Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 27, 2024, 11:44 a.m.	Oct. 27, 2024, 12:06 p.m.

Size	694.0KB
Type	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5	`1af918875c67d204941ec2c8a780e312`
SHA256	`3621c6a555e79fd6640b3073b245d4e3b225d7a73403e2529d13a82a2b228c7f`
CRC32	`2898C4BE`
ssdeep	`12288:x/uVxEZsd6Rq8sQ1M7dKHB8u4EqcJDhJzuT6p4qd7DmHrE0S48v7:x/axEadkqbEzTxnp4qdfoE0a`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE64 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

Snaffler-ruylopez.exe "C:\Users\test22\AppData\Local\Temp\Snaffler-ruylopez.exe"
1700

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 27, 2024, 11:44 a.m.	process_identifier: 1700 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000001f20000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 27, 2024, 11:44 a.m.	process_identifier: 1700 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 27, 2024, 11:44 a.m.	process_identifier: 1700 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002370000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 27, 2024, 11:44 a.m.	process_identifier: 1700 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 27, 2024, 11:44 a.m.	process_identifier: 1700 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 27, 2024, 11:44 a.m.	process_identifier: 1700 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002ef0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Oct. 27, 2024, 11:44 a.m.	process_identifier: 1700 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00080c00', u'virtual_address': u'0x00024000', u'entropy': 7.965105880061292, u'name': u'.rdata', u'virtual_size': u'0x00080a80'}

entropy

7.96510588006

description

A section with a high entropy has been found

entropy

0.743145743146

description

Overall entropy of this PE file is high

Yara rule detected in process memory (9 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1700 resumed a thread in remote process 1608
NtResumeThread Oct. 27, 2024, 11:44 a.m.	thread_handle: 0x00000000000000a0 suspend_count: 1 process_identifier: 1608	1	0	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Lionic	Trojan.Win32.Generic.4!c
Cynet	Malicious (score: 99)
Sangfor	Trojan.Win64.Agent.Vr45
CrowdStrike	win/malicious_confidence_70% (D)
BitDefender	Trojan.GenericKD.74441578
K7GW	Trojan ( 005b58991 )
K7AntiVirus	Trojan ( 005b58991 )
Arcabit	Trojan.Generic.D46FE377
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win64/Agent.DUU
APEX	Malicious
Avast	Win64:MalwareX-gen [Trj]
MicroWorld-eScan	Trojan.GenericKD.74441578
Rising	Trojan.Kryptik!8.8 (TFE:5:hzKgty1bItV)
Emsisoft	Trojan.GenericKD.74441578 (B)
F-Secure	Heuristic.HEUR/AGEN.1329661
McAfeeD	ti!3621C6A555E7
CTX	exe.trojan.agen
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Trojan.GenericKD.74441578
Google	Detected
Avira	HEUR/AGEN.1329661
Antiy-AVL	Trojan/Win64.Kryptik
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	MSIL.Riskware.Hacktool.07U0AL
McAfee	Artemis!1AF918875C67
DeepInstinct	MALICIOUS
Malwarebytes	Crypt.Trojan.MSIL.DDS
Ikarus	Trojan.Win64.Crypt
Panda	Trj/Chgt.AD
Tencent	Win32.Trojan.Agen.Edhl
Fortinet	W64/Agent.DUU!tr
AVG	Win64:MalwareX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:Win/Injector.DYD

Snaffler-ruylopez.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All