Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 30, 2024, 9:31 a.m.	Sept. 30, 2024, 9:46 a.m.

Size	286.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`151530ff15af8f65a6c601b345ce685e`
SHA256	`ab843a2d0788504a1a035f4624ce03d663bc970aa27ba3290445971dfc332185`
CRC32	`7F06B134`
ssdeep	`6144:Foy8kQ/sEx0e/JwqpTbTtJFfAnGMYfalQilEl4lhFs8VPEG0RFBhxjzg3j/WL:d6xfA+falQrl4lZEG0RrTgTuL`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

r.exe "C:\Users\test22\AppData\Local\Temp\r.exe"
1172
- explorer.exe C:\Windows\Explorer.EXE
  1236
- r.exe "C:\Program Files\Radmin\r.exe"
  2100

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 30, 2024, 9:31 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 30, 2024, 9:31 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 9:31 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 30, 2024, 9:31 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 30, 2024, 9:32 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:31 a.m.	process_identifier: 2100 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:31 a.m.	process_identifier: 2100 region_size: 352256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:31 a.m.	process_identifier: 2100 region_size: 450560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:31 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:31 a.m.	process_identifier: 2100 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:31 a.m.	process_identifier: 2100 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:31 a.m.	process_identifier: 2100 region_size: 180224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 9:31 a.m.	process_identifier: 2100 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0091a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 30, 2024, 9:31 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 9935740928 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Foreign language identified in PE resource (13 events)

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001d5a0

size

0x00000bb6

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000249d0

size

0x0000019e

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000249d0

size

0x0000019e

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000249d0

size

0x0000019e

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000249d0

size

0x0000019e

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000249d0

size

0x0000019e

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000249d0

size

0x0000019e

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00024e94

size

0x000001a4

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00024e94

size

0x000001a4

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00024e94

size

0x000001a4

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00024e94

size

0x000001a4

name

RT_RCDATA

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00025038

size

0x00000010

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000250cc

size

0x0000033f

Creates executable files on the filesystem (3 events)

file	C:\Program Files\Radmin\r.exe
file	C:\Program Files\Radmin\AdmDll.dll
file	C:\Users\test22\Desktop\¿ªÆôÔ¶³Ì¿ØÖÆ.lnk

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Desktop\¿ªÆôÔ¶³Ì¿ØÖÆ.lnk

Drops a binary and executes it (1 event)

file	C:\Program Files\Radmin\r.exe

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware
Lionic	Riskware.Win32.RAdmin.1!c
CAT-QuickHeal	Trojan.IGENERICPMF.S2618989
Skyhigh	RemAdm-RemoteAdmin.o
ALYac	Application.Generic.3705174
Cylance	Unsafe
VIPRE	Application.Generic.3705174
Sangfor	PUP.Win32.Remoteadmin.V6wj
CrowdStrike	win/malicious_confidence_70% (W)
BitDefender	Application.Generic.3705174
K7GW	Unwanted-Program ( 00568e2f1 )
K7AntiVirus	Unwanted-Program ( 00568e2f1 )
Arcabit	Application.Generic.D388956
Symantec	PUA.Gen.2
ESET-NOD32	Win32/RemoteAdmin potentially unsafe
Avast	Win32:Radmin-BT [PUP]
Kaspersky	not-a-virus:RemoteAdmin.Win32.RAdmin.tw
Alibaba	RiskWare:Win32/RAdmin.09a8860c
NANO-Antivirus	Riskware.Win32.RAdmin.gbat
MicroWorld-eScan	Application.Generic.3705174
Rising	Trojan.Kryptik@AI.85 (RDML:Yl8zFfv6SInebpeSc3cowA)
Emsisoft	Application.Generic.3705174 (B)
F-Secure	Riskware:W32/RAdmin.B
DrWeb	Program.RemoteAdmin.669
Zillya	Trojan.Yoddos.Win32.536
TrendMicro	HackTool.Win32.Radmin.GZ
McAfeeD	ti!AB843A2D0788
CTX	exe.remote-access-trojan.radmin
Sophos	Generic Reputation PUA (PUA)
FireEye	Generic.mg.151530ff15af8f65
Jiangmin	Packed.PePatch.mll
Google	Detected
Antiy-AVL	RiskWare[RemoteAdmin]/Win32.RAdmin
Kingsoft	malware.kb.a.928
Gridinsoft	Risk.Win32.RemoteAdmin.dd!s1
Xcitium	ApplicUnsaf.Win32.RemoteAdmin@4dyo
Microsoft	Program:Win32/Wacapew.C!ml
ZoneAlarm	not-a-virus:RemoteAdmin.Win32.RAdmin.tw
GData	Application.Generic.3705174
Varist	W32/RemoteAdmin.AQIP-3881
McAfee	Artemis!151530FF15AF
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Trojan.RemoteAdmin
Panda	Trj/CI.A
TrendMicro-HouseCall	HackTool.Win32.Radmin.GZ
Yandex	Trojan.RemoteAdmin!8A+sIKpMaNg
MaxSecure	Trojan.Malware.73425783.susgen
Fortinet	Riskware/RAdmin
AVG	Win32:Radmin-BT [PUP]

r.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All