Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 25, 2024, 6:42 p.m.	Aug. 25, 2024, 7:01 p.m.

Size	314.5KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`724a304d92c8e4920afbc604d34ad74a`
SHA256	`5c3058217a873a3393cf4b033ade3717e25c1d1cee2cc44c79e92fa8b9a73c38`
CRC32	`66F46797`
ssdeep	`6144:CTnxNdwRsC6ICw1CSgeaL07RtmRjqajRGVD8xcDWraF0yFbrbVuF:CtNdwRsCQiIec0t8jqajRJFmF0yFRuF`
PDB Path	c:\lbuiwg3b\obj\Release\doX.pdb
Yara	PE_Header_Zero - PE File Signature Antivirus - Contains references to security software Is_DotNET_EXE - (no description) IsPE32 - (no description)

66c9dcdb986c5_crypted.exe#1 "C:\Users\test22\AppData\Local\Temp\66c9dcdb986c5_crypted.exe#1"
1540

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Aug. 25, 2024, 6:42 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 25, 2024, 6:42 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Aug. 25, 2024, 6:42 p.m.	buffer: Unhandled Exception: console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 25, 2024, 6:42 p.m.	buffer: System.MissingMethodException: Method not found: '!!0 System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(IntPtr)'. at AVP.Program.Main(String[] args) console_handle: 0x0000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

c:\lbuiwg3b\obj\Release\doX.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 25, 2024, 6:42 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1540 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f62000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1540 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0004de00', u'virtual_address': u'0x00002000', u'entropy': 7.994790138127732, u'name': u'.text', u'virtual_size': u'0x0004dd34'}

entropy

7.99479013813

description

A section with a high entropy has been found

entropy

0.992038216561

description

Overall entropy of this PE file is high

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.Generic.fc
Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.V4v0
BitDefender	Trojan.PasswordStealer.GenericKD.1203
Arcabit	Trojan.PasswordStealer.Generic.D4B3
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.HAXT
APEX	Malicious
McAfee	Artemis!724A304D92C8
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Alibaba	TrojanSpy:MSIL/Stealer.2ab055a8
MicroWorld-eScan	Trojan.PasswordStealer.GenericKD.1203
Emsisoft	Trojan.PasswordStealer.GenericKD.1203 (B)
F-Secure	Trojan.TR/AD.RedLineSteal.nezst
TrendMicro	TrojanSpy.Win32.METASTEALER.YXEHXZ
McAfeeD	ti!5C3058217A87
FireEye	Generic.mg.724a304d92c8e492
Sophos	ML/PE-A
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Malware.Gen
Google	Detected
Avira	TR/AD.RedLineSteal.nezst
MAX	malware (ai score=82)
Antiy-AVL	Trojan[Spy]/MSIL.Stealer
Kingsoft	MSIL.Trojan-Spy.Stealer.gen
Gridinsoft	Malware.Win32.RedLine.tr
Microsoft	Trojan:MSIL/Redline.MG!MTB
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	Trojan.PasswordStealer.GenericKD.1203
Varist	W32/ABTrojan.GGKS-5755
AhnLab-V3	Infostealer/Win.AntiAV.C5661812
BitDefenderTheta	Gen:NN.ZemsilF.36812.tm0@aqZhnLei
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Win32.Outbreak
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TrojanSpy.Win32.METASTEALER.YXEHXZ
huorong	Trojan/MSIL.Agent.li
Fortinet	PossibleThreat.MU
AVG	Win32:PWSX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (D)

66c9dcdb986c5_crypted.exe#1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All