Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 3, 2025, 10:03 a.m.	April 3, 2025, 10:05 a.m.

Size	14.0MB
Type	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5	`7b5f98de297dfb4e0430e04d806f641b`
SHA256	`a85112eb95fdabb423f95ec3d4dbdeee8c5b262d3ac1d6013ff1e6fc03b9f9ba`
CRC32	`7460A7CC`
ssdeep	`393216:N9zZmHIWR5xhwNNiSaJ/PGlux5Pre2LNINriLgC:NE6NN6J3GI5P5KrY`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE64 - (no description) UPX_Zero - UPX packed file

2paodhpl52.exe "C:\Users\test22\AppData\Local\Temp\2paodhpl52.exe"
2552
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 3, 2025, 10:03 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 3, 2025, 10:04 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (14 events)

file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\tk86t.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\python3.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\pythoncom312.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\tcl86t.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\pywintypes312.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\libssl-3.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\zlib1.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\vcruntime140_1.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\2paodhpl52.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\libffi-8.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\libcrypto-3.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\python312.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00dd5600', u'virtual_address': u'0x0004d000', u'entropy': 7.9990959704388365, u'name': u'.rsrc', u'virtual_size': u'0x00dd554c'}

entropy

7.99909597044

description

A section with a high entropy has been found

entropy

0.990698324999

description

Overall entropy of this PE file is high

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\onefile_2552_133881350008437500\2paodhpl52.exe

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W64.AIDetectMalware
Lionic	Trojan.Win32.Nuitka.i!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Ghanarava.17436211636f641b
Skyhigh	BehavesLike.Win64.Dropper.tc
ALYac	Application.Generic.3956140
Cylance	Unsafe
VIPRE	Application.Generic.3956140
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Application.Generic.3956140
K7GW	Trojan ( 005bddf51 )
K7AntiVirus	Trojan ( 005bddf51 )
Arcabit	Application.Generic.D3C5DAC
Symantec	Trojan Horse
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Python/Packed.Nuitka.Y suspicious
Avast	Win64:Malware-gen
Kaspersky	Trojan-PSW.Win64.Disco.kgo
Alibaba	Packed:Application/Nuitka.1d3d6582
MicroWorld-eScan	Application.Generic.3956140
Emsisoft	Application.Generic.3956140 (B)
Zillya	Trojan.Stealer.Win32.194434
CTX	exe.trojan.nuitka
Sophos	Generic Reputation PUA (PUA)
SentinelOne	Static AI - Suspicious PE
FireEye	Application.Generic.3956140
Google	Detected
Microsoft	Trojan:Win32/Sabsik.EN.A!ml
GData	Application.Generic.3956140
Varist	W64/ABApplication.BTNA-7751
McAfee	Artemis!7B5F98DE297D
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.1792549723
Ikarus	PUA.Python.Nuitka
Tencent	Win64.Trojan-QQPass.QQRob.Kflw
MaxSecure	Trojan.Malware.338148470.susgen
Fortinet	W64/Agent_AGen.D!tr
AVG	Win64:Malware-gen
Paloalto	generic.ml
alibabacloud	VirTool:Python/Packed.Nuitka.Y

2paodhpl52.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All