Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 2, 2025, 10:02 a.m.	April 2, 2025, 10:04 a.m.

Size	826.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`57bcb61167abd03d9d98705ab39e79ab`
SHA256	`7c321f8a0d6c357d3406afb96408968d107c81f8282e2353ea4cebed67432f88`
CRC32	`40251632`
ssdeep	`24576:BAzEBC+2X2jofsfO1AVPul+3Dhs2ccmsh:BAz+J2mMfd1LDlRsh`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

invoice.exe "C:\Users\test22\AppData\Local\Temp\invoice.exe"
1648

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
176.65.142.252	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 2, 2025, 10:02 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.Dota

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 2, 2025, 10:02 a.m.	process_identifier: 1648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 2, 2025, 10:02 a.m.	process_identifier: 1648 region_size: 409600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW April 2, 2025, 10:02 a.m.	snapshot_handle: 0x00000060 process_name: wsqmcons.exe process_identifier: 912	1	1
Process32NextW April 2, 2025, 10:02 a.m.	snapshot_handle: 0x00000060 process_name: sdclt.exe process_identifier: 508	1	1
Process32NextW April 2, 2025, 10:02 a.m.	snapshot_handle: 0x00000060 process_name: SearchProtocolHost.exe process_identifier: 1708	1	1
Process32NextW April 2, 2025, 10:02 a.m.	snapshot_handle: 0x00000060 process_name: invoice.exe process_identifier: 1648	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0005a600', u'virtual_address': u'0x0006a000', u'entropy': 7.999214056877974, u'name': u'.data', u'virtual_size': u'0x0005ae00'}

entropy

7.99921405688

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00008400', u'virtual_address': u'0x000ca000', u'entropy': 6.837145678856392, u'name': u'.reloc', u'virtual_size': u'0x0000831c'}

entropy

6.83714567886

description

A section with a high entropy has been found

entropy

0.478181818182

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

176.65.142.252

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
ALYac	Gen:Variant.Lazy.672490
Cylance	Unsafe
VIPRE	Gen:Variant.Lazy.672490
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Gen:Variant.Lazy.672490
Arcabit	Trojan.Lazy.DA42EA
VirIT	Trojan.Win32.GenHeur.C
Symantec	Scr.MalPbs!gen2
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/GenKryptik.HHUD
APEX	Malicious
MicroWorld-eScan	Gen:Variant.Lazy.672490
Rising	Trojan.Kryptik@AI.88 (RDML:i3iOxKzU69W1htAsnVUIVg)
Emsisoft	Gen:Variant.Lazy.672490 (B)
Trapmine	malicious.high.ml.score
CTX	exe.unknown.lazy
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.57bcb61167abd03d
GData	Gen:Variant.Lazy.672490
DeepInstinct	MALICIOUS
Tencent	Win32.Trojan.Genkryptik.Ztjl
huorong	HVM:VirTool/Obfuscator.gen!A

invoice.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All