Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 4, 2025, 9:51 a.m.	April 4, 2025, 9:57 a.m.

Size	3.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5b61fae91f37fdfd32ff77482ae052de`
SHA256	`08bd79b8333434a9f742c9e686f1586712bc5c16b306b029b1bb35d6ac06a41e`
CRC32	`6D7727B3`
ssdeep	`49152:8BtYGfDXn9BbTm1Sgc33QkkUWr4ysJtWFcMESQw1jetufbP49GDt7AXQ2sFC5fmn:KYYVJQklcRMKje+A9Yt8A2sSm82`
PDB Path	C:\Users\ilyaz\Desktop\Ð¢ÐÐÐ Ð¡Ð¢ÐÐ ÐÐ ÐÐÐÐÐÐÐ Ð£Ð ÐÐ\main\Release\main.pdb
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

v1.exe "C:\Users\test22\AppData\Local\Temp\v1.exe"
1932
- exeD4DF.tmp "C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp"
  2144
- exeD4DF.tmp "C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp"
  2232
- exeD4DF.tmp "C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp"
  2528
- exeD4DF.tmp "C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp"
  2576
- exeD4DF.tmp "C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp"
  2628

Name	Response	Post-Analysis Lookup
xabanak.ru	A 185.100.157.137	185.100.157.137

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.100.157.137	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 4, 2025, 9:51 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\Users\ilyaz\Desktop\Ð¢ÐÐÐ Ð¡Ð¢ÐÐ ÐÐ ÐÐÐÐÐÐÐ Ð£Ð ÐÐ\main\Release\main.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.fptable

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 4, 2025, 9:51 a.m.	stacktrace: v1+0x2905 @ 0x2d2905 v1+0x6d68 @ 0x2d6d68 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ed 81 f9 68 58 4d 56 0f 94 45 e7 eb 0d b8 01 00 exception.symbol: v1+0x20ec exception.instruction: in eax, dx exception.module: v1.exe exception.exception_code: 0xc0000096 exception.offset: 8428 exception.address: 0x2d20ec registers.esp: 8186396 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 8186440 registers.edx: 22104 registers.ebx: 2130567168 registers.esi: 1 registers.ecx: 10	1	0	0

Performs some HTTP requests (1 event)

request

GET http://xabanak.ru/cl1/hick.txt

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

xabanak.ru

description

Russian Federation domain TLD

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW April 4, 2025, 9:51 a.m.	thread_identifier: 2148 thread_handle: 0x000002e0 process_identifier: 2144 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000002e4	1	1
CreateProcessInternalW April 4, 2025, 9:51 a.m.	thread_identifier: 2236 thread_handle: 0x000002e0 process_identifier: 2232 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000002e4	1	1
CreateProcessInternalW April 4, 2025, 9:51 a.m.	thread_identifier: 2532 thread_handle: 0x000002e0 process_identifier: 2528 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000002e4	1	1
CreateProcessInternalW April 4, 2025, 9:51 a.m.	thread_identifier: 2580 thread_handle: 0x000002e0 process_identifier: 2576 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000002e4	1	1
CreateProcessInternalW April 4, 2025, 9:51 a.m.	thread_identifier: 2632 thread_handle: 0x000002e0 process_identifier: 2628 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\exeD4DF.tmp stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000002e4	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00320a00', u'virtual_address': u'0x00032000', u'entropy': 7.999833408726343, u'name': u'.data', u'virtual_size': u'0x00321794'}

entropy

7.99983340873

description

A section with a high entropy has been found

entropy

0.940943146761

description

Overall entropy of this PE file is high

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 4, 2025, 9:51 a.m.	stacktrace: v1+0x2905 @ 0x2d2905 v1+0x6d68 @ 0x2d6d68 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ed 81 f9 68 58 4d 56 0f 94 45 e7 eb 0d b8 01 00 exception.symbol: v1+0x20ec exception.instruction: in eax, dx exception.module: v1.exe exception.exception_code: 0xc0000096 exception.offset: 8428 exception.address: 0x2d20ec registers.esp: 8186396 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 8186440 registers.edx: 22104 registers.ebx: 2130567168 registers.esi: 1 registers.ecx: 10	1	0	0

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Fsysna.4!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Fsysna
Skyhigh	Artemis!Trojan
ALYac	Gen:Variant.Lazy.672302
Cylance	Unsafe
VIPRE	Gen:Variant.Lazy.672302
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Lazy.672302
K7GW	Trojan ( 005c46881 )
K7AntiVirus	Trojan ( 005c46881 )
Arcabit	Trojan.Lazy.DA422E
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/Agent.AHGU
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Fsysna.gen
MicroWorld-eScan	Gen:Variant.Lazy.672302
Rising	Trojan.Fsysna!8.5F2 (CLOUD)
Emsisoft	Gen:Variant.Lazy.672302 (B)
F-Secure	Trojan.TR/AVI.Agent.zcthx
DrWeb	BackDoor.DarkCrystal.390
Trapmine	malicious.high.ml.score
CTX	exe.trojan.fsysna
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.5b61fae91f37fdfd
Google	Detected
Avira	TR/AVI.Agent.zcthx
Antiy-AVL	GrayWare/Win32.Wacapew
Gridinsoft	Malware.Win32.Gen.tr
Microsoft	Trojan:Win32/Wacatac.B!ml
GData	Gen:Variant.Lazy.672302
Varist	W32/ABApplication.GSJC-1689
AhnLab-V3	Trojan/Win.Wacapew.C5747119
McAfee	Artemis!5B61FAE91F37
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Fsysna
Ikarus	Trojan.Win32.Agent
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9V
Tencent	Malware.Win32.Gencirc.145fa334
MaxSecure	Trojan.Malware.7164915.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:Win/Wacapew.C9nj

v1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All