Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 20, 2024, 9:10 a.m.	Oct. 20, 2024, 9:47 a.m.

Size	660.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a14185fafc1a0a433752a75c0b8ce15d`
SHA256	`970fde28edb741dca6f838f55ad56fb4d614f6f7dd6beab25137f5f6535ad81c`
CRC32	`BBC0889C`
ssdeep	`12288:iBSOEvY6xJk2GcHCuXFb7pDdBaKFJKa1xZ+sOY2mDCE5ktP/wPwr9UlaE4N:ZvY6xrGciqbdjaKFJKaHZ2YZDCES/frT`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

cain2.0_win9x.exe "C:\Users\test22\AppData\Local\Temp\cain2.0_win9x.exe"
2636

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 20, 2024, 9:10 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 20, 2024, 9:10 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 20, 2024, 9:10 a.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:10 a.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73341000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:10 a.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73304000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:10 a.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:10 a.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10021000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:10 a.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75511000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2024, 9:10 a.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02834000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\GL_F3F5.EXE

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Lionic	Riskware.Win32.Cain.1!c
Cynet	Malicious (score: 99)
Skyhigh	Generic PUP.g
ALYac	Misc.HackTool.CainAbel
Cylance	Unsafe
VIPRE	Application.Pwcrack.Cain.GQ
BitDefender	Application.Pwcrack.Cain.GQ
K7GW	Riskware ( 0040eff71 )
K7AntiVirus	Riskware ( 0040eff71 )
Arcabit	Application.Pwcrack.Cain.GQ
VirIT	PSWTool.Win32.Cain.a. Nessuna a
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/CainAbel.AC potentially unsafe
Avast	Win32:PUP-gen [PUP]
Kaspersky	not-a-virus:PSWTool.Win32.Cain.20
NANO-Antivirus	Riskware.Win32.Cain.hrrt
MicroWorld-eScan	Application.Pwcrack.Cain.GQ
Rising	Trojan.Generic (CLOUD)
Emsisoft	Application.Pwcrack.Cain.GQ (B)
F-Secure	Backdoor.BDS/Cain.2.0
DrWeb	Trojan.Cain
TrendMicro	TROJ_SPNR.03J313
McAfeeD	ti!970FDE28EDB7
CTX	exe.trojan.cain
Sophos	Troj/Cain-20
FireEye	Application.Pwcrack.Cain.GQ
Jiangmin	PSWTool.Cain.c
Webroot	W32.Hack.Tool
Google	Detected
Avira	BDS/Cain.2.0
Kingsoft	Win32.PSWTroj.Undef.a
Xcitium	Malware@#1r0rynemlcwd0
Microsoft	HackTool:Win32/Cain
ViRobot	PSWTool.Cain.676652.A
ZoneAlarm	not-a-virus:PSWTool.Win32.Cain.20
GData	Application.Pwcrack.Cain.GQ
Varist	W32/Tool.PSCW-7516
McAfee	Generic PUP.g
TACHYON	Abuse-Worry/W32.Cain.676652
DeepInstinct	MALICIOUS
Malwarebytes	HackTool.Cain
Ikarus	PSWTool.Cain
TrendMicro-HouseCall	TROJ_SPNR.03J313
Tencent	Malware.Win32.Gencirc.10bf05a4
Yandex	Riskware.PSWTool!i0zephSGxB8
MaxSecure	Trojan.Malware.1328860.susgen
AVG	Win32:PUP-gen [PUP]
alibabacloud	Trojan[stealer]:Win/Cain.GR

cain2.0_win9x.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All