Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 19, 2024, 2:09 p.m.	Aug. 19, 2024, 2:17 p.m.

Size	216.1KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ef05d64893224900ae27b3d2ac8323cc`
SHA256	`a96b3ddd991bc4a88831685ef44cbd4ad7945a4afc3a028f42812f269d513674`
CRC32	`85B7BC9A`
ssdeep	`6144:U9N6HzLQfUqkYF4jMfghcS7g/AcaJh+wA+Q3ETEO:U9NEIMdYGjMgNrBJbA+yETEO`
PDB Path	c:\g5sye\obj\Release\G.pdb
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

66bddfc358668_stealc.exe "C:\Users\test22\AppData\Local\Temp\66bddfc358668_stealc.exe"
1984

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Aug. 19, 2024, 2:09 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 19, 2024, 2:09 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 19, 2024, 2:09 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:09 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:09 p.m.			0	0
IsDebuggerPresent Aug. 19, 2024, 2:09 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

c:\g5sye\obj\Release\G.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 19, 2024, 2:09 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 19, 2024, 2:09 p.m.	process_identifier: 1984 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:09 p.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 19, 2024, 2:09 p.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 19, 2024, 2:09 p.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:09 p.m.	process_identifier: 1984 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ff0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:09 p.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:09 p.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:09 p.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00805000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:09 p.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0080b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:09 p.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00807000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:09 p.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:09 p.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 19, 2024, 2:09 p.m.	process_identifier: 1984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00030a00', u'virtual_address': u'0x00002000', u'entropy': 7.987672282210696, u'name': u'.text', u'virtual_size': u'0x00030804'}

entropy

7.98767228221

description

A section with a high entropy has been found

entropy

0.989821882952

description

Overall entropy of this PE file is high

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Skyhigh	Artemis!Trojan
Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.Vdjo
BitDefender	Gen:Variant.MSILHeracles.175506
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.HASV
APEX	Malicious
McAfee	Artemis!EF05D6489322
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Packed.Pwsx-10034591-0
Kaspersky	UDS:Trojan-PSW.MSIL.Stealerc.gen
Alibaba	Trojan:MSIL/Generic.04b082a2
MicroWorld-eScan	Gen:Variant.MSILHeracles.175506
Rising	Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:Z4e4rbWMbC/Yw7ze+i2rRg)
Emsisoft	Gen:Variant.MSILHeracles.175506 (B)
TrendMicro	TrojanSpy.Win32.STEALC.YXEHRZ
McAfeeD	ti!A96B3DDD991B
FireEye	Generic.mg.ef05d64893224900
Sophos	Mal/MSIL-KC
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/AD.Stealc.qhfne
MAX	malware (ai score=83)
Kingsoft	MSIL.Trojan-PSW.Stealerc.gen
Gridinsoft	Spy.Win32.Gen.tr
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
ZoneAlarm	UDS:Trojan-PSW.MSIL.Stealerc.gen
GData	Win32.Trojan.Kryptik.QU0R63
BitDefenderTheta	Gen:NN.ZemsilF.36812.nm2@aWE7D5k
DeepInstinct	MALICIOUS
TrendMicro-HouseCall	TrojanSpy.Win32.STEALC.YXEHRZ
huorong	Trojan/MSIL.Agent.li
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat
AVG	Win32:PWSX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_100% (D)

66bddfc358668_stealc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All