Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
04.17 10:04
RE_09JUKS74392048_pdf.wsf
04.17 10:04
system.exe
04.17 10:04
RE_09JUKS74392048_pdf.wsf
04.17 10:04
ken.wsh
04.17 10:04
kimsuky_xls.lnk
04.17 10:04
RE_007394029384393483....
04.17 12:04
getif-2.3.1.zip
04.17 12:04
_user1.cab
04.17 12:04
_sys1.cab
04.17 12:04
_ISDEL.EXE

Latest News
04.17 07:04
Chinese Hacker Group M...
04.17 07:04
Neuralink Rival Gets F...
04.17 07:04
Critical Erlang/OTP SS...
04.17 07:04
Node.js Malware Campai...
04.17 06:04
Netflix Defies Big Tec...
04.17 06:04
Why Comprehensive Cybe...
04.17 06:04
KQR, 코엑스 IFS 박람회서 ‘앱카드...
04.17 06:04
IT Sicherheitsnews tae...
04.17 06:04
Gezielte Angriffe auf ...
04.17 06:04
Nvidia CEO Visits Beij...

Summary | ZeroBOX

boost.exe

Generic Malware Malicious Library UPX PE64 PE File OS Processor Check

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 30, 2024, 1:54 p.m.	Dec. 30, 2024, 2:04 p.m.

Size	20.1MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`3afbec336ce14a69efb9524e4228fa0b`
SHA256	`25518b8a4c2c6e3bfe59848b7399a1d14a199046a92f8f46c32152e06210b34c`
CRC32	`1CBEAD0A`
ssdeep	`393216:yTZtsW33O3g6JZ0GhSnUwBqLi7PbY0opB5/YC1T20Zzr8EreYl94SJ4:yTZm6jARzwGeU0olQmTHwEreYY+4`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE64 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

boost.exe "C:\Users\test22\AppData\Local\Temp\boost.exe"
2640

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 30, 2024, 1:47 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.didat
section	_RDATA

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 30, 2024, 1:47 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1	0	0

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Cylance	Unsafe
APEX	Malicious
McAfeeD	ti!25518B8A4C2C
Microsoft	Trojan:Win32/Casdet!rfn

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 30, 2024, 1:47 p.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff90000 process_handle: 0xffffffffffffffff	1	0	0