Summary | ZeroBOX

Mke%20Fallen.exe

Tags: Malicious Library, UPX, Anti_VM, AntiDebug, PE File, OS Processor Check, PE32, AntiVM

Category:  FILE
Machine:   s1_win7_x6401
Started:   Aug. 14, 2024, 10:50 a.m.
Completed: Aug. 14, 2024, 10:52 a.m.

Size:   192.1KB
Type:   PE32 executable (GUI) Intel 80386, for MS Windows
MD5:    eaeb33cc12fd71532fb6156938f46854
SHA256: 055f7b2e38401cb201d4b594e7fe205484681495fb2393185910eb80dfaaec20
CRC32:  9EEBF2E7
ssdeep: 3072:2POKWROAEATTiczEJToGGhKW9o+SALvH/n2w52YGLHY:2POKWRPTDEJMhKJaf2uyLHY
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Network
  • DNS (Name / Response / Post-Analysis Lookup): no hosts contacted.
  • IP (Address / Status / Action): no hosts contacted.

Suricata
  • Alerts: none
  • TLS: none

Packer (signature match): Armadillo v1.71. Note that the Yara rule UPX_Zero above identifies the same file as UPX packed; the two packer identifications conflict, so neither should be taken as confirmed without inspecting the sample's sections and entry point.
Service creation

CreateServiceA (status: 1 = success, return: 15429712 = 0x00eb7050, i.e. the service handle; repeated: 0)
  service_manager_handle: 0x00eb70f0
  service_name:           t4d7
  display_name:           Microsoft Software t4d7
  desired_access:         983551 (0xF01FF = SERVICE_ALL_ACCESS)
  service_type:           16 (0x10 = SERVICE_WIN32_OWN_PROCESS)
  start_type:             2 (SERVICE_AUTO_START: started by the SCM at boot)
  error_control:          0 (SERVICE_ERROR_IGNORE)
  filepath:               C:\Windows\System32\Mke%20Fallen.exe
  filepath_r:             C:\Windows\system32\Mke%20Fallen.exe
  service_start_name:     (empty; an absent start name means the service runs as LocalSystem)
  password:               (empty)
  service_handle:         0x00eb7050
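The numeric arguments a sandbox logs for CreateServiceA are only useful once mapped back to the Win32 constants they stand for. The decoder below is an added example written for this page; it is not ZeroBOX code and not part of the sample. The input dictionary reproduces the values listed above, the constant names and values are those of winsvc.h/winnt.h, and treating an empty service_start_name as the NULL argument (LocalSystem, per the CreateServiceA documentation) is an assumption about how the sandbox logs a NULL pointer.

```python
"""Decode the raw CreateServiceA arguments recorded by a sandbox into Win32
constants and derive the triage facts a responder wants from them.

Added example: not ZeroBOX code and not part of the analysed sample.  The
REPORTED_CALL dict reproduces the values in this report; constant values are
taken from winsvc.h / winnt.h.
"""

# Service-specific access rights (winsvc.h) plus the standard rights they are
# combined with (winnt.h).  SERVICE_ALL_ACCESS (0xF01FF) is all of them ORed.
ACCESS_BITS = {
    0x00001: "SERVICE_QUERY_CONFIG",
    0x00002: "SERVICE_CHANGE_CONFIG",
    0x00004: "SERVICE_QUERY_STATUS",
    0x00008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x00010: "SERVICE_START",
    0x00020: "SERVICE_STOP",
    0x00040: "SERVICE_PAUSE_CONTINUE",
    0x00080: "SERVICE_INTERROGATE",
    0x00100: "SERVICE_USER_DEFINED_CONTROL",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
SERVICE_ALL_ACCESS = 0xF01FF

SERVICE_TYPE_BITS = {
    0x001: "SERVICE_KERNEL_DRIVER",
    0x002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x010: "SERVICE_WIN32_OWN_PROCESS",
    0x020: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}
START_TYPES = {
    0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
    2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED",
}
ERROR_CONTROLS = {
    0: "SERVICE_ERROR_IGNORE", 1: "SERVICE_ERROR_NORMAL",
    2: "SERVICE_ERROR_SEVERE", 3: "SERVICE_ERROR_CRITICAL",
}

# The CreateServiceA arguments exactly as this report lists them.
REPORTED_CALL = {
    "service_start_name": "",
    "start_type": 2,
    "password": "",
    "display_name": "Microsoft Software t4d7",
    "filepath": r"C:\Windows\System32\Mke%20Fallen.exe",
    "service_name": "t4d7",
    "filepath_r": r"C:\Windows\system32\Mke%20Fallen.exe",
    "desired_access": 983551,
    "service_handle": 0x00EB7050,
    "error_control": 0,
    "service_type": 16,
    "service_manager_handle": 0x00EB70F0,
    "status": 1,
    "return": 15429712,
}


def decode_flags(value, table):
    """Name every bit of `value` found in `table`; leftover bits stay as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(hex(leftover))
    return names


def decode_access(mask):
    """Name the full-access mask directly; otherwise list the individual bits."""
    if mask == SERVICE_ALL_ACCESS:
        return ["SERVICE_ALL_ACCESS"]
    return decode_flags(mask, ACCESS_BITS)


def decode_create_service(call):
    """Translate the numeric arguments of one logged CreateServiceA call."""
    return {
        "service_type": decode_flags(call["service_type"], SERVICE_TYPE_BITS),
        "start_type": START_TYPES.get(call["start_type"], hex(call["start_type"])),
        "error_control": ERROR_CONTROLS.get(call["error_control"], hex(call["error_control"])),
        "desired_access": decode_access(call["desired_access"]),
        # Assumption: the sandbox logs a NULL lpServiceStartName as "", which
        # CreateServiceA documents as "run as LocalSystem".
        "account": call["service_start_name"] or "LocalSystem (NULL/empty start name)",
        # On success the return value is the SC_HANDLE and equals service_handle.
        "succeeded": call["status"] == 1 and call["return"] == call["service_handle"],
    }


def triage(call):
    """Short list of findings a responder would flag from the decoded call."""
    d = decode_create_service(call)
    findings = []
    if d["start_type"] == "SERVICE_AUTO_START":
        findings.append("persistence: auto-start service '%s'" % call["service_name"])
    if "SERVICE_WIN32_OWN_PROCESS" in d["service_type"]:
        findings.append("runs as its own process under " + d["account"])
    if call["filepath"].lower().startswith(r"c:\windows\system32"):
        findings.append("binary planted in System32: " + call["filepath"])
    if d["desired_access"] == ["SERVICE_ALL_ACCESS"]:
        findings.append("handle opened with SERVICE_ALL_ACCESS")
    return findings


if __name__ == "__main__":
    for key, value in decode_create_service(REPORTED_CALL).items():
        print("%-15s %s" % (key, value))
    for finding in triage(REPORTED_CALL):
        print("-", finding)
```

The same tables decode any CreateServiceA/CreateServiceW or ChangeServiceConfig record, and the `succeeded` check (return equals the logged handle) is a cheap way to confirm the service was actually registered rather than merely attempted.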
Deletion of the dropped binary via cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c del C:\Users\test22\AppData\Local\Temp\MKE%20~1.EXE > nul
  file:    C:\Users\test22\AppData\Local\Temp\Mke%20Fallen.exe (MKE%20~1.EXE is its 8.3 short name)
Anti-debugging / anti-analysis rule matches
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • DebuggerException__SetConsoleCtrl - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP
Service installed
  service_name: t4d7
  service_path: C:\Windows\System32\Mke%20Fallen.exe
Process injection: process 2540 resumed a thread in remote process 2616

NtResumeThread (status: 1 = success, return: 0, repeated: 0)
  thread_handle:      0x00000124
  suspend_count:      1 (previous suspend count; this call released the thread to run)
  process_identifier: 2616
Antivirus detections (engine: result)
  Bkav:             W32.AIDetectMalware
  Elastic:          malicious (high confidence)
  Cynet:            Malicious (score: 100)
  CAT-QuickHeal:    Trojan.ServStart.A
  Skyhigh:          GenericRXAE-XG!EAEB33CC12FD
  Cylance:          Unsafe
  VIPRE:            Gen:Heur.Mint.Zard.30
  K7AntiVirus:      Trojan ( 00592b3f1 )
  BitDefender:      Gen:Heur.Mint.Zard.30
  K7GW:             Trojan ( 00592b3f1 )
  Cybereason:       malicious.c12fd7
  Arcabit:          Trojan.Mint.Zard.30
  Baidu:            Win32.Trojan.ServStart.aj
  VirIT:            Trojan.Win32.Generic.WYR
  Symantec:         SMG.Heur!gen
  ESET-NOD32:       Win32/ServStart.IO
  APEX:             Malicious
  McAfee:           GenericRXAE-XG!EAEB33CC12FD
  Avast:            Win32:MrBlack-D [Trj]
  ClamAV:           Win.Trojan.Zard-9880336-0
  Kaspersky:        Trojan.Win32.StartServ.xer
  NANO-Antivirus:   Trojan.Win32.Heuristic131.dcnfpc
  SUPERAntiSpyware: Trojan.Agent/Gen-Jaik
  MicroWorld-eScan: Gen:Heur.Mint.Zard.30
  Rising:           Backdoor.Farfli!1.BEF4 (CLASSIC)
  Emsisoft:         Gen:Heur.Mint.Zard.30 (B)
  F-Secure:         Backdoor.BDS/Backdoor.Gen2
  DrWeb:            Trojan.MulDrop11.50250
  Zillya:           Backdoor.PePatch.Win32.44306
  TrendMicro:       TROJ_SERVSTART_GJ1000AC.UVPN
  McAfeeD:          Real Protect-LS!EAEB33CC12FD
  Trapmine:         malicious.high.ml.score
  FireEye:          Generic.mg.eaeb33cc12fd7153
  Sophos:           ML/PE-A
  SentinelOne:      Static AI - Suspicious PE
  Jiangmin:         Trojan/Generic.bamdh
  Webroot:          Trojan.Gen
  Google:           Detected
  Avira:            BDS/Backdoor.Gen2
  MAX:              malware (ai score=84)
  Antiy-AVL:        Trojan/Win32.AGeneric
  Kingsoft:         malware.kb.a.1000
  Xcitium:          TrojWare.Win32.ServStart.CA@6q1016
  Microsoft:        Trojan:Win32/ServStart!pz
  ZoneAlarm:        Trojan.Win32.StartServ.xer
  GData:            Gen:Heur.Mint.Zard.30
  Varist:           W32/Trojan.NEMT-1463
  AhnLab-V3:        Backdoor/Win32.Zegost.R117606
  BitDefenderTheta: AI:Packer.4ABEE65B1E
  DeepInstinct:     MALICIOUS