Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 30, 2024, 11:25 a.m.	Sept. 30, 2024, 11:44 a.m.

Size	317.0KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`48b59bd4c9219cc6f4bca6a45642dcbd`
SHA256	`0411c3152398d2ce23e4bf07868adf49a5d24fe27558cbd92fb8fcb787b926de`
CRC32	`4AA40B1B`
ssdeep	`6144:1ZGJnK41dgy48a2905kAfUMsFKGu22WFYzbUXZ+N:1ZpAdgy6kJMsHoWS4X0`
PDB Path	c:\rje\tg\k\obj\Release\ojc.pdb
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

66f6dac63154d_crypted.exe "C:\Users\test22\AppData\Local\Temp\66f6dac63154d_crypted.exe"
2540

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 30, 2024, 11:21 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 30, 2024, 11:21 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 30, 2024, 11:21 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:21 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:21 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:21 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Sept. 30, 2024, 11:21 a.m.	buffer: System.MissingMethodException: ???? ?? ? ????. '!!0 System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(IntPtr)' ??: GCM.Program.Main(String[] args) console_handle: 0x0000000b	1	1	0

This executable has a PDB path (1 event)

pdb_path

c:\rje\tg\k\obj\Release\ojc.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 30, 2024, 11:21 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 30, 2024, 11:21 a.m.	process_identifier: 2540 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:21 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:21 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:21 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:21 a.m.	process_identifier: 2540 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:21 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:21 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:21 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:21 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:21 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:21 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:21 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:21 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0004ea00', u'virtual_address': u'0x00002000', u'entropy': 7.994101274971393, u'name': u'.text', u'virtual_size': u'0x0004e884'}

entropy

7.99410127497

description

A section with a high entropy has been found

entropy

0.993680884676

description

Overall entropy of this PE file is high

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Stealc.4!c
Skyhigh	BehavesLike.Win32.AdwareFiseria.fc
ALYac	Trojan.GenericKD.74209703
Cylance	Unsafe
VIPRE	Trojan.GenericKD.74209703
Sangfor	Trojan.Msil.Kryptik.V3rz
CrowdStrike	win/malicious_confidence_70% (D)
BitDefender	Trojan.GenericKD.74209703
K7GW	Trojan ( 700000121 )
K7AntiVirus	Trojan ( 700000121 )
Arcabit	Trojan.Generic.D46C59A7
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/GenKryptik.HCCC
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Packed.Msilzilla-10036350-0
Alibaba	Trojan:MSIL/GenKryptik.eaedaf0c
MicroWorld-eScan	Trojan.GenericKD.74209703
Rising	Malware.Obfus/MSIL@AI.98 (RDM.MSIL2:FliFX7b969mzxE1+QmX6+g)
Emsisoft	Trojan.GenericKD.74209703 (B)
F-Secure	Trojan.TR/AD.Stealc.yqazj
TrendMicro	TrojanSpy.Win32.STEALC.YXEI2Z
McAfeeD	ti!0411C3152398
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.msil
Sophos	Mal/MSIL-WA
Ikarus	Trojan-Spy.LummaStealer
FireEye	Generic.mg.48b59bd4c9219cc6
Webroot	W32.Innfostealer.Vidar
Google	Detected
Avira	TR/AD.Stealc.yqazj
Kingsoft	MSIL.Trojan-PSW.Stealerc.gen
Gridinsoft	Malware.Win32.Stealc.tr
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Trojan.GenericKD.74209703
Varist	W32/MSIL_Agent.IRB.gen!Eldorado
AhnLab-V3	Malware/Win.Generic.C5675682
McAfee	Artemis!48B59BD4C921
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.Crypt.MSIL
TrendMicro-HouseCall	TrojanSpy.Win32.STEALC.YXEI2Z
Tencent	Msil.Trojan-QQPass.QQRob.Ozfl
huorong	Trojan/MSIL.Agent.li
Fortinet	MSIL/GenKryptik.HCCC!tr
AVG	Win32:PWSX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan[stealer]:MSIL/Stealerc.gyf

66f6dac63154d_crypted.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All