Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

public.exe

Malicious Packer UPX OS Processor Check PE64 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 6, 2024, 9:20 a.m.	Aug. 6, 2024, 9:27 a.m.

Size	29.5KB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`099b959c7202e63afb435cb3bbbf25c8`
SHA256	`494e94d57ca2260c30b5d52ac414a2c8600eab38d08edb273832cee82685e1d8`
CRC32	`9378464A`
ssdeep	`384:1hILRmKwRxYaK666Q39pNiJBuXMFAqIqIr4ahKaYfziTz+3jpYd/Pt4T:1hILRmKwR2aZW9zilFd+zSOTS3Ko`
PDB Path	E:\source\SSP_Exec\x64\Release\SSP_Exec.pdb
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

public.exe "C:\Users\test22\AppData\Local\Temp\public.exe"
1984

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

E:\source\SSP_Exec\x64\Release\SSP_Exec.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

_RDATA

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 6, 2024, 9:20 a.m.	stacktrace: public+0x14a9 @ 0x13faf14a9 public+0x176d @ 0x13faf176d public+0x3110 @ 0x13faf3110 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521 exception.instruction_r: 0f b6 01 48 8b f9 0f b6 51 01 3a c2 75 05 80 fa exception.symbol: public+0x14a9 exception.instruction: movzx eax, byte ptr [rcx] exception.module: public.exe exception.exception_code: 0xc0000005 exception.offset: 5289 exception.address: 0x13faf14a9 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 0 registers.r10: 279949729737217 registers.rbx: 0 registers.rsp: 3145440 registers.r11: 279946199973953 registers.r8: 3930192 registers.r9: 8791596062888 registers.rdx: 3934192 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 8791596283928 registers.r13: 0	1	0	0

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Elastic	malicious (moderate confidence)
APEX	Malicious
McAfeeD	ti!494E94D57CA2
Microsoft	Trojan:Win32/Casdet!rfn