Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 3, 2024, 9:02 a.m.	Sept. 3, 2024, 9:08 a.m.

Size	33.0KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`a7878575f2e9f431c354c17a3e768fd9`
SHA256	`375552e53a0c25aa36cd66827b97f7576177d1fa81efd978a55b2ec93a5b5fdd`
CRC32	`3D3335E3`
ssdeep	`768:JDgPyko/W1zzJviFbXaj3cLnOTyY8nVj4:JDPko/6uaj3crtVj4`
PDB Path	C:\Users\User_2\Documents\GitHub\Youtube-Viewers\Youtube-Viewers\obj\Debug\Youtube-Viewers.pdb
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

Youtube-Viewers.exe "C:\Users\test22\AppData\Local\Temp\Youtube-Viewers.exe"
496

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 3, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 3, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Sept. 3, 2024, 9:02 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Sept. 3, 2024, 9:02 a.m.	buffer: Unhandled Exception: console_handle: 0x0000000b	1	1	0
WriteConsoleA Sept. 3, 2024, 9:02 a.m.	buffer: System.IO.FileNotFoundException: Could not load file or assembly 'Leaf.xNet, Version=5.2.10.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified. console_handle: 0x0000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\User_2\Documents\GitHub\Youtube-Viewers\Youtube-Viewers\obj\Debug\Youtube-Viewers.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 3, 2024, 9:02 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 496 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 496 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 496 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 3, 2024, 9:02 a.m.	process_identifier: 496 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00003c00', u'virtual_address': u'0x00008000', u'entropy': 7.738959723134562, u'name': u'.rsrc', u'virtual_size': u'0x00003b6c'}

entropy

7.73895972313

description

A section with a high entropy has been found

entropy

0.461538461538

description

Overall entropy of this PE file is high

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Hacktool.Win32.BruteForce.3!c
Elastic	malicious (moderate confidence)
CAT-QuickHeal	PUA.BruteforceFC.S20327855
Skyhigh	RDN/Generic PUP.z
Cylance	Unsafe
Sangfor	Hacktool.Win32.Bruteforce.V2uj
K7AntiVirus	Hacktool ( 005787ef1 )
K7GW	Hacktool ( 005787ef1 )
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/HackTool.BruteForce.AGA
APEX	Malicious
McAfee	RDN/Generic PUP.z
Avast	Win32:MalwareX-gen [Trj]
Alibaba	Trojan:MSIL/MalwareX.78afdcb6
Rising	HackTool.BruteForce!8.762 (CLOUD)
Zillya	Tool.BruteForce.Win32.4860
McAfeeD	ti!375552E53A0C
SentinelOne	Static AI - Suspicious PE
Google	Detected
Antiy-AVL	HackTool/MSIL.BruteForce
Microsoft	Trojan:Win32/Zpevdo.B
Varist	W32/MSIL_Hacktool.F.gen!Eldorado
BitDefenderTheta	Gen:NN.ZemsilCO.36812.cm0@aekFiHj
DeepInstinct	MALICIOUS
Malwarebytes	HackTool.BruteForce
Yandex	Riskware.BruteForce!0JNUN3a4zb8
huorong	Trojan/MSIL.Agent.bn
MaxSecure	Trojan.Malware.116369487.susgen
Fortinet	MSIL/BruteForce.AGA!tr
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_100% (W)
alibabacloud	HackTool:MSIL/Bruteforce.AGA

Youtube-Viewers.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All