Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 25, 2024, 6:42 p.m.	Aug. 25, 2024, 7:01 p.m.

Size	192.0KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ad8a02a68b36bd0c78428d3552feacce`
SHA256	`3891b4ca289d3c1ed1e73d2af779191c414552b79302a3546b45a43e2afe0423`
CRC32	`04CBD1B8`
ssdeep	`3072:t7GCBMxBmNVP66jWNLndbhXj8nDdl8i2VfF0fBRb2PJu9fhxsPJt17So4kKYzEO:tyCBMxBmNVPdjAnqdln2VNJP0h+f8yEO`
PDB Path	c:\8ao24qg1glny8\obj\Release\doX.pdb
Yara	PE_Header_Zero - PE File Signature Antivirus - Contains references to security software Is_DotNET_EXE - (no description) IsPE32 - (no description)

66ca11c91d783_vaelw.exe#space "C:\Users\test22\AppData\Local\Temp\66ca11c91d783_vaelw.exe#space"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Aug. 25, 2024, 6:42 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 25, 2024, 6:42 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Aug. 25, 2024, 6:42 p.m.	buffer: System.MissingMethodException: ???? ?? ? ????. '!!0 System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(IntPtr)' ??: AVP.Program.Main(String[] args) console_handle: 0x0000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

c:\8ao24qg1glny8\obj\Release\doX.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 25, 2024, 6:42 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002ce00', u'virtual_address': u'0x00002000', u'entropy': 7.9872288727893945, u'name': u'.text', u'virtual_size': u'0x0002cd34'}

entropy

7.98722887279

description

A section with a high entropy has been found

entropy

0.986263736264

description

Overall entropy of this PE file is high

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Skyhigh	Artemis!Trojan
Cylance	Unsafe
Sangfor	Trojan.Msil.Kryptik.Vi9j
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.HAXT
McAfee	Artemis!AD8A02A68B36
Avast	PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Rising	Malware.Obfus/MSIL@AI.81 (RDM.MSIL2:Ea3nhGtjHIHjp+u1F7pCQQ)
TrendMicro	TrojanSpy.Win32.VIDAR.YXEHYZ
McAfeeD	ti!3891B4CA289D
Webroot	W32.Trojan.Gen
Avira	TR/Kryptik.psrub
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Spy.Win32.Gen.tr
Microsoft	Trojan:Win32/Sabsik.FL.A!ml
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	Win32.Trojan.Kryptik.5H4YRR
Varist	W32/ABTrojan.RTSR-4437
AhnLab-V3	Infostealer/Win.ApplicationInfo.C5661876
BitDefenderTheta	Gen:NN.ZemsilF.36812.mm2@ayz7i0ii
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.RedLineStealer.MSIL
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win32.VIDAR.YXEHYZ
huorong	Trojan/MSIL.Agent.li
AVG	PWSX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_100% (D)

66ca11c91d783_vaelw.exe#space

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All