Summary | ZeroBOX

random.exe

Emotet Gen1 Generic Malware Malicious Library Antivirus UPX Malicious Packer Admin Tool (Sysinternals etc ...) Anti_VM PE File OS Processor Check PE32 DLL
Category FILE
Machine s1_win7_x6401
Started Oct. 26, 2024, 11:09 a.m.
Completed Oct. 26, 2024, 11:13 a.m.
Size 2.0MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 17f5a1ae03a0ff4eb038527de02e8860
SHA256 6a8f94da45c0b3b791bbfb71b2e9a7cc6bd5dd777da0655ebc3137ad4070c72f
CRC32 A572CFB8
ssdeep 49152:VIfX6Rm0EkHbG+tw6NbHHBp7k5hhelN6YawnqzKwgVRD:VI/PYwYt5ShAiYawvw2
PDB Path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
geo.netsupportsoftware.com 104.26.1.231
IP Address Status Action
164.124.101.2 Active Moloch
185.215.113.67 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
pdb_path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
section .gfids
resource name PNG
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d62000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x733a2000
process_handle: 0xffffffff
1 0 0
description bild.exe tried to sleep 253 seconds, actually delayed analysis time by 253 seconds
file C:\Users\Public\Pictures\pcicapi.dll
file C:\Users\Public\Pictures\HTCTL32.DLL
file C:\Users\Public\Pictures\msvcr100.dll
file C:\Users\Public\Pictures\PCICHEK.DLL
file C:\Users\Public\Pictures\PCICL32.DLL
file C:\Users\Public\Pictures\remcmdstub.exe
file C:\Users\Public\Pictures\TCCTL32.DLL
file C:\Users\Public\Pictures\bild.exe
Time & API Arguments Status Return Repeated

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: client32.ini
filepath: C:\Users\Public\Pictures\client32.ini
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: HTCTL32.DLL
filepath: C:\Users\Public\Pictures\HTCTL32.DLL
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: msvcr100.dll
filepath: C:\Users\Public\Pictures\msvcr100.dll
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: nskbfltr.inf
filepath: C:\Users\Public\Pictures\nskbfltr.inf
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: NSM.LIC
filepath: C:\Users\Public\Pictures\NSM.LIC
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: pcicapi.dll
filepath: C:\Users\Public\Pictures\pcicapi.dll
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: PCICHEK.DLL
filepath: C:\Users\Public\Pictures\PCICHEK.DLL
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: PCICL32.DLL
filepath: C:\Users\Public\Pictures\PCICL32.DLL
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: remcmdstub.exe
filepath: C:\Users\Public\Pictures\remcmdstub.exe
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: TCCTL32.DLL
filepath: C:\Users\Public\Pictures\TCCTL32.DLL
1 1 0
file C:\Users\Public\Pictures\bild.exe
wmi SELECT * FROM Win32_SystemEnclosure
wmi SELECT * FROM Win32_ComputerSystem
section .rsrc: size_of_data 0x0000e200, virtual_address 0x0005d000, virtual_size 0x0000e034, entropy 6.802287495720708
description A section with a high entropy has been found
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0
Time & API Arguments Status Return Repeated

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3F709462-4AD7-482F-8761-C6ED6AD145A1}
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3F709462-4AD7-482F-8761-C6ED6AD145A1}
2 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C412F191-BB15-4e40-9CCC-97E571D2C6BF}
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C412F191-BB15-4e40-9CCC-97E571D2C6BF}
2 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF}
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF}
2 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF}
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{787DFE02-CC6C-4AAC-B455-166BBEE4C5AF}
2 0
wmi SELECT * FROM Win32_ComputerSystem
host 185.215.113.67
dead_host 185.215.113.67:443
Bkav W32.AIDetectMalware
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Generic.vc
ALYac Application.RemoteAdmin.NetSupport.A
Cylance Unsafe
VIPRE Application.RemoteAdmin.NetSupport.A
BitDefender Application.RemoteAdmin.NetSupport.A
K7GW Unwanted-Program ( 005b7e0c1 )
K7AntiVirus Unwanted-Program ( 005b7e0c1 )
Arcabit Application.RemoteAdmin.NetSupport.A
VirIT Backdoor.Win32.RMS.FX
Elastic malicious (moderate confidence)
ESET-NOD32 multiple detections
APEX Malicious
ClamAV Win.Trojan.DarkKomet-10027799-0
Kaspersky not-a-virus:RemoteAdmin.Win32.NetSup.i
MicroWorld-eScan Application.RemoteAdmin.NetSupport.A
Rising Hacktool.NetSup!8.13A97 (CLOUD)
Emsisoft Application.RemoteAdmin.NetSupport.A (B)
F-Secure Trojan:W32/RARSfx.B
DrWeb BackDoor.RMS.153
CTX exe.remote-access-trojan.netsupport
Sophos Generic ML PUA (PUA)
FireEye Generic.mg.17f5a1ae03a0ff4e
Antiy-AVL RiskWare[RemoteAdmin]/Win32.NetSup
Kingsoft malware.kb.a.922
Gridinsoft Risk.Win32.Gen.cl
Xcitium ApplicUnwnt@#3tkoudphjgdqt
Microsoft Trojan:Win32/Caynamer.A!ml
ZoneAlarm not-a-virus:RemoteAdmin.Win32.NetSup.i
GData Application.RemoteAdmin.NetSupport.A
Varist W32/S-8ed38c1a!Eldorado
DeepInstinct MALICIOUS
VBA32 Trojan.Tiggre
Malwarebytes RiskWare.NetSupport.RAT
Ikarus PUA.Monitortool
Yandex Riskware.RemoteAdmin!myez5VmqQPE
huorong Trojan/NetSupportManager.a
Fortinet Riskware/NetSup