Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 17, 2024, 1:33 p.m.	Sept. 17, 2024, 1:46 p.m.

Size	355.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8da6d3f4326ca248d0a99d21d2d8b135`
SHA256	`95897f8814e4c651671799af51c40fbe0a2334827683c82640627e270c57d9d7`
CRC32	`307801EE`
ssdeep	`6144:g2qezd2ab1/RuHk+M3k8M3W7XomjOJCqshrOlumY6DMIewgxQfq1sb:gf2R/EEkCQFYDwRqa`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

upd.exe "C:\Users\test22\AppData\Local\Temp\upd.exe"
1280

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
94.131.99.108	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.textbss

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 17, 2024, 1:33 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 61440 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:33 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778e6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 17, 2024, 1:33 p.m.	process_identifier: 1280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4132864 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097f000 process_handle: 0xffffffff	1

Communicates with host for which no DNS query was performed (1 event)

host

94.131.99.108

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Zbot.lx9X
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Rhadaman.S33183739
Skyhigh	Artemis!Trojan
ALYac	Gen:Variant.Zusy.537695
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.537695
Sangfor	Infostealer.Win32.Rhadamanthys.Vtir
BitDefender	Gen:Variant.Zusy.537695
K7GW	Riskware ( 00584baa1 )
K7AntiVirus	Riskware ( 00584baa1 )
Arcabit	Trojan.Zusy.D8345F
VirIT	Trojan.Win32.GenusT.DVAD
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Kryptik.HXAU
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Packed.Zusy-10024420-0
Kaspersky	HEUR:Trojan.Win32.Strab.gen
Alibaba	Trojan:Win32/Rhadamanthys.1198a1a8
SUPERAntiSpyware	Trojan.Agent/Gen-Crypt
MicroWorld-eScan	Gen:Variant.Zusy.537695
Rising	Trojan.Rhadamanthys!8.178A1 (TFE:1:EE65rmTGwTO)
Emsisoft	Gen:Variant.Zusy.537695 (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen
DrWeb	Trojan.PWS.Siggen3.36250
Zillya	Trojan.KryptikAGen.Win32.123793
TrendMicro	TrojanSpy.Win32.RHADAMANTHYS.YXEIOZ
McAfeeD	ti!95897F8814E4
Trapmine	malicious.moderate.ml.score
CTX	exe.trojan.rhadamanthys
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Generic.mg.8da6d3f4326ca248
Jiangmin	Trojan.Strab.cnp
Google	Detected
Avira	TR/Crypt.XPACK.Gen
Antiy-AVL	Trojan/Win32.Strab
Kingsoft	malware.kb.a.991
Gridinsoft	Malware.Win32.Gen.tr
Microsoft	Trojan:Win32/Rhadamanthys.ESAA!MTB
ViRobot	Trojan.Win.Z.Zusy.363520.AP
ZoneAlarm	HEUR:Trojan.Win32.Strab.gen
GData	Gen:Variant.Zusy.537695
Varist	W32/Kryptik.LSA.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R637359
McAfee	Artemis!8DA6D3F4326C
TACHYON	Trojan/W32.Strab.363520

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (13 events)

dead_host	192.168.56.103:49171
dead_host	192.168.56.103:49170
dead_host	192.168.56.103:49163
dead_host	192.168.56.103:49173
dead_host	94.131.99.108:8899
dead_host	192.168.56.103:49172
dead_host	192.168.56.103:49175
dead_host	192.168.56.103:49165
dead_host	192.168.56.103:49174
dead_host	192.168.56.103:49169
dead_host	192.168.56.103:49167
dead_host	192.168.56.103:49168
dead_host	192.168.56.103:49166

upd.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All