Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 24, 2024, 10:03 a.m.	Oct. 24, 2024, 10:05 a.m.

Size	8.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2d7b09cd5f12fb6a3fc07e269a639051`
SHA256	`ccc9f3d84c2251de94f54d03c62257b21ec7eeef29c16931fae4e06ef367c3fe`
CRC32	`E532084B`
ssdeep	`196608:uRUxISBSxiw0pACjs/V7Uu8qGZRErzqCBa/8bJ225iStHg3:uuhBZyVP8PZREr7azIFt2`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature ftp_command - ftp command VMProtect_Zero - VMProtect packed file IsPE32 - (no description) UPX_Zero - UPX packed file

LDvar.exe "C:\Users\test22\AppData\Local\Temp\LDvar.exe"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
154.44.26.68	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.vmp0
section	.vmp1

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 24, 2024, 10:03 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01820000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2024, 10:03 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01830000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2024, 10:03 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2024, 10:03 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01850000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2024, 10:03 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01860000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2024, 10:03 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01870000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 24, 2024, 10:03 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01980000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 24, 2024, 10:03 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d2000 process_handle: 0xffffffff	1

Foreign language identified in PE resource (3 events)

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x014146a4

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x014146a4

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x014146a4

size

0x00000014

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0086c000', u'virtual_address': u'0x00ba7000', u'entropy': 7.980894484496127, u'name': u'.vmp1', u'virtual_size': u'0x0086bd10'}

entropy

7.9808944845

description

A section with a high entropy has been found

entropy

0.999073215941

description

Overall entropy of this PE file is high

The executable is likely packed with VMProtect (2 events)

section	.vmp0				description	Section name indicates VMProtect
section	.vmp1				description	Section name indicates VMProtect

Communicates with host for which no DNS query was performed (1 event)

host

154.44.26.68

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

154.44.26.68:80

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
ALYac	Gen:Variant.Strictor.292817
Cylance	Unsafe
VIPRE	Gen:Variant.Strictor.292817
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_70% (D)
BitDefender	Gen:Variant.Strictor.292817
K7GW	Adware ( 0057c5791 )
K7AntiVirus	Adware ( 0057c5791 )
Arcabit	Trojan.Strictor.D477D1
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/FlyStudio.Packed.AO potentially unwanted
APEX	Malicious
Kaspersky	not-a-virus:VHO:RiskTool.Win32.Convagent.gen
MicroWorld-eScan	Gen:Variant.Strictor.292817
Emsisoft	Gen:Variant.Strictor.292817 (B)
McAfeeD	Real Protect-LS!2D7B09CD5F12
Trapmine	suspicious.low.ml.score
CTX	exe.unknown.strictor
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.2d7b09cd5f12fb6a
Google	Detected
Kingsoft	malware.kb.b.862
Xcitium	TrojWare.Win32.Agent.ISVQ@5mbonp
Microsoft	Program:Win32/Wacapew.C!ml
ZoneAlarm	not-a-virus:VHO:RiskTool.Win32.Convagent.gen
GData	Gen:Variant.Strictor.292817
Varist	W32/FlyStudio.W.gen!Eldorado
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.2969918925
Ikarus	Trojan.Win32.Krypt
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/GenKryptik.DLII!tr

LDvar.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All