Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 12, 2024, 9:14 a.m.	Aug. 12, 2024, 9:57 a.m.

Size	346.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`209ae4a712ada48aa2d5fba027ed58b6`
SHA256	`811326123c9b90d8932c4679c574afd2097496d883edc7ce6b0800afe90abe72`
CRC32	`39DBC68A`
ssdeep	`6144:yTouKrWBEu3/Z2lpGDHU3ykJ3RkJ/T4SUoMyE:yToPWBv/cpGrU3yimxTnCyE`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library Win32_WinRAR_SFX_Zero - Win32 WinRAR SFX PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

Meetings.exe "C:\Users\test22\AppData\Local\Temp\Meetings.exe"
1872
- 1sesc.exe "C:\Users\test22\AppData\Local\Temp\RarSFX0\1sesc.exe"
  2052

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
193.117.208.148	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1sesc.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1sesc.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1sesc.exe

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Users\test22\AppData\Local\Temp\RarSFX0\1sesc.exe
cmdline	"C:\Users\test22\AppData\Local\Temp\RarSFX0\1sesc.exe"

Communicates with host for which no DNS query was performed (1 event)

host

193.117.208.148

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

193.117.208.148:7800

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Swrort.A
Skyhigh	BehavesLike.Win32.Swrort.fh
ALYac	Trojan.GenericKD.68259489
Cylance	Unsafe
VIPRE	Trojan.GenericKD.68259489
Sangfor	Trojan.Win32.Meterpreter.Vr2v
K7AntiVirus	Trojan ( 001172b51 )
BitDefender	Trojan.GenericKD.68259489
K7GW	Trojan ( 001172b51 )
Cybereason	malicious.712ada
Arcabit	Trojan.Generic.D4118EA1
VirIT	Trojan.Win32.Rozena.AA
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/Rozena.AA
APEX	Malicious
McAfee	Artemis!209AE4A712AD
Avast	Win32:Meterpreter-C [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Win32/CobaltStrike.5c89
NANO-Antivirus	Trojan.Win32.Metla.jtrsio
MicroWorld-eScan	Trojan.GenericKD.68259489
Rising	HackTool.Swrort!1.6477 (CLASSIC)
Emsisoft	Trojan.GenericKD.68259489 (B)
F-Secure	Trojan.TR/Patched.Gen2
TrendMicro	Backdoor.Win32.COBEACON.SMJMAC
McAfeeD	ti!811326123C9B
FireEye	Generic.mg.209ae4a712ada48a
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious SFX
Google	Detected
Avira	TR/Patched.Gen2
MAX	malware (ai score=86)
Antiy-AVL	GrayWare/Win32.Tampering.a
Gridinsoft	Trojan.Win32.Swrort.zv!s2
Xcitium	TrojWare.Win32.Rozena.A@4jwdqr
Microsoft	Trojan:Win32/Meterpreter.O
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Win32.Trojan.PSE.12141ZK
Varist	W32/Swrort.A.gen!Eldorado
BitDefenderTheta	Gen:NN.ZexaF.36810.eq1@aaZWcIai
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.VBS.Agent
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Trojan.Win32.Swrort
Panda	Trj/CI.A
TrendMicro-HouseCall	Backdoor.Win32.SWRORT.SMAL01

Meetings.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All