Summary | ZeroBOX

XFTZHD.exe

PE32 PE File
Category FILE
Machine s1_win7_x6401
Started Aug. 5, 2024, 10:36 a.m.
Completed Aug. 5, 2024, 10:41 a.m.
Size 139.0KB
Type PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
MD5 f9eb9ee28788c0079bbc91086cef30f2
SHA256 32b01fc0292be3d9e8a37934e793ba8868244485e7abe1bf843690dc8097a060
CRC32 DECF3875
ssdeep 3072:DG9TQjMizEMK/rnhVj/CTVXOTm/kMq5PsDLGScJ5kloutd:DGejMizEVTnh9/cXstMq5E/AJiloSd
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
42.193.241.116 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10001000
process_handle: 0xffffffff
3221225713 0
This call failed: 3221225713 is NTSTATUS 0xC00000F1, STATUS_INVALID_PARAMETER_3, so the kernel rejected the third argument (NumberOfBytesToProtect, logged above as length: 0). No page protection changed.

NtProtectVirtualMemory

process_identifier: 2540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 53248
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10024000
process_handle: 0xffffffff
1 0 0
This call succeeded (status 1, return 0 = STATUS_SUCCESS): 53248 bytes, i.e. 13 pages from 0x10024000 to 0x10031000, in the sample's own process (process_handle 0xffffffff is the GetCurrentProcess pseudo-handle) are now readable, writable and executable at once. The monitor flags the executable protection as heap_dep_bypass: 1. A region made writable and executable at run time, rather than mapped executable at load time, is the write-then-execute pattern an unpacker stub uses before jumping into the decompressed code.
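What a triage script would make of the two NtProtectVirtualMemory records above, as an added example that is not ZeroBOX code: the log excerpt is reconstructed inline from the report, with the return value placed on its own `return:` line (an assumption about the report's column layout); the PAGE_* and NTSTATUS tables are the documented Windows values. The rule flags only successful calls that leave a region both writable and executable, and separately records failed or zero-length calls, which the raw log would otherwise make look like RWX transitions.

```python
import re

# Win32 page-protection constants: the low byte selects one base protection, high bits are modifiers.
PAGE_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MODIFIER_NAMES = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
NTSTATUS_NAMES = {0x00000000: "STATUS_SUCCESS", 0xC0000005: "STATUS_ACCESS_VIOLATION",
                  0xC000000D: "STATUS_INVALID_PARAMETER", 0xC0000022: "STATUS_ACCESS_DENIED",
                  0xC00000F1: "STATUS_INVALID_PARAMETER_3"}
NT_CURRENT_PROCESS = 0xFFFFFFFF   # GetCurrentProcess() pseudo-handle, -1 as a 32-bit value
PAGE_SIZE = 0x1000

# Constructed log excerpt mirroring the two calls in the report; the "return:" line is an assumption.
SAMPLE_LOG = """\
NtProtectVirtualMemory
process_identifier: 2540
heap_dep_bypass: 1
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10001000
process_handle: 0xffffffff
return: 3221225713

NtProtectVirtualMemory
process_identifier: 2540
heap_dep_bypass: 1
length: 53248
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10024000
process_handle: 0xffffffff
return: 0
"""


def decode_protection(value: int) -> str:
    names = [PAGE_NAMES.get(value & 0xFF, f"0x{value & 0xFF:02x}")]
    names += [n for bit, n in MODIFIER_NAMES.items() if value & bit]
    return "|".join(names)


def nt_success(status: int) -> bool:
    """NT_SUCCESS(): success (00) and informational (01) severities have the top bit clear."""
    return (status & 0x80000000) == 0


def parse_int(text: str) -> int:
    """Accept '64 (PAGE_EXECUTE_READWRITE)', '0x10024000' or '3221225713'."""
    return int(re.match(r"\s*(0x[0-9a-fA-F]+|\d+)", text).group(1), 0)


def parse_calls(text: str) -> list:
    """Split a Cuckoo-style call dump: first line is the API name, the rest are key: value pairs."""
    calls = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.strip().splitlines()
        call = {"api": lines[0].strip()}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            call[key.strip()] = value.strip()
        calls.append(call)
    return calls


def rwx_findings(calls: list) -> list:
    """Classify every NtProtectVirtualMemory call; 'rwx' means a live writable+executable region."""
    out = []
    for c in calls:
        if c["api"] != "NtProtectVirtualMemory":
            continue
        prot, status = parse_int(c["protection"]), parse_int(c.get("return", "0"))
        length, base = parse_int(c["length"]), parse_int(c["base_address"])
        handle, page = parse_int(c["process_handle"]), prot & 0xFF
        f = {"pid": int(c["process_identifier"]), "base": base, "end": base + length,
             "pages": (length + PAGE_SIZE - 1) // PAGE_SIZE,
             "protection": decode_protection(prot),
             "status": NTSTATUS_NAMES.get(status, f"0x{status:08x}"),
             "target": "current process" if handle == NT_CURRENT_PROCESS else f"handle 0x{handle:x}"}
        if not nt_success(status):
            f["verdict"] = "failed"      # nothing changed, but a probe with a bad size is still worth noting
        elif length == 0:
            f["verdict"] = "no-op"
        elif page in EXECUTABLE and page in WRITABLE:
            f["verdict"] = "rwx"         # unpacker stubs and self-modifying code need exactly this
        elif page in EXECUTABLE:
            f["verdict"] = "exec"
        else:
            f["verdict"] = "benign"
        out.append(f)
    return out


if __name__ == "__main__":
    for finding in rwx_findings(parse_calls(SAMPLE_LOG)):
        print(f"{finding['verdict']:7} pid={finding['pid']} {finding['base']:#010x}-{finding['end']:#010x} "
              f"({finding['pages']} pages) {finding['protection']} {finding['status']} [{finding['target']}]")
```

Run as-is to see the two verdicts (failed, then rwx); feed it a larger call dump in the same shape to list every RWX region a sample carves out.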
Resource: name RT_VERSION, language LANG_CHINESE, sublanguage SUBLANG_CHINESE_SIMPLIFIED, filetype data, offset 0x00065058, size 0x00000248
Signature: A section with a high entropy has been found
  section UPX1: virtual_address 0x00042000, virtual_size 0x00022000, size_of_data 0x00022000, entropy 7.9956 (the maximum for byte data is 8.0, so the section is effectively incompressible, as expected of a UPX-compressed body)
Signature: Overall entropy of this PE file is high
  entropy 0.985507246377
  Despite the label, this value is a ratio rather than a Shannon entropy: the signature (Cuckoo's packer_entropy check, which this ZeroBOX report follows) divides the raw size of the high-entropy sections by the raw size of all sections. UPX1's 0x22000 bytes make up 98.55% of the section data, so all other sections together hold only about 0x800 bytes on disk.
Signature: Section name indicates UPX
  sections UPX0, UPX1, UPX2
host 42.193.241.116
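To reproduce the three packer signatures above offline, an added Python example that is neither ZeroBOX's nor Cuckoo's own code: it walks the PE section table, computes Shannon entropy per section, and applies a per-section threshold of 6.8 bits and an overall threshold of 0.2 for the fraction of section data that is high-entropy. Both thresholds are modelled on Cuckoo's packer_entropy signature and are assumptions here, not values taken from the report. The sample PE is a constructed, non-loadable skeleton with UPX0/UPX1/UPX2 sections (UPX1 filled with seeded pseudo-random bytes to mimic a compressed body); pass a real file path as the first argument to run it on an actual sample.

```python
import math
import struct
import sys
from random import Random

HIGH_ENTROPY_SECTION = 6.8   # bits per byte; assumed threshold modelled on Cuckoo's packer_entropy
HIGH_ENTROPY_RATIO = 0.2     # share of section data that is high-entropy; assumed threshold


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0 (UPX1 in the report scores 7.9956)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes):
    """Walk the section table and yield (name, virtual_address, virtual_size, raw_size, raw_bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)    # IMAGE_FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)       # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                                 # first IMAGE_SECTION_HEADER
    for _ in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rsize, pe[rptr:rptr + rsize]
        off += 40


def packer_signals(pe: bytes) -> dict:
    """Reproduce the report's three packer signatures: high-entropy section, overall ratio, UPX names."""
    total = compressed = 0
    high, upx = [], []
    for name, _vaddr, _vsize, rsize, raw in pe_sections(pe):
        total += rsize
        ent = shannon_entropy(raw)
        if ent > HIGH_ENTROPY_SECTION:
            high.append((name, round(ent, 4)))
            compressed += rsize
        if name.startswith("UPX"):
            upx.append(name)
    ratio = compressed / total if total else 0.0
    return {"high_entropy_sections": high, "upx_sections": upx,
            "compressed_ratio": round(ratio, 4), "overall_high": ratio > HIGH_ENTROPY_RATIO}


def build_sample_pe(sections) -> bytes:
    """Constructed fixture: a minimal PE32 skeleton (headers plus section table, not loadable).
    sections is a list of (name, virtual_size, virtual_address, raw_bytes)."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                  # PE32 magic, remaining fields zeroed
    hdr_len = 0x40 + 4 + 20 + len(opt) + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF                           # FileAlignment 0x200
    table, body = b"", b""
    for name, vsize, vaddr, raw in sections:
        rsize = (len(raw) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rsize,
                             raw_ptr + len(body) if rsize else 0, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(rsize, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0103)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + body


# Constructed sample mimicking the report's layout: UPX0 has no raw data, UPX1 is near-random,
# UPX2 is a small, mostly-zero stub area. Sizes are illustrative, not the real file's.
SAMPLE_SECTIONS = [
    ("UPX0", 0x41000, 0x1000, b""),
    ("UPX1", 0x22000, 0x42000, Random(1).randbytes(8192)),     # seeded so the run is reproducible
    ("UPX2", 0x1000, 0x64000, b"\0" * 1024 + b"UPX!" + b"\0" * 1020),
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample_pe(SAMPLE_SECTIONS)
    for key, value in packer_signals(image).items():
        print(f"{key}: {value}")
```

On the fixture the compressed ratio is 0.8 (8192 of 10240 raw bytes sit in the one high-entropy section), which is why a file can score "overall entropy high" while its stub sections stay perfectly readable; the report's 0.9855 is the same ratio computed over the real section sizes.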
Antivirus

Vendor Result
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.BlackMoon.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
CAT-QuickHeal Downloader.AdLoad.12395
Skyhigh BehavesLike.Win32.Generic.cc
ALYac Gen:Variant.Jaik.235925
Cylance Unsafe
VIPRE Gen:Variant.Jaik.235925
Sangfor Trojan.Win32.Blackmoon.V3z9
BitDefender Gen:Variant.Jaik.235925
Cybereason malicious.28788c
Arcabit Trojan.Babar.D4BE0
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Packed.BlackMoon.A suspicious
APEX Malicious
McAfee Artemis!F9EB9EE28788
Avast Win32:MalwareX-gen [Trj]
Kaspersky UDS:DangerousObject.Multi.Generic
MicroWorld-eScan Gen:Variant.Jaik.235925
Emsisoft Gen:Variant.Jaik.235925 (B)
TrendMicro TrojanSpy.Win32.BLACKMOON.YXEHDZ
McAfeeD ti!32B01FC0292B
Trapmine malicious.high.ml.score
FireEye Generic.mg.f9eb9ee28788c007
Sophos Mal/Generic-S
Ikarus PUA.Generic
Gridinsoft Trojan.Win32.Packed.sa
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Gen:Variant.Jaik.235925
BitDefenderTheta Gen:NN.ZexaF.36810.iqKfaGhRP0mb
DeepInstinct MALICIOUS
VBA32 BScope.Trojan.DiskWriter
Malwarebytes Generic.Malware/Suspicious
TrendMicro-HouseCall TrojanSpy.Win32.BLACKMOON.YXEHDZ
MAX malware (ai score=84)
MaxSecure Dropper.Dinwod.frindll
Fortinet PossibleThreat.MU
AVG Win32:MalwareX-gen [Trj]
CrowdStrike win/malicious_confidence_90% (W)
alibabacloud VirTool:Win/Packed.BlackMoon.A