Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 11, 2024, 9:59 a.m.	Nov. 11, 2024, 10:02 a.m.

Size	112.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`48bc0b9203e4c5e02697426be45ae63a`
SHA256	`b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981`
CRC32	`37AA34B6`
ssdeep	`3072:y1+vLKqeAvUC1150iYraxmDtbP59P3KnzJ0qFp1x5q44YXv/wpiQso5/xxDk:y1DY/wpiQso5/xxA`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

sg.exe "C:\Users\test22\AppData\Local\Temp\sg.exe"
2580

Name	Response	Post-Analysis Lookup
safe.ywxww.net		60.191.236.246

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636260 registers.edi: 6315400 registers.eax: 1636260 registers.ebp: 1636340 registers.edx: 0 registers.ebx: 6315400 registers.esi: 6315400 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635972 registers.edi: 6315400 registers.eax: 1635972 registers.ebp: 1636052 registers.edx: 0 registers.ebx: 6315400 registers.esi: 6315400 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635988 registers.edi: 6315400 registers.eax: 1635988 registers.ebp: 1636068 registers.edx: 0 registers.ebx: 6315400 registers.esi: 6315400 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635988 registers.edi: 6315400 registers.eax: 1635988 registers.ebp: 1636068 registers.edx: 0 registers.ebx: 6315400 registers.esi: 6315400 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635988 registers.edi: 6315400 registers.eax: 1635988 registers.ebp: 1636068 registers.edx: 0 registers.ebx: 6315400 registers.esi: 6315400 registers.ecx: 2	1
__exception__ Nov. 11, 2024, 9:59 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1635988 registers.edi: 6315400 registers.eax: 1635988 registers.ebp: 1636068 registers.edx: 0 registers.ebx: 6315400 registers.esi: 6315400 registers.ecx: 2	1

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (3 events)

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001f3c8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001f3c8

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001f150

size

0x00000264

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 11, 2024, 9:59 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00320000 process_handle: 0xffffffff	1	0	0

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.Common.3B4BCA8C
Lionic	Trojan.Win32.Redcap.4!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Agent
Skyhigh	BehavesLike.Win32.Infected.cm
McAfee	Artemis!48BC0B9203E4
Cylance	Unsafe
VIPRE	Trojan.GenericKD.74630897
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.74630897
Arcabit	Trojan.Generic.D472C6F1
VirIT	Trojan.Win32.VBGenus.FZC
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:Malware-gen
Kaspersky	Trojan.Win32.Agent.xabcvr
Alibaba	TrojanDownloader:Win32/Redcap.7e31b189
NANO-Antivirus	Trojan.Win32.Dwn.fxfrnd
MicroWorld-eScan	Trojan.GenericKD.74630897
Rising	Downloader.Generic!8.141 (CLOUD)
Emsisoft	Trojan.GenericKD.74630897 (B)
F-Secure	Trojan.TR/Redcap.dqzcq
DrWeb	Trojan.DownLoader29.40575
Zillya	Downloader.Generic.Win32.8270
TrendMicro	TROJ_GEN.R06EC0RK324
McAfeeD	ti!B0CBF6B1C6E6
CTX	exe.trojan.redcap
Sophos	Mal/Generic-S
FireEye	Trojan.GenericKD.74630897
Jiangmin	TrojanDownloader.Generic.bdhh
Google	Detected
Avira	TR/Redcap.dqzcq
Antiy-AVL	Trojan/Win32.Fuerboos
Kingsoft	malware.kb.a.960
Microsoft	Trojan:Win32/Znyonm
ViRobot	Trojan.Win.Z.Bulz.114688.B
ZoneAlarm	Trojan.Win32.Agent.xabcvr
GData	Trojan.GenericKD.74630897
Varist	W32/ABApplication.UDPT-6682
AhnLab-V3	Trojan/Win32.Tiggre.C3452069
VBA32	Trojan.Agent
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Panda	Trj/GdSda.A
TrendMicro-HouseCall	TROJ_GEN.R06EC0RK324
Tencent	Win32.Trojan.Agent.Yolw
huorong	HEUR:Trojan/VBCode.a
MaxSecure	Trojan.Malware.1728101.susgen
Fortinet	W32/Dloader.X!tr
AVG	Win32:Malware-gen

sg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All