Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 17, 2024, 1:32 p.m.	Sept. 17, 2024, 1:44 p.m.

Size	123.8KB
Type	MS-DOS executable
MD5	`4101b75d5e5fa4b011b571d090ed0501`
SHA256	`0edbf3d32b22b572f8763c00d13ab0c62f7cc654a729fb8a73de31b031a5169b`
CRC32	`A00D2A6B`
ssdeep	`3072:Up8pVnKOlShRr2hot1nliBNvZr4rEn7ZY2kvdG4gz:USpVKRahoX4NvZJnVYU4+`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

10.exe "C:\Users\test22\AppData\Local\Temp\10.exe"
2640

Name	Response	Post-Analysis Lookup
localupdate.ns02.info	A 192.227.134.159	192.227.134.159
LOCALSERVER.ns01.US	A 192.227.134.159	192.227.134.159

IP Address	Status	Action
164.124.101.2	Active	Moloch
192.227.134.159	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 17, 2024, 1:32 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	MEW\x00F\x12\xd2\xc3
section	\x02\xd2u\xdb\x8a\x16\xeb\xd4

The executable uses a known packer (1 event)

packer

MEW 11 SE v1.2 -> Northfox[HCC]

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001ed2a', u'virtual_address': u'0x00050000', u'entropy': 7.998393532936735, u'name': u'\\x02\\xd2u\\xdb\\x8a\\x16\\xeb\\xd4', u'virtual_size': u'0x0002d000'}

entropy

7.99839353294

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.NetWire.4!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Gaobot.cc
ALYac	Gen:Variant.Doris.1046
Cylance	Unsafe
VIPRE	Gen:Variant.Doris.1046
Sangfor	Spyware.Win32.Netwire.Vy9x
CrowdStrike	win/malicious_confidence_90% (D)
BitDefender	Gen:Variant.Doris.1046
K7GW	Trojan ( 003c84cb1 )
K7AntiVirus	Trojan ( 003c84cb1 )
Arcabit	Trojan.Doris.D416
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Spy.Weecnaw.P
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Dropper.NetWire-9951935-0
Kaspersky	Trojan.Win32.NetWire.llo
Alibaba	Malware:Win32/km_2ac18.None
NANO-Antivirus	Trojan.Win32.NetWire.jssnyn
MicroWorld-eScan	Gen:Variant.Doris.1046
Rising	Backdoor.NetWire!1.B84F (CLOUD)
Emsisoft	Gen:Variant.Doris.1046 (B)
F-Secure	Trojan.TR/Spy.Gen
DrWeb	BackDoor.Wirenet.576
Zillya	Trojan.Weecnaw.Win32.1045
McAfeeD	Real Protect-LS!4101B75D5E5F
Trapmine	malicious.high.ml.score
CTX	exe.trojan.netwire
Sophos	Mal/EncPk-BA
Ikarus	Backdoor.Win32.SdBot
FireEye	Generic.mg.4101b75d5e5fa4b0
Jiangmin	Trojan.NetWire.agi
Webroot	W32.NetWire
Google	Detected
Avira	TR/Spy.Gen
Antiy-AVL	GrayWare/Win32.Kryptik.pe
Kingsoft	Win32.HeurC.KVMH008.a
Gridinsoft	Malware.Win32.Gen.bot!se28865
Xcitium	Packed.Win32.Packer.~GEN@1oh172
Microsoft	Trojan:Win32/NetWire.AP!MTB
ZoneAlarm	Trojan.Win32.NetWire.llo
GData	Gen:Variant.Doris.1046
Varist	W32/ABApplication.NUEN-6765
McAfee	Backdoor.Win.NETWIRE
DeepInstinct	MALICIOUS
VBA32	Trojan.NetWire
Malwarebytes	HackTool.Patcher

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	192.168.56.101:49161
dead_host	192.168.56.101:49166
dead_host	192.227.134.159:1443

10.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All