DrWeb	Trojan.PWS.Steam.37475
TrendMicro	TrojanSpy.Win32.VIDAR.YXEHBZ
McAfeeD	Real Protect-LS!72BCB9136FDE
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.72bcb9136fde10fd
Sophos	Troj/Krypt-AEE
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.Agent.gcwhe
MAX	malware (ai score=82)
Antiy-AVL	Trojan[Backdoor]/Win32.Mokes
Kingsoft	malware.kb.a.1000
Gridinsoft	Ransom.Win32.STOP.sa
Microsoft	Backdoor:Win32/Mokes.GNK!MTB
ViRobot	Trojan.Win.Z.Mokes.206848
ZoneAlarm	HEUR:Trojan.Win32.Crypt.gen
GData	Win32.Packed.Kryptik.IH4DBM
Varist	W32/ABTrojan.IERX-0468
AhnLab-V3	Trojan/Win.Generic.R658943
BitDefenderTheta	Gen:NN.ZexaF.36810.my0@aKlV0boG
DeepInstinct	MALICIOUS
VBA32	BScope.Exploit.UAC
Ikarus	Trojan.Win32.Crypt
Panda	Trj/Genetic.gen
TrendMicro-HouseCall	TrojanSpy.Win32.VIDAR.YXEHBZ
Tencent	Win32.Trojan.Crypt.Osmw

build_2024-07-24_23-16.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All