Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 25, 2024, 6:42 p.m.	Aug. 25, 2024, 6:57 p.m.

Size	207.5KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`ec11395a4f9b30672b9392e14e684c24`
SHA256	`57716a4b2bcadec1a8ed2a88e33f79e49deb095f18f71eafd05ec18b80c60691`
CRC32	`0C458643`
ssdeep	`6144:zeZbxwNM/EdApHB+ACHRmTyMzC/Gm2YsEO:KuMMdGB+5cTyMzmGm9sEO`
PDB Path	c:\braudao\obj\Release\doX.pdb
Yara	PE_Header_Zero - PE File Signature Antivirus - Contains references to security software Is_DotNET_EXE - (no description) IsPE32 - (no description)

66ca560048cbe_sgrk.exe#space "C:\Users\test22\AppData\Local\Temp\66ca560048cbe_sgrk.exe#space"
1680

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Aug. 25, 2024, 6:42 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 25, 2024, 6:42 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0
IsDebuggerPresent Aug. 25, 2024, 6:42 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Aug. 25, 2024, 6:42 p.m.	buffer: Unhandled Exception: console_handle: 0x0000000b	1	1	0
WriteConsoleA Aug. 25, 2024, 6:42 p.m.	buffer: System.MissingMethodException: Method not found: '!!0 System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(IntPtr)'. at AVP.Program.Main(String[] args) console_handle: 0x0000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

c:\braudao\obj\Release\doX.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 25, 2024, 6:42 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1680 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1680 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2024, 6:42 p.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00030c00', u'virtual_address': u'0x00002000', u'entropy': 7.989455005162734, u'name': u'.text', u'virtual_size': u'0x00030b34'}

entropy

7.98945500516

description

A section with a high entropy has been found

entropy

0.987341772152

description

Overall entropy of this PE file is high

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Stealer.12!c
Elastic	malicious (high confidence)
Skyhigh	Artemis!Trojan
Cylance	Unsafe
Sangfor	Infostealer.Msil.Agent.Vjh9
BitDefender	Trojan.PasswordStealer.GenericKD.1205
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.HATX
McAfee	Artemis!EC11395A4F9B
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Alibaba	Trojan:MSIL/GenKryptik.6b10eb54
Rising	Stealer.Agent!8.C2 (CLOUD)
F-Secure	Trojan.TR/AD.Stealc.usimn
TrendMicro	Trojan.Win32.PRIVATELOADER.YXEHYZ
McAfeeD	ti!57716A4B2BCA
FireEye	Generic.mg.ec11395a4f9b3067
Sophos	Mal/Generic-S
Google	Detected
Avira	TR/AD.Stealc.usimn
Kingsoft	MSIL.Trojan-Spy.Stealer.gen
Gridinsoft	Malware.Win32.Stealc.tr
Microsoft	Trojan:Win32/Stealerc.GAB!MTB
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	Win32.Trojan.Kryptik.HLHH0I
Varist	W32/ABRisk.LGRQ-6885
AhnLab-V3	Infostealer/Win.ApplicationInfo.C5661876
BitDefenderTheta	Gen:NN.ZemsilF.36812.mm2@a0JA45hi
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.RedLineStealer.MSIL
Ikarus	Win32.Outbreak
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXEHYZ
Tencent	Win32.Trojan.FalseSign.Xwhl
huorong	Trojan/MSIL.Agent.li
Fortinet	MSIL/GenKryptik.HATX!tr
AVG	Win32:PWSX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_100% (D)
alibabacloud	Trojan:MSIL/GenKryptik.HMB#

66ca560048cbe_sgrk.exe#space

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All