Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.20 10:09
Document.exe
09.20 10:09
payload.ps1
09.20 10:09
Documents..pdf...........
09.20 10:09
payload.txt.ps1
09.20 10:09
detalis.aspx
09.20 10:09
jrj6.exe
09.20 10:09
1.exe
09.20 10:09
vdfsh12.exe
09.20 10:09
vsg15.exe
09.19 02:09
66ea645129e6a_jacobs.exe

Latest News
09.20 10:09
Apple iPhone 16 Reache...
09.20 10:09
에그, '에그제트(eggz) 문빔건메탈'...
09.20 10:09
Meituan’s 63% Stock Su...
09.20 09:09
케이케이소프트, '스타트업 창업 성공 노...
09.20 09:09
한성정보기술, 지능형 CCTV 배회·침입...
09.20 09:09
'Marko Polo' hackers f...
09.20 09:09
Only 1/3 of businesses...
09.20 09:09
한국능률교육평가원, 무료 수강 진행......
09.20 09:09
일본구매대행 사이트 재팬스타일, 스트릿 ...
09.20 09:09
윤솔에프앤씨, 여성UP엑스포서 혁신적인 ...

Summary | ZeroBOX

66d0502b12496_MKna.exe#main

UPX Malicious Library PE32 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 30, 2024, 6:06 p.m.	Aug. 30, 2024, 6:09 p.m.

Size	3.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f8afafba3e86d50ad9edce1d0ea179ab`
SHA256	`2c52f6d1206bc754c5e3ad485b7406d7d611d7d490a2252a969f2cd874ea9569`
CRC32	`BBDDB4A3`
ssdeep	`49152:Aa5dRh/rrdcQX7kAmen7jJRkNkdKiJZeKtH0LzHPzkRyq/cHG53IpOMb6tdz6c:Aa5rJ/+ewIH/5dKaZeQH0Lc8GKAdz6c`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

66d0502b12496_MKna.exe#main "C:\Users\test22\AppData\Local\Temp\66d0502b12496_MKna.exe#main"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 30, 2024, 6:06 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 30, 2024, 6:06 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 30, 2024, 6:06 p.m.	stacktrace: RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x76fdf559 RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x76fdf639 RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x76f8df95 free+0x39 memcpy-0x43 msvcrt+0x98cd @ 0x760b98cd 66d0502b12496_mkna+0x13a9 @ 0x4013a9 66d0502b12496_mkna+0x115f @ 0x40115f 66d0502b12496_mkna+0x6abc @ 0x406abc exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653 exception.instruction: jmp 0x76fde667 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 845395 exception.address: 0x76fde653 registers.esp: 1636712 registers.edi: 1637248 registers.eax: 1636728 registers.ebp: 1636832 registers.edx: 0 registers.ebx: 0 registers.esi: 5111808 registers.ecx: 2147483647	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 30, 2024, 6:06 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
ESET-NOD32	Win32/Packed.7Zip.AI
ClamAV	Win.Malware.7zip-10013374-0
Kaspersky	HEUR:Trojan.Win32.SFX.gen
Rising	Stealer.Agent/SFX!1.F3AF (CLASSIC)
Trapmine	suspicious.low.ml.score
Ikarus	Trojan.Win32.7zip
Microsoft	Trojan:Win32/Wacatac.H!ml
ZoneAlarm	HEUR:Trojan.Win32.SFX.gen
CrowdStrike	win/grayware_confidence_60% (D)