Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 13, 2025, 3:17 p.m.	April 13, 2025, 3:25 p.m.

Size	1.3MB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`b57543cb0009ec9e7b9ed36b317f4a68`
SHA256	`2873c654425d5c041b233ee04c2252589efb9ad7f5e5a2706d8487e7d8aadcee`
CRC32	`B8E47FE1`
ssdeep	`24576:LXfINFPFU9z/46aw5vHZnWHItRf4fYRE7BHlcADadfj/EIS6CwvhYt4zju+40jup:LXfINtFU9z/46aw5vHZnWHItRf4Qy7BR`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet IsPE64 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

crypted.exe "C:\Users\test22\AppData\Local\Temp\crypted.exe"
2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
123.253.61.24	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 events)

section	.B6
section	.gxfg
section	.retplne
section	_RDATA
section	.jss

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 13, 2025, 3:10 p.m.	stacktrace: crypted+0xd3fc3 @ 0x13f483fc3 crypted+0xb144 @ 0x13f3bb144 crypted+0x1050f6 @ 0x13f4b50f6 crypted+0x6b51d @ 0x13f41b51d crypted+0x6ab45 @ 0x13f41ab45 crypted+0x6a0c5 @ 0x13f41a0c5 crypted+0x71c18 @ 0x13f421c18 crypted+0x6fc5a @ 0x13f41fc5a crypted+0x10747d @ 0x13f4b747d crypted+0xbc6ca @ 0x13f46c6ca crypted+0xbb929 @ 0x13f46b929 crypted+0x71c18 @ 0x13f421c18 crypted+0xba01d @ 0x13f46a01d crypted+0xb4563 @ 0x13f464563 crypted+0xb3149 @ 0x13f463149 crypted+0xaedff @ 0x13f45edff crypted+0xa4ae0 @ 0x13f454ae0 crypted+0x92479 @ 0x13f442479 crypted+0xc4bb7 @ 0x13f474bb7 TpPostWork+0x154 AlpcMaxAllowedMessageLength-0xcc ntdll+0x12484 @ 0x76d42484 RtlRealSuccessor+0x136 TpCallbackMayRunLong-0x65a ntdll+0x20c26 @ 0x76d50c26 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521 exception.instruction_r: 44 0f b7 01 44 2b c0 75 19 48 2b ca 66 85 c0 74 exception.symbol: crypted+0xd3fc3 exception.instruction: movzx r8d, word ptr [rcx] exception.module: crypted.exe exception.exception_code: 0xc0000005 exception.offset: 868291 exception.address: 0x13f483fc3 registers.r14: 0 registers.r15: 0 registers.rcx: 110 registers.rsi: 0 registers.r10: -72340172838076673 registers.rbx: 0 registers.rsp: 6487584 registers.r11: -9187201950435737472 registers.r8: 1 registers.r9: 3665725351 registers.rdx: 5356795416 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 75 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 13, 2025, 3:10 p.m.

stacktrace:

crypted+0xd3fc3 @ 0x13f483fc3
crypted+0xb144 @ 0x13f3bb144
crypted+0x1050f6 @ 0x13f4b50f6
crypted+0x6b51d @ 0x13f41b51d
crypted+0x6ab45 @ 0x13f41ab45
crypted+0x6a0c5 @ 0x13f41a0c5
crypted+0x71c18 @ 0x13f421c18
crypted+0x6fc5a @ 0x13f41fc5a
crypted+0x10747d @ 0x13f4b747d
crypted+0xbc6ca @ 0x13f46c6ca
crypted+0xbb929 @ 0x13f46b929
crypted+0x71c18 @ 0x13f421c18
crypted+0xba01d @ 0x13f46a01d
crypted+0xb4563 @ 0x13f464563
crypted+0xb3149 @ 0x13f463149
crypted+0xaedff @ 0x13f45edff
crypted+0xa4ae0 @ 0x13f454ae0
crypted+0x92479 @ 0x13f442479
crypted+0xc4bb7 @ 0x13f474bb7
TpPostWork+0x154 AlpcMaxAllowedMessageLength-0xcc ntdll+0x12484 @ 0x76d42484
RtlRealSuccessor+0x136 TpCallbackMayRunLong-0x65a ntdll+0x20c26 @ 0x76d50c26
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 44 0f b7 01 44 2b c0 75 19 48 2b ca 66 85 c0 74
exception.symbol: crypted+0xd3fc3
exception.instruction: movzx r8d, word ptr [rcx]
exception.module: crypted.exe
exception.exception_code: 0xc0000005
exception.offset: 868291
exception.address: 0x13f483fc3
registers.r14: 0
registers.r15: 0
registers.rcx: 110
registers.rsi: 0
registers.r10: -72340172838076673
registers.rbx: 0
registers.rsp: 6487584
registers.r11: -9187201950435737472
registers.r8: 1
registers.r9: 3665725351
registers.rdx: 5356795416
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 75
registers.r13: 0

The binary likely contains encrypted or compressed data indicative of a packer (5 events)

section

{u'size_of_data': u'0x000e8c00', u'virtual_address': u'0x00001000', u'entropy': 7.0471453183715465, u'name': u'.text', u'virtual_size': u'0x000e8b3e'}

entropy

7.04714531837

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00002600', u'virtual_address': u'0x00105000', u'entropy': 6.9604320580166394, u'name': u'.B6', u'virtual_size': u'0x0000253a'}

entropy

6.96043205802

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00022600', u'virtual_address': u'0x0010e000', u'entropy': 7.998739718848758, u'name': u'.jss', u'virtual_size': u'0x00022600'}

entropy

7.99873971885

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00022600', u'virtual_address': u'0x00131000', u'entropy': 7.998739718848758, u'name': u'.jss', u'virtual_size': u'0x00022600'}

entropy

7.99873971885

description

A section with a high entropy has been found

entropy

0.920833333333

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

123.253.61.24

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Bkav	W64.AIDetectMalware
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win64/GenKryptik.HIBD
APEX	Malicious
Avast	MalwareX-gen [Cryp]
Kaspersky	UDS:Trojan-PSW.Win32.Vidar
Rising	Trojan.ShellCodeLoader!1.12B08 (CLASSIC)
McAfeeD	ti!2873C654425D
Sophos	Troj/Krypt-AQA
Google	Detected
Antiy-AVL	GrayWare/Win32.Wacapew
Kingsoft	malware.kb.a.933
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	Troj/Krypt-AQA
DeepInstinct	MALICIOUS
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9V
AVG	MalwareX-gen [Cryp]

crypted.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All