Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 5, 2024, 3:26 p.m.	Sept. 5, 2024, 3:27 p.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`87953bdf18ba88061cf28ad17116b56f`
SHA256	`9ad06b0e000800a33d381949658dbd0bfd7c7f1025aa5c81621b55f2f69a7a3f`
CRC32	`11C6E517`
ssdeep	`49152:q2B3FBfJXAEYFutJhzl6NNd5b6tvkn0dqw6CK24/L6W:q2B3FBfKEWocx+40+bTj`
PDB Path	D:\Projects\WinRAR\sfx\setup\build\sfxrar32\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

data64_6.exe "C:\Users\test22\AppData\Local\Temp\data64_6.exe"
2552
- regsvr32.exe "C:\Windows\System32\regsvr32.exe" /U /S V8NgH.K
  2700

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\setup\build\sfxrar32\Release\sfxrar.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 5, 2024, 3:26 p.m.	process_identifier: 2552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73332000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2024, 3:26 p.m.	process_identifier: 2700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75511000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2024, 3:26 p.m.	process_identifier: 2700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 3:26 p.m.	process_identifier: 2700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 3:26 p.m.	process_identifier: 2700 region_size: 913408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2cde0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 3:26 p.m.	process_identifier: 2700 region_size: 913408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2dc40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 3:26 p.m.	process_identifier: 2700 region_size: 753664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2dd80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 3:26 p.m.	process_identifier: 2700 region_size: 765952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2de40000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2024, 3:26 p.m.	process_identifier: 2700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2024, 3:26 p.m.	process_identifier: 2700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00061000 process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	regsvr32 /U /S V8NgH.K
cmdline	"C:\Windows\System32\regsvr32.exe" /U /S V8NgH.K

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\v8NgH.K

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00027000', u'virtual_address': u'0x00066000', u'entropy': 7.763971067089891, u'name': u'.rsrc', u'virtual_size': u'0x00026eb8'}

entropy

7.76397106709

description

A section with a high entropy has been found

entropy

0.375

description

Overall entropy of this PE file is high

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2552 resumed a thread in remote process 2700
NtResumeThread Sept. 5, 2024, 3:26 p.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2700	1	0	0

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
FireEye	Trojan.GenericKD.49061858
CAT-QuickHeal	Trojan.Qshell
ALYac	Trojan.GenericKD.49061858
Cylance	Unsafe
Paloalto	generic.ml
Sangfor	Trojan.Win32.Agent.aa
K7AntiVirus	Riskware ( 0040eff71 )
BitDefender	Trojan.GenericKD.49061858
K7GW	Riskware ( 0040eff71 )
Arcabit	Trojan.Generic.D2EC9FE2
Cyren	W32/ABTrojan.KBGH-3290
ESET-NOD32	a variant of Win32/Injector.ERRT
Avast	Win32:Malware-gen
ClamAV	Win.Malware.Uztuby-9951918-0
Kaspersky	UDS:DangerousObject.Multi.Generic
Alibaba	Trojan:Win32/Qakbot.ae228048
MicroWorld-eScan	Trojan.GenericKD.49061858
Ad-Aware	Trojan.GenericKD.49061858
Emsisoft	Trojan.GenericKD.49061858 (B)
Comodo	Malware@#38nu78dxwzs3d
TrendMicro	TROJ_GEN.R01FC0DET22
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Injector
Avira	HEUR/AGEN.1249137
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.AI.cl
Microsoft	Trojan:Win32/Qakbot.PMH!MTB
GData	Trojan.GenericKD.49061858
AhnLab-V3	Malware/Win.Runner.C4814559
McAfee	Artemis!87953BDF18BA
VBA32	Trojan.Qakbot
Malwarebytes	Malware.AI.2104200805
TrendMicro-HouseCall	TROJ_GEN.R01FC0DET22
Tencent	Win32.Trojan.Qshell.Ebqr
MAX	malware (ai score=80)
MaxSecure	Trojan.Malware.1728101.susgen
AVG	Win32:Malware-gen
Panda	Trj/Genetic.gen
CrowdStrike	win/malicious_confidence_100% (W)

data64_6.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All