Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 22, 2024, 3:01 p.m.	Aug. 22, 2024, 3:03 p.m.

Size	202.4KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`e54c022314dfd1cc38e8994f725ba3be`
SHA256	`f41e569fd72766fdd1276d9b52d3e4b1aa7ae8f4731fdc199774a4bff31628e5`
CRC32	`2AD57572`
ssdeep	`3072:iPeKZ7SZ6LdppB4r2Telmn3Uj5R7DhHksjjonVEmSd1XHrPz8+BLGLu8YqvTExX3:SdZ+QQrp4UjxPjjoKm01bPo+Vt1EO`
PDB Path	c:\ysvo5i1li04tm6\obj\Releas\qvpp.pdb
Yara	PE_Header_Zero - PE File Signature Antivirus - Contains references to security software Is_DotNET_EXE - (no description) IsPE32 - (no description)

kleiseIche.exe "C:\Users\test22\AppData\Local\Temp\kleiseIche.exe"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Aug. 22, 2024, 3:01 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 22, 2024, 3:01 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 22, 2024, 3:01 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:01 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:01 p.m.			0	0
IsDebuggerPresent Aug. 22, 2024, 3:01 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

c:\ysvo5i1li04tm6\obj\Releas\qvpp.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 22, 2024, 3:01 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 22, 2024, 3:01 p.m.	process_identifier: 2548 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 3:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 3:01 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 22, 2024, 3:01 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 3:01 p.m.	process_identifier: 2548 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 3:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 3:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 3:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 3:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 3:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 3:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 3:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 22, 2024, 3:01 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002ce00', u'virtual_address': u'0x00002000', u'entropy': 7.987135465446823, u'name': u'.text', u'virtual_size': u'0x0002cc64'}

entropy

7.98713546545

description

A section with a high entropy has been found

entropy

0.986263736264

description

Overall entropy of this PE file is high

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Reline.i!c
Elastic	malicious (high confidence)
CAT-QuickHeal	Trojanpws.Msil
ALYac	Gen:Variant.Jalapeno.18081
Cylance	Unsafe
VIPRE	Gen:Variant.Jalapeno.18081
Sangfor	Infostealer.Msil.Kryptik.V5rs
BitDefender	Gen:Variant.Jalapeno.18081
Paloalto	generic.ml
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.HAVJ
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Packed.Stealerc-10034897-0
Kaspersky	HEUR:Trojan-PSW.MSIL.Reline.gen
Alibaba	TrojanPSW:MSIL/Reline.3b809eaf
MicroWorld-eScan	Gen:Variant.Jalapeno.18081
Rising	Stealer.Reline!8.132F4 (CLOUD)
Emsisoft	Gen:Variant.Jalapeno.18081 (B)
F-Secure	Trojan.TR/Kryptik.saybj
TrendMicro	TrojanSpy.Win32.VIDAR.YXEHUZ
McAfeeD	ti!F41E569FD727
FireEye	Generic.mg.e54c022314dfd1cc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Avira	TR/Kryptik.saybj
MAX	malware (ai score=82)
Antiy-AVL	Trojan[PSW]/MSIL.Reline
Kingsoft	MSIL.Trojan-PSW.Reline.gen
Gridinsoft	Spy.Win32.Vidar.tr
Arcabit	Trojan.Jalapeno.D46A1
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Reline.gen
GData	Gen:Variant.Jalapeno.18081
AhnLab-V3	Trojan/Win.PWSX-gen.C5660481
BitDefenderTheta	Gen:NN.ZemsilF.36812.mm2@a4Jhi2ji
Malwarebytes	Spyware.RedLineStealer.MSIL
Ikarus	Win32.Outbreak
TrendMicro-HouseCall	TrojanSpy.Win32.VIDAR.YXEHUZ
huorong	Trojan/MSIL.Agent.li
Fortinet	MSIL/GenKryptik.HATV!tr
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/Chgt.AD
CrowdStrike	win/malicious_confidence_100% (D)

kleiseIche.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All