Summary | ZeroBOX

demo.exe

UPX PE64 PE File
Category FILE
Machine s1_win7_x6401
Started Aug. 5, 2024, 4:26 p.m.
Completed Aug. 5, 2024, 4:26 p.m.
Size 211.5KB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 edf60741d8f0f84ac05c3c3abe96f531
SHA256 c8009295795a41ddf450d7e6fd947d17f0a344aedb28cb1f1d00d5b28d225acd
CRC32 02159FF7
ssdeep 3072:JLCP23GB0kWd9F4VhNvmvM1wnTqHcXFI:JWSY0o/vmvBn9XF
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file

Name / Response / Post-Analysis Lookup
No hosts contacted.
IP Address 152.136.159.25
Status Active
Action Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x6f1320
0xcc000c
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

exception.instruction_r: ac 3c 61 7c 02 2c 20 41 c1 c9 0d 41 01 c1 e2 ed
exception.instruction: lodsb al, byte ptr [rsi]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6f1320
registers.r14: 1453503984
registers.r15: 0
registers.rcx: 110
registers.rsi: 110
registers.r10: 0
registers.rbx: 7279814
registers.rsp: 11664416
registers.r11: 514
registers.r8: 8791748268556
registers.r9: 0
registers.rdx: 1994794592
registers.r12: 0
registers.rbp: 7279354
registers.rdi: 0
registers.rax: 0
registers.r13: 0
Status 1 Return 0 Repeated 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 1376256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000620000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
Status 1 Return 0 Repeated 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000006f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
Status 1 Return 0 Repeated 0
host 152.136.159.25
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.CobaltStrike.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 99)
Skyhigh BehavesLike.Win64.Infected.dt
ALYac Gen:Variant.Zusy.554542
VIPRE Gen:Variant.Zusy.554542
Sangfor Trojan.Win64.Kryptik.V3o0
K7AntiVirus Trojan ( 00594da41 )
BitDefender Gen:Variant.Zusy.554542
K7GW Trojan ( 00594da41 )
Cybereason malicious.1d8f0f
Arcabit Trojan.Zusy.D8762E
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/GenKryptik.FWMV
APEX Malicious
McAfee Artemis!EDF60741D8F0
Avast Win64:Evo-gen [Trj]
ClamAV Win.Malware.Zusy-10033301-0
Kaspersky UDS:DangerousObject.Multi.Generic
Alibaba Trojan:Win64/GenKryptik.36faa6eb
MicroWorld-eScan Gen:Variant.Zusy.554542
Rising Trojan.Kryplod!8.100A5 (TFE:5:AImjlJANoeK)
Emsisoft Gen:Variant.Zusy.554542 (B)
F-Secure Trojan.TR/AD.PatchedWinSwrort.ckfiy
DrWeb BackDoor.Meterpreter.157
Zillya Trojan.GenKryptik.Win64.27153
McAfeeD ti!C8009295795A
FireEye Gen:Variant.Zusy.554542
Sophos Mal/Generic-S
Ikarus Win32.Outbreak
Webroot W32.Trojan.TR.AD.PatchedWinSwro
Google Detected
Avira TR/AD.PatchedWinSwrort.ckfiy
MAX malware (ai score=80)
Antiy-AVL Trojan/Win64.GenKryptik
Gridinsoft Trojan.Win64.Kryptik.sa
Microsoft Trojan:Win64/CobaltStrike.AMBA!MTB
ViRobot Trojan.Win.Z.Zusy.216576.C
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Gen:Variant.Zusy.554542
AhnLab-V3 Trojan/Win.CobaltStrike.C5628252
DeepInstinct MALICIOUS
Malwarebytes Malware.AI.3638408099
Panda Trj/GdSda.A
Tencent Trojan.Win64.Kryptik.hm
Fortinet W64/Kryptik.DWZ!tr
AVG Win64:Evo-gen [Trj]
Paloalto generic.ml
alibabacloud Trojan:Win/CobaltStrike.AZHO3DGW
dead_host 192.168.56.101:49162
dead_host 192.168.56.101:49171
dead_host 192.168.56.101:49170
dead_host 192.168.56.101:49169
dead_host 192.168.56.101:49166
dead_host 192.168.56.101:49168
dead_host 192.168.56.101:49165
dead_host 192.168.56.101:49164
dead_host 152.136.159.25:4455
dead_host 192.168.56.101:49172
dead_host 192.168.56.101:49163