Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 30, 2024, 11:25 a.m.	Sept. 30, 2024, 12:15 p.m.

Size	646.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`df36f65f0c16573ea07f7658c124b773`
SHA256	`e75adbb14b196a8de8081e563517327ba4a84679379da71bdd3a4f40e6161e98`
CRC32	`7454C8DA`
ssdeep	`12288:Sul6vxhxvVe4zWcYdyIBYvCnqJz44PuqgGvxYy7vaABe9BoS:SF71VT/+CaK442qgGvCy7SAI`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

AQ.exe "C:\Users\test22\AppData\Local\Temp\AQ.exe"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 30, 2024, 11:22 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	L_Faz2
section	L_xiBS

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 30, 2024, 11:22 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733e2000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x002bd05c

size

0x00000240

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000a0e00', u'virtual_address': u'0x0021c000', u'entropy': 7.9994511077830746, u'name': u'L_xiBS', u'virtual_size': u'0x000a1000'}

entropy

7.99945110778

description

A section with a high entropy has been found

entropy

0.996901626646

description

Overall entropy of this PE file is high

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.jc
ALYac	Gen:Variant.Application.Graftor.795801
Cylance	Unsafe
VIPRE	Gen:Variant.Application.Graftor.795801
Sangfor	Trojan.Win32.Agent.Vd07
CrowdStrike	win/malicious_confidence_60% (D)
BitDefender	Gen:Variant.Application.Graftor.795801
Arcabit	Trojan.Application.Graftor.DC2499
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.BlackMoon.A suspicious
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Agent.gen
MicroWorld-eScan	Gen:Variant.Application.Graftor.795801
Rising	Trojan.Agent!8.B1E (CLOUD)
Emsisoft	Application.Generic (A)
F-Secure	Heuristic.HEUR/AGEN.1342695
McAfeeD	Real Protect-LS!DF36F65F0C16
Trapmine	malicious.high.ml.score
CTX	exe.unknown.graftor
Sophos	Generic Reputation PUA (PUA)
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.df36f65f0c16573e
Google	Detected
Avira	HEUR/AGEN.1342695
Antiy-AVL	GrayWare/Win32.Wacapew
Kingsoft	malware.kb.b.963
Gridinsoft	Trojan.Heur!.03212061
Xcitium	Packed.Win32.MUPX.Gen@24tbus
Microsoft	Trojan:Win32/Wacatac.A!ml
ZoneAlarm	HEUR:Trojan.Win32.Agent.gen
GData	Gen:Variant.Application.Graftor.795801
Varist	W32/Trojan.GRW.gen!Eldorado
McAfee	Artemis!DF36F65F0C16
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Blamon
Malwarebytes	PUP.Optional.ChinAd
Ikarus	PUA.BlackMoon
Tencent	Win32.Trojan.Agent.Tsmw
MaxSecure	Dropper.Dinwod.frindll
Fortinet	W32/CoinMiner.ESFJ!tr
AVG	Win32:TrojanX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:Win/Wacapew.C9nj

AQ.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All