Summary | ZeroBOX

A240084721.exe

Tags UPX, PE32, PE File

Category FILE
Machine s1_win7_x6401
Started Sept. 30, 2024, 11:25 a.m.
Completed Sept. 30, 2024, 11:53 a.m.
Size 1.0MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a683a263949c7443317f3dffacf4cb94
SHA256 29773d46780b62c359f71fcacf0dc38a17828b411572f203082a426cffeba0b2
CRC32 AA32B9AA
ssdeep 24576:i4Zxqy4TVxdlhXZhlKuTTAFt/bqNd3ragFcB3J:imd4Zxdlh/EJH/m3rd+L
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Hosts (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP Addresses (IP Address / Status / Action)
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API Calls (Time & API / Arguments / Status / Return / Repeated)

GlobalMemoryStatusEx
Status 1
Return 1
Repeated 0
section L_hhYd
section L_E0sM
NtProtectVirtualMemory
process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73452000
process_handle: 0xffffffff
Status 1
Return 0
Repeated 0
Resource: name RT_VERSION, language LANG_CHINESE, filetype data, sublanguage SUBLANG_CHINESE_SIMPLIFIED, offset 0x003d705c, size 0x00000240
Section L_E0sM: size_of_data 0x00101a00, virtual_address 0x002d5000, virtual_size 0x00102000, entropy 7.999678195381775; description: A section with a high entropy has been found
Overall entropy 0.998062953995; description: Overall entropy of this PE file is high
Antivirus Results (Vendor / Detection)

Bkav W32.AIDetectMalware
Lionic Trojan.Win32.BlackMoon.4!c
Cynet Malicious (score: 100)
ALYac Gen:Variant.Application.Graftor.795801
Cylance Unsafe
VIPRE Gen:Variant.Application.Graftor.795801
Sangfor Trojan.Win32.Blackmoon.Vuev
CrowdStrike win/malicious_confidence_70% (D)
BitDefender Gen:Variant.Application.Graftor.795801
K7GW Trojan ( 005930da1 )
K7AntiVirus Trojan ( 005930da1 )
Arcabit Trojan.Application.Graftor.DC2499
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Packed.BlackMoon.A suspicious
APEX Malicious
Avast Win32:Agent-BCLE [Trj]
Kaspersky HEUR:Trojan.Win32.Agent.gen
Alibaba Trojan:Win32/BlackMoon.4b3362b4
MicroWorld-eScan Gen:Variant.Application.Graftor.795801
Rising Trojan.Agent!8.B1E (CLOUD)
Emsisoft Application.Generic (A)
F-Secure Heuristic.HEUR/AGEN.1342695
DrWeb Tool.Inject.78
TrendMicro TrojanSpy.Win32.BLACKMOON.YXEI2Z
McAfeeD Real Protect-LS!A683A263949C
Trapmine malicious.high.ml.score
CTX exe.trojan.blackmoon
Sophos Generic Reputation PUA (PUA)
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.a683a263949c7443
Google Detected
Avira HEUR/AGEN.1342695
Antiy-AVL Trojan/Win32.CobaltStrike.a
Kingsoft Win32.HeurC.KVMH008.a
Gridinsoft Trojan.Win32.BlackMoon.tr
Xcitium Packed.Win32.MUPX.Gen@24tbus
Microsoft Trojan:Win32/CryptInject!rfn
ZoneAlarm HEUR:Trojan.Win32.Agent.gen
GData Gen:Variant.Application.Graftor.795801
Varist W32/Trojan.GRW.gen!Eldorado
McAfee Artemis!A683A263949C
DeepInstinct MALICIOUS
VBA32 BScope.Trojan.Blamon
Malwarebytes PUP.Optional.ChinAd
Ikarus PUA.BlackMoon
TrendMicro-HouseCall TrojanSpy.Win32.BLACKMOON.YXEI2Z
Tencent HackTool.Win64.KernelDrUtil.16000463
MaxSecure Dropper.Dinwod.frindll
Fortinet W32/CoinMiner.ESFJ!tr