Summary | ZeroBOX

2qv26zF.exe

Tags: Generic Malware, Malicious Library, UPX, PE64, PE File, OS Processor Check
Category FILE
Machine s1_win7_x6403_us
Started March 8, 2025, 12:08 p.m.
Completed March 8, 2025, 12:46 p.m.
Size 879.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 903eb4bcb7f7479a651a0813e69ffad9
SHA256 ca418ccff111b4ce22e4d4c67669ecb8fa3e03d6113d6ff21f3e580bbc994c0d
CRC32 047290BB
ssdeep 12288:Gg4sLVk2xowPof5wfQyMRgiKXiMLX2jU3ced0RfZUZhSocM6R4C+eN1v4lGb:k6xow4NyMR3ALX2jrfZ1o23+S
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .gfids
resource name SEVEN7777
Time & API Arguments Status Return Repeated

__exception__

exception.instruction_r: 81 3b 67 67 00 00 75 0e f6 43 2c c0 75 08 33 ff
exception.symbol: OpenPrinterW+0x530 OpenPrinter2W-0x118 winspool+0x2f524
exception.instruction: cmp dword ptr [rbx], 0x6767
exception.module: WINSPOOL.DRV
exception.exception_code: 0xc0000005
exception.offset: 193828
exception.address: 0x7fefb96f524
registers.r14: 0
registers.r15: 0
registers.rcx: 48
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1440576
registers.r11: 514
registers.r8: 1436952
registers.r9: 1437008
registers.rdx: 8796092879440
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
Status 1 Return 0 Repeated 0
section .rsrc virtual_address 0x0001e000 virtual_size 0x000c0890 size_of_data 0x000c0a00 entropy 7.713300125697534 description A section with a high entropy has been found
entropy 0.877562642369 description Overall entropy of this PE file is high
Bkav W64.AIDetectMalware
Skyhigh Artemis!Trojan
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (D)
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast FileRepMalware [Misc]
Kaspersky UDS:DangerousObject.Multi.Generic
TrendMicro Trojan.Win64.AMADEY.YXFCHZ
McAfeeD ti!CA418CCFF111
Sophos ML/PE-A
FireEye Generic.mg.903eb4bcb7f7479a
Microsoft Trojan:Win32/Sonbokli.A!cl
McAfee Artemis!903EB4BCB7F7
DeepInstinct MALICIOUS
AVG FileRepMalware [Misc]