Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 4, 2024, 9:37 a.m.	Sept. 4, 2024, 9:39 a.m.

Size	561.2KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`727d942e4c26b713b9498e8997fabf38`
SHA256	`9a312f6d3a5c24f60e7c5c54c3933424a3274a6ba84b03be4bf75f17aa297a93`
CRC32	`9D41EBF9`
ssdeep	`6144:dvMtLmAKS+bKnkT2Run2qKVuIiEfHy1ivop5B6HSTj+m6mogOKPetND2orSiMW:d0UWZkqI2d85kQsmS+BmqW`
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) UPX_Zero - UPX packed file

2.exe "C:\Users\test22\AppData\Local\Temp\2.exe"
1664

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
121.41.54.103	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 4, 2024, 9:30 a.m.	stacktrace: EnterCriticalSection+0x1e ExitThread-0x19 kernel32+0xaa404 @ 0x7706a404 0x5b01fe 0x7fffffdf250 0x38ec78 0x38ecb0 0x5b01fe 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64 exception.instruction_r: 4e 54 44 4c 4c 2e 52 74 6c 45 78 69 74 55 73 65 exception.symbol: EnterCriticalSection+0x1e ExitThread-0x19 kernel32+0xaa404 exception.instruction: push rsp exception.module: kernel32.dll exception.exception_code: 0xc0000005 exception.offset: 697348 exception.address: 0x7706a404 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 2003900256 registers.r10: 5964286 registers.rbx: 2003905312 registers.rsp: 3731816 registers.r11: 514 registers.r8: 3730552 registers.r9: 3730608 registers.rdx: 8796092887632 registers.r12: 3732240 registers.rbp: 5963786 registers.rdi: 100 registers.rax: 1996923908 registers.r13: 3732248	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 4, 2024, 9:30 a.m.	process_identifier: 1664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 17179873280 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00000000005b0000 process_handle: 0xffffffffffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

121.41.54.103

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Dump.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	Artemis!Trojan
ALYac	Dump:Generic.ShellCode.Marte.4.CD70048F
Cylance	Unsafe
VIPRE	Dump:Generic.ShellCode.Marte.4.CD70048F
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005b495c1 )
BitDefender	Dump:Generic.ShellCode.Marte.4.CD70048F
K7GW	Trojan ( 005b495c1 )
Cybereason	malicious.e4c26b
Arcabit	Dump:Generic.ShellCode.Marte.4.CD70048F
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win64/Agent.DST
APEX	Malicious
McAfee	Artemis!727D942E4C26
Avast	Win64:MalwareX-gen [Trj]
Kaspersky	Trojan.Win32.Shelm.aoig
NANO-Antivirus	Trojan.Win64.Meterpreter.knzqsi
MicroWorld-eScan	Dump:Generic.ShellCode.Marte.4.CD70048F
Rising	Trojan.Agent!8.B1E (CLOUD)
Emsisoft	Dump:Generic.ShellCode.Marte.4.CD70048F (B)
F-Secure	Trojan.TR/Agent.ovcfn
DrWeb	BackDoor.Meterpreter.240
Zillya	Trojan.Agent.Win64.54271
TrendMicro	Backdoor.Win64.SWRORT.YXEFAZ
McAfeeD	ti!9A312F6D3A5C
FireEye	Generic.mg.727d942e4c26b713
Sophos	Mal/Generic-S
Google	Detected
Avira	TR/Agent.ovcfn
MAX	malware (ai score=88)
Antiy-AVL	Trojan/Win32.Shelm
Kingsoft	Win32.Troj.Unknown.a
Microsoft	Trojan:Win64/Meterpreter.B
ViRobot	Trojan.Win.Z.Agent.574680
ZoneAlarm	Trojan.Win32.Shelm.aoig
GData	Dump:Generic.ShellCode.Marte.4.CD70048F
Varist	W64/ABTrojan.XANZ-0641
AhnLab-V3	Trojan/Win.Generic.R633197
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.4236864457
Ikarus	Trojan.Win64.Crypt
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Backdoor.Win64.SWRORT.YXEFAZ
Tencent	Malware.Win32.Gencirc.14155cc0
Yandex	Trojan.Shelm!GUXR2vUI3S4
huorong	HVM:Backdoor/Lotok.r

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	121.41.54.103:6666
dead_host	192.168.56.103:49161

2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All