Summary | ZeroBOX

win.exe

UPX PE32 PE File
Category:  FILE
Machine:   s1_win7_x6401
Started:   Aug. 26, 2024, 9:28 a.m.
Completed: Aug. 26, 2024, 9:30 a.m.
Size 1.8MB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5 48dfda3eff897f0a62f71bbac51ff237
SHA256 8cd97e352b65f7425930a982b8bc258c16e46096942e4a620e4e2ef472f2a487
CRC32 1B8179C3
ssdeep 49152:BDmghls3y1+XfWL6Vcp5/ZiId/LwJxkh4:Bmghls5Bq/40+
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Name            Response         Post-Analysis Lookup
www.google.com  142.250.207.100

IP Address      Status  Action
154.201.84.201  Active  Moloch
164.124.101.2   Active  Moloch

Suricata Alerts

Flow                                             SID      Signature                                   Category
TCP 192.168.56.101:49164 -> 154.201.84.201:808   2024897  ET USER_AGENTS Go HTTP Client User-Agent   Misc activity

Suricata TLS

Flow                                                   Issuer  Subject  Fingerprint
TLS 1.3  192.168.56.101:49161 -> 154.201.84.201:8011  None    None     None

packer UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
file C:\ProgramData\Microsoft\csrss.exe
Time & API  Arguments  Status  Return  Repeated

GetAdaptersAddresses
  flags: 16
  family: 0
  Status 1, Return 0, Repeated 0
section  UPX1 (virtual_address 0x0039d000, virtual_size 0x001ce000, size_of_data 0x001cd200, entropy 7.916870772381234)  entropy 7.91687077238  description  A section with a high entropy has been found
entropy  0.999458141425  description  Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
host 154.201.84.201
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Administrator reg_value C:\ProgramData\Microsoft\csrss.exe
Time & API  Arguments  Status  Return  Repeated

LdrGetProcedureAddress
  ordinal: 0
  function_address: 0x003dfa09
  function_name: wine_get_version
  module: ntdll
  module_address: 0x76f10000
  Status/Return/Repeated: 3221225785 0
  (3221225785 is NTSTATUS 0xC0000139, STATUS_ENTRYPOINT_NOT_FOUND: ntdll on real Windows does not export wine_get_version, which Wine's ntdll does, so a failed lookup of this name is a common Wine/sandbox-detection check.)
Bkav W32.AIDetectMalware
Elastic malicious (moderate confidence)
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Generic.tc
ALYac Gen:Variant.Fragtor.149252
Cylance Unsafe
VIPRE Gen:Variant.Fragtor.149252
Sangfor Trojan.Win32.Save.a
BitDefender Gen:Variant.Fragtor.149252
Cybereason malicious.eff897
Arcabit Trojan.Fragtor.D24704
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of WinGo/Agent.HV
APEX Malicious
McAfee GenericRXUL-WJ!70CAAF13A416
Avast Win32:Evo-gen [Trj]
ClamAV Win.Malware.Lazy-9969515-0
Kaspersky UDS:Trojan.Win32.Chaos
MicroWorld-eScan Gen:Variant.Fragtor.149252
Rising Backdoor.Kaiji/Linux!1.E52B (CLASSIC)
Emsisoft Gen:Variant.Fragtor.149252 (B)
F-Secure Heuristic.HEUR/AGEN.1366851
DrWeb BackDoor.Siggen2.4187
McAfeeD Real Protect-LS!48DFDA3EFF89
Trapmine suspicious.low.ml.score
FireEye Gen:Variant.Fragtor.149252
Ikarus Trojan.WinGo.Agent
Google Detected
Avira HEUR/AGEN.1366851
MAX malware (ai score=87)
Antiy-AVL Trojan/Win32.SGeneric
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm VHO:Trojan-Ransom.Win32.Convagent.gen
GData Gen:Variant.Fragtor.149252
AhnLab-V3 Trojan/Win.Generic.R657745
BitDefenderTheta Gen:NN.ZexaF.36812.ZnGfa0@5NFpi
DeepInstinct MALICIOUS
VBA32 TrojanRansom.Chaos
Malwarebytes Trojan.Injector.UPX
Tencent Trojan-Ransom.Win32.Foreign.ka
huorong Backdoor/Chaos.a
AVG Win32:Evo-gen [Trj]
CrowdStrike win/malicious_confidence_90% (W)
alibabacloud Backdoor:Win/Agent.HV
dead_host 192.168.56.101:49167
dead_host 192.168.56.1:22
dead_host 192.168.56.103:22
dead_host 192.168.56.101:49268