Summary | ZeroBOX

rorukal.exe

PE64 PE File
Category FILE
Machine s1_win7_x6403_us
Started Aug. 17, 2024, 10:13 p.m.
Completed Aug. 17, 2024, 10:25 p.m.
Size 3.3MB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 77ecafee1b0ba32bd4e3b90b6d92a81f
SHA256 14d8c36fbab22c95764169e90e4985f90a171b201bb206bd6ea8883b492083e3
CRC32 198FDD50
ssdeep 49152:ZfZDFDHgbjZ766knm3Y3ykj+B8lleKkqI5l+/pDktLE1wGZdcjnGnbPfnzR:npHgbJcmI3t08l3NKM/Sk9rcjnGnb3n
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

Hosts (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP Address  Status  Action
164.124.101.2  Active  Moloch
(With no hosts contacted, check the pcap to confirm whether 164.124.101.2 carries the sample's own traffic or only the analysis VM's background DNS/update traffic before using it as an indicator.)

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d
rorukal+0x12976 @ 0x412976
rorukal+0xb4ff5 @ 0x4b4ff5
rorukal+0xb527d @ 0x4b527d
rorukal+0x13c7 @ 0x4013c7
rorukal+0x14cb @ 0x4014cb
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x20474343 (STATUS_GCC_THROW: the user-defined code libgcc's SEH unwinder passes to RaiseException for a C++ throw in MinGW-built binaries, which matches the "stripped to external PDB" build; this __exception__ hit is therefore most likely the sample's own C++ exception handling rather than a crash or a debugger-detection trick)
exception.offset: 42141
exception.address: 0x7fefdbfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 2291424
registers.rsi: 0
registers.r10: 93
registers.rbx: 0
registers.rsp: 2293728
registers.r11: 2293040
registers.r8: 0
registers.r9: 0
registers.rdx: 192
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2002575849
registers.r13: 0
1 0 0
section (name: "", virtual_address: 0x0040f000, virtual_size: 0x00331000, size_of_data: 0x00330c00, entropy: 7.9428542902932) description: A section with a high entropy has been found
entropy 0.969723953695 description: Overall entropy of this PE file is high
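The two entropy lines above flag an unnamed 0x330c00-byte section at RVA 0x0040f000 with 7.94 bits/byte, the usual signature of a packed or encrypted payload that a small stub decrypts at run time. The script below is an added example (not ZeroBOX's or Cuckoo's code) that reproduces both checks offline: it walks the PE section table with `struct`, computes Shannon entropy per section, and reports the share of section data held in high-entropy sections. The thresholds (6.8 bits/byte per section, 0.2 for the overall share) and the reading of the report's "overall entropy" 0.9697 as that share are assumptions taken from the Cuckoo community `packer_entropy` signature; they are at least consistent with 0x330c00 bytes out of a 3.3 MB file. The PE image it analyses is constructed inline and is not the analysed sample.

```python
"""Section-entropy triage for a PE file, reproducing the two 'high entropy'
signature lines of the report. Added example, not ZeroBOX/Cuckoo code."""
import hashlib
import math
import struct
from collections import Counter

# Assumed thresholds (from the Cuckoo community packer_entropy signature).
SECTION_ENTROPY_THRESHOLD = 6.8   # bits per byte, per section
OVERALL_RATIO_THRESHOLD = 0.2     # share of section data in high-entropy sections


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits/byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe_sections(image: bytes):
    """Minimal section-table walk for PE32 and PE32+; returns [(name, raw_bytes)]."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def flag_high_entropy(sections):
    """Return ([(name, size, entropy)] for sections above the per-section
    threshold, share of all section data held in those sections)."""
    flagged, total, high = [], 0, 0
    for name, data in sections:
        total += len(data)
        h = shannon_entropy(data)
        if h > SECTION_ENTROPY_THRESHOLD:
            high += len(data)
            flagged.append((name, len(data), h))
    return flagged, (high / total if total else 0.0)


def pseudo_random_bytes(n: int, seed: bytes = b"example-seed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chaining), standing in for a
    packed payload in the constructed sample below."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed sample: a minimal PE32+ image with a small low-entropy
    '.text' section and a large unnamed pseudorandom section, mimicking the
    layout flagged in the report. Only the section table is meaningful."""
    text = b"\x48\x89\xe5\x90\x90\xc3\x00\x00" * 512      # 0x1000 bytes, 2.5 bits/byte
    blob = pseudo_random_bytes(0x10000)                   # 0x10000 bytes, ~8 bits/byte
    e_lfanew, opt_hdr_size, data_off = 0x40, 240, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_hdr_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_hdr_size - 2)   # PE32+ magic

    def sec_hdr(name, vsize, vaddr, raw_size, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr,
                           0, 0, 0, 0, 0x60000020)

    hdrs = (sec_hdr(b".text", len(text), 0x1000, len(text), data_off)
            + sec_hdr(b"", len(blob), 0x2000, len(blob), data_off + len(text)))
    image = dos + b"PE\0\0" + coff + opt + hdrs
    image += b"\0" * (data_off - len(image))              # pad headers to data_off
    return image + text + blob


if __name__ == "__main__":
    flagged, ratio = flag_high_entropy(parse_pe_sections(build_sample_pe()))
    for name, size, h in flagged:
        print(f"section {name!r}: size 0x{size:x}, entropy {h:.4f}")
    if ratio > OVERALL_RATIO_THRESHOLD:
        print(f"overall entropy (high-entropy share) {ratio:.4f}: likely packed")
```

Run it against a real file with `flag_high_entropy(parse_pe_sections(open(path, "rb").read()))`. A flagged unnamed section whose virtual_size is as large as its raw size, as here, is worth dumping from memory after the stub has run, since the static bytes will not yield usable strings or imports.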
Time & API Arguments Status Return Repeated

Process32NextW (logged 16 times, identical arguments and result in every row)

snapshot_handle: 0x000000000000009c
process_name: pw.exe
process_identifier: 2068
0 0
Bkav W32.Common.33A568E6
Lionic Trojan.Win32.Strab.4!c
Cynet Malicious (score: 99)
Skyhigh BehavesLike.Win64.Dropper.wc
ALYac Trojan.GenericKD.73829643
Cylance Unsafe
VIPRE Trojan.GenericKD.73829643
Sangfor Dropper.Win32.Agent.V5z8
K7AntiVirus Trojan ( 005b93631 )
BitDefender Trojan.GenericKD.73829643
K7GW Trojan ( 005b93631 )
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/TrojanDropper.Agent.KL
APEX Malicious
McAfee Artemis!77ECAFEE1B0B
Avast Win64:DropperX-gen [Drp]
Kaspersky Trojan.Win32.Strab.ntv
MicroWorld-eScan Trojan.GenericKD.73829643
Rising Backdoor.Androm!8.113 (CLOUD)
Emsisoft Trojan.GenericKD.73829643 (B)
F-Secure Trojan.TR/Drop.Agent.rrulj
DrWeb Trojan.Inject5.7186
McAfeeD ti!14D8C36FBAB2
Trapmine malicious.moderate.ml.score
FireEye Trojan.GenericKD.73829643
Sophos Mal/Generic-S
Webroot W32.Trojan.GenKD
Google Detected
Avira TR/Drop.Agent.rrulj
MAX malware (ai score=81)
Antiy-AVL Trojan[Backdoor]/Win32.Androm
Kingsoft Win32.Trojan.Strab.ntv
Microsoft Trojan:Win32/Znyonm
ZoneAlarm Trojan.Win32.Strab.ntv
GData Trojan.GenericKD.73829643
AhnLab-V3 Malware/Win.Generic.C5651394
DeepInstinct MALICIOUS
Malwarebytes Malware.AI.2974589336
Ikarus Trojan-Dropper.Win64.Agent
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R023H0CHF24
Tencent Malware.Win32.Gencirc.14160536
MaxSecure Trojan.Malware.274467459.susgen
Fortinet W64/Agent.KL!tr
AVG Win64:DropperX-gen [Drp]
Paloalto generic.ml
CrowdStrike win/malicious_confidence_70% (W)
alibabacloud Trojan[dropper]:Win/Strab.nnt