Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 14, 2024, 10:35 a.m.	Oct. 14, 2024, 10:37 a.m.

Size	822.0KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`497ea5f145901f80028099cb40f92def`
SHA256	`ad541c4b251600a52fb80d6167e2071328b4c83030914ee19646528b0570c0dd`
CRC32	`3E5E31C7`
ssdeep	`24576:joS2T15eHOOKZj9/KP+wk9EUhmO70anqqfavJ6Ui63tU+Q:ES2TftZFE+wRemO70aqq4Ti6dFQ`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) UPX_Zero - UPX packed file

Secret_Weapon.exe "C:\Users\test22\AppData\Local\Temp\Secret_Weapon.exe"
2068
cmd.exe C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
2208
chcp.com chcp 65001
2288
mode.com mode 103,5
2336

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 14, 2024, 10:35 a.m.	buffer: Active code page: 65001 console_handle: 0x0000000000000013	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.code

The executable uses a known packer (1 event)

packer

PureBasic 4.x -> Neil Hodgson

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\C29F.tmp\C2A0.tmp\C2B1.bat

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00003400', u'virtual_address': u'0x00013000', u'entropy': 7.111835561466392, u'name': u'.rdata', u'virtual_size': u'0x000033a5'}

entropy

7.11183556147

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x000b7a00', u'virtual_address': u'0x00019000', u'entropy': 7.999530614224543, u'name': u'.rsrc', u'virtual_size': u'0x000b7998'}

entropy

7.99953061422

description

A section with a high entropy has been found

entropy

0.910475030451

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\C29F.tmp\C2A0.tmp\C2B1.bat C:\Users\test22\AppData\Local\Temp\Secret_Weapon.exe"

Deletes executed files from disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\C29F.tmp
file	C:\Users\test22\AppData\Local\Temp\C29F.tmp\C2A0.tmp

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.cc
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	BAT/HackTool.Agent.CL potentially unsafe
McAfee	GenericRXWO-ZS!497EA5F14590
Rising	Hacktool.Agent/BAT!8.13765 (CLOUD)
McAfeeD	Real Protect-LS!497EA5F14590
FireEye	Generic.mg.497ea5f145901f80
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Google	Detected
Varist	W32/ABRisk.MWXI-6748
BitDefenderTheta	Gen:NN.ZexaF.36812.ZuW@a4Ydool
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan.Win32
MaxSecure	Trojan.Malware.300983.susgen
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (W)
alibabacloud	HackTool:Win/Agent.CE

Secret_Weapon.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All