Summary | ZeroBOX

123.exe

UPX PE32 PE File
Category: FILE
Machine: s1_win7_x6401
Started: Aug. 4, 2024, 1:19 p.m.
Completed: Aug. 4, 2024, 2 p.m.
Size 4.9MB
Type PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5 ff886c6dfffaf1abafb52e93b7a69249
SHA256 73d5c27cb72107318d5c6990c51ce019db0a0cfc2ff8aa3a2463628219043cdb
CRC32 60B33BDD
ssdeep 98304:KS6gS14h+KEl19bPT064hi/l/kVDzkWofm6F29UYolRhWYMQ:KS6gS1kv+19br1mi/lu4fm60aYQR0YMQ
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address: 121.36.248.151  Status: Active  Action: Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API: WriteConsoleW
  buffer: 2024/08/04 13:19:53 Forking
  console_handle: 0x0000000b
Status: 1  Return: 1  Repeated: 0
packer: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
section: UPX1 (virtual_address 0x00a19000, virtual_size 0x004f1000, size_of_data 0x004f0800, entropy 7.8950004582042945)
  description: A section with a high entropy has been found
entropy: 0.999901156469
  description: Overall entropy of this PE file is high
API: LookupPrivilegeValueW
  system_name:
  privilege_name: SeDebugPrivilege
Status: 1  Return: 1  Repeated: 0
section: UPX0  description: Section name indicates UPX
section: UPX1  description: Section name indicates UPX
section: UPX2  description: Section name indicates UPX
cmdline: whoami
host: 121.36.248.151
API: LdrGetProcedureAddress
  ordinal: 0
  function_address: 0x0033f769
  function_name: wine_get_version
  module: ntdll
  module_address: 0x76f10000
Return: 3221225785  Repeated: 0
API: NtGetContextThread
  thread_handle: 0x00000020
Status: 1  Return: 0  Repeated: 0

API: NtSetContextThread
  registers.eip: 17600688
  registers.esp: 198307352
  registers.edi: 0
  registers.eax: 0
  registers.ebp: 2
  registers.edx: 0
  registers.ebx: 0
  registers.esi: 0
  registers.ecx: 0
  thread_handle: 0x00000020
  process_identifier: 2556
Status: 1  Return: 0  Repeated: 0

API: NtResumeThread
  thread_handle: 0x00000020
  suspend_count: 1
  process_identifier: 2556
Status: 1  Return: 0  Repeated: 0

API: NtGetContextThread
  thread_handle: 0x00000020
Status: 1  Return: 0  Repeated: 0

API: NtResumeThread
  thread_handle: 0x00000020
  suspend_count: 1
  process_identifier: 2556
Status: 1  Return: 0  Repeated: 0

API: CreateProcessInternalW
  thread_identifier: 2712
  thread_handle: 0x000001d0
  process_identifier: 2708
  current_directory:
  filepath: C:\Windows\System32\whoami.exe
  track: 1
  command_line: whoami
  filepath_r: C:\Windows\system32\whoami.exe
  stack_pivoted: 0
  creation_flags: 525312 (CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
  inherit_handles: 1
  process_handle: 0x000001d4
Status: 1  Return: 1  Repeated: 0
Bkav W32.AIDetectMalware
Elastic malicious (moderate confidence)
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Generic.rc
ALYac Gen:Variant.Zusy.555509
Cylance Unsafe
VIPRE Gen:Variant.Zusy.555509
BitDefender Gen:Variant.Zusy.555509
Cybereason malicious.dfffaf
Arcabit Trojan.Zusy.D879F5
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of WinGo/Agent.ACE.gen
APEX Malicious
Avast Win32:Evo-gen [Trj]
Kaspersky HEUR:Backdoor.Win64.Supershell.pef
MicroWorld-eScan Gen:Variant.Zusy.555509
Emsisoft Gen:Variant.Zusy.555509 (B)
McAfeeD ti!73D5C27CB721
FireEye Gen:Variant.Zusy.555509
Sophos CXrep/MalGo-B
Ikarus Trojan.Crypt
Antiy-AVL GrayWare/Win32.Kryptik.ffp
ZoneAlarm HEUR:Backdoor.Win64.Supershell.pef
GData Gen:Variant.Zusy.555509
AhnLab-V3 Malware/Win.Generic.R645153
BitDefenderTheta Gen:NN.ZexaF.36810.@pGfae4GEck
VBA32 Backdoor.Win64.Supershell
Malwarebytes Trojan.Injector.UPX
Tencent Win64.Backdoor.Supershell.Lqil
MAX malware (ai score=83)
MaxSecure Trojan.Malware.300983.susgen
AVG Win32:Evo-gen [Trj]
CrowdStrike win/malicious_confidence_70% (W)