Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 17, 2024, 1:32 p.m.	Sept. 17, 2024, 2:01 p.m.

Size	123.9KB
Type	MS-DOS executable
MD5	`adc4317ced6ff9de7e8b5fc1f60b380a`
SHA256	`934f956a1d2dda18dd41936e1501ce338651986c370594eb67a1c74d759990eb`
CRC32	`F9808F01`
ssdeep	`3072:6lWXBDp575Ptx4WR59bhpRi3nFsoomZjHbCRFcilcU8C3y2bfvXh:npzlxjXrR4s76T2RxlcUAGfvXh`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

1.exe "C:\Users\test22\AppData\Local\Temp\1.exe"
2556

Name	Response	Post-Analysis Lookup
localupdate.ns02.info	A 192.227.134.159	192.227.134.159
LOCALSERVER.ns01.US	A 192.227.134.159	192.227.134.159

IP Address	Status	Action
164.124.101.2	Active	Moloch
192.227.134.159	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 17, 2024, 1:32 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	MEW\x00F\x12\xd2\xc3
section	\x02\xd2u\xdb\x8a\x16\xeb\xd4

The executable uses a known packer (1 event)

packer

MEW 11 SE v1.2 -> Northfox[HCC]

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001eda9', u'virtual_address': u'0x00051000', u'entropy': 7.998512779464746, u'name': u'\\x02\\xd2u\\xdb\\x8a\\x16\\xeb\\xd4', u'virtual_size': u'0x0002d000'}

entropy

7.99851277946

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.NetWire.4!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Gaobot.cc
ALYac	Gen:Variant.Doris.1046
Cylance	Unsafe
VIPRE	Gen:Variant.Doris.1046
Sangfor	Spyware.Win32.Netwire.Vfkh
CrowdStrike	win/malicious_confidence_70% (D)
BitDefender	Gen:Variant.Doris.1046
K7GW	Trojan ( 003c84cb1 )
K7AntiVirus	Trojan ( 003c84cb1 )
Arcabit	Trojan.Doris.D416
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Spy.Weecnaw.P
Avast	Win32:Trojan-gen
ClamAV	Win.Dropper.NetWire-9951935-0
Kaspersky	Trojan.Win32.NetWire.llp
Alibaba	Malware:Win32/km_2ac18.None
NANO-Antivirus	Trojan.Win32.NetWire.jowrpa
MicroWorld-eScan	Gen:Variant.Doris.1046
Rising	Backdoor.NetWire!1.B84F (CLOUD)
Emsisoft	Gen:Variant.Doris.1046 (B)
F-Secure	Trojan.TR/Spy.Gen
DrWeb	Trojan.MulDrop20.4281
Zillya	Trojan.Weecnaw.Win32.1000
TrendMicro	TROJ_GEN.R002C0DIF24
McAfeeD	Real Protect-LS!ADC4317CED6F
Trapmine	malicious.high.ml.score
CTX	exe.trojan.netwire
Sophos	Mal/EncPk-BA
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.adc4317ced6ff9de
Jiangmin	Trojan.NetWire.aey
Webroot	Trojan.Dropper.Gen
Google	Detected
Avira	TR/Spy.Gen
Antiy-AVL	GrayWare/Win32.Kryptik.pe
Kingsoft	Win32.HeurC.KVMH008.a
Gridinsoft	Trojan.Win32.Gen.tr
Xcitium	Packed.Win32.Packer.~GEN@1oh172
Microsoft	Backdoor:Win32/Netwire.GG!MTB
ZoneAlarm	Trojan.Win32.NetWire.llp
GData	Gen:Variant.Doris.1046
Varist	W32/ABTrojan.SEEL-6405
McAfee	Artemis!ADC4317CED6F
DeepInstinct	MALICIOUS
VBA32	Trojan.NetWiredRC
Malwarebytes	HackTool.Patcher

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	192.168.56.101:49164
dead_host	192.168.56.101:49161
dead_host	192.227.134.159:1443

1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All