Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 5, 2024, 10:54 a.m.	Sept. 5, 2024, 10:57 a.m.

Size	3.7MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`68ebcc4ad727c077aeb5cc60b868e304`
SHA256	`d83c67e9aac5d88da1c30ab4d05bb0ad08358532d298e8cf60b9d8798c262ce4`
CRC32	`FC3A84BE`
ssdeep	`49152:3JawLbHv2lgbLsuyYHlt8Ui4fhn5IjD0iCT:3XbH573t8aZ5`
PDB Path	premium_gitrep.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult IsPE32 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

66d59ef9d4404_premium.exe#upus "C:\Users\test22\AppData\Local\Temp\66d59ef9d4404_premium.exe#upus"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 5, 2024, 10:54 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 5, 2024, 10:54 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 5, 2024, 10:54 a.m.			0	0
IsDebuggerPresent Sept. 5, 2024, 10:54 a.m.			0	0
IsDebuggerPresent Sept. 5, 2024, 10:54 a.m.			0	0
IsDebuggerPresent Sept. 5, 2024, 10:54 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

premium_gitrep.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 5, 2024, 10:54 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.sdata

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

DATA

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02310000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00785000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0078b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00787000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 10:54 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a68000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0029e000', u'virtual_address': u'0x00002000', u'entropy': 7.280975784948719, u'name': u'.text', u'virtual_size': u'0x0029dfa4'}

entropy

7.28097578495

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0010de00', u'virtual_address': u'0x002a2000', u'entropy': 6.915110040621858, u'name': u'.rsrc', u'virtual_size': u'0x0010dd08'}

entropy

6.91511004062

description

A section with a high entropy has been found

entropy

0.999734077915

description

Overall entropy of this PE file is high

File has been identified by 46 AntiVirus engines on VirusTotal as malicious (46 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Crypt.4!c
Elastic	malicious (high confidence)
Skyhigh	Artemis!Trojan
ALYac	Trojan.GenericKD.74002980
VIPRE	Trojan.GenericKD.74002940
Sangfor	Trojan.Msil.Kryptik.Va7p
K7AntiVirus	Trojan ( 005b6e851 )
BitDefender	Trojan.GenericKD.74002940
K7GW	Trojan ( 005b6e851 )
Arcabit	Trojan.Generic.D46931FC
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.ALTN
APEX	Malicious
McAfee	Artemis!68EBCC4AD727
Avast	Win32:MalwareX-gen [Trj]
ClamAV	Win.Packed.Malwarex-10033462-0
Kaspersky	HEUR:Trojan.MSIL.Crypt.gen
Alibaba	Trojan:MSIL/Kryptik.7177d255
MicroWorld-eScan	Trojan.GenericKD.74002940
Rising	Malware.Obfus/MSIL@AI.89 (RDM.MSIL2:5o9jgZVb81r2HZl24jv8Eg)
Emsisoft	Trojan.GenericKD.74002940 (B)
F-Secure	Trojan.TR/AVI.Lumma.twazv
TrendMicro	TrojanSpy.Win32.LUMMASTEALER.YXEICZ
McAfeeD	ti!D83C67E9AAC5
FireEye	Generic.mg.68ebcc4ad727c077
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/AVI.Lumma.twazv
MAX	malware (ai score=81)
Kingsoft	MSIL.Trojan.Crypt.gen
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.MSIL.Crypt.gen
GData	Trojan.GenericKD.74002940
BitDefenderTheta	Gen:NN.ZemsilCO.36812.Rt0@aG8LV7kc
DeepInstinct	MALICIOUS
Ikarus	Trojan.MSIL.Crypt
TrendMicro-HouseCall	TrojanSpy.Win32.LUMMASTEALER.YXEICZ
Tencent	Msil.Trojan.Crypt.Yimw
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.ALTN!tr
AVG	Win32:MalwareX-gen [Trj]
CrowdStrike	win/malicious_confidence_90% (D)
alibabacloud	Trojan:MSIL/Kryptik.AEBB

66d59ef9d4404_premium.exe#upus

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All