Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 9, 2021, 10:56 a.m.	March 9, 2021, 10:56 a.m.

Size	402.8KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`315138347a5c976c27a0231460126963`
SHA256	`2c7dd7200563c99dd49f9a862bf9515e38dde993a4a5dbba7408914aa03ebc73`
CRC32	`73F2BE55`
ssdeep	`12288:ldqNLhOsl/SbysAp2A6i37cu9p9FYYwn3Hhl8Ar:AhBSbyPp2Apwu9pvpwn3HAAr`
Yara	IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDigitalSignature - DigitalSignature Check HasRichSignature - Rich Signature Check win_files_operation - Affect private profile PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero

b.exe "C:\Users\test22\AppData\Local\Temp\b.exe"
6240

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 9, 2021, 10:56 a.m.	process_identifier: 6240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 331776 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0030a000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 9, 2021, 10:56 a.m.	process_identifier: 6240 region_size: 598016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x030d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0005ba00', u'virtual_address': u'0x00001000', u'entropy': 7.959844998031165, u'name': u'.text', u'virtual_size': u'0x0005b9b2'}

entropy

7.95984499803

description

A section with a high entropy has been found

entropy

0.931385006353

description

Overall entropy of this PE file is high

Yara rule detected in process memory (41 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.72859
McAfee	Packed-GDK!315138347A5C
Malwarebytes	Trojan.MalPack.GS
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:Win32/Poshefus.aa390356
Cybereason	malicious.47a5c9
Cyren	W32/Kryptik.DEX.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Packed.Tofsee-9830352-0
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKDZ.72859
Avast	Win32:BotX-gen [Trj]
Ad-Aware	Trojan.GenericKDZ.72859
Emsisoft	MalCert.A (A)
DrWeb	Trojan.Siggen11.63001
McAfee-GW-Edition	Packed-GDK!315138347A5C
FireEye	Generic.mg.315138347a5c976c
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
GData	Trojan.GenericKDZ.72859
Arcabit	Trojan.Generic.D11C9B
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/Poshefus.STA
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Kryptik.R365434
ALYac	Trojan.GenericKDZ.72859
MAX	malware (ai score=81)
Cylance	Unsafe
ESET-NOD32	a variant of Win32/Kryptik.HJGZ
Rising	Trojan.Kryptik!1.D250 (CLOUD)
Ikarus	Win32.Outbreak
Fortinet	W32/Kryptik.HJDH!tr
AVG	Win32:BotX-gen [Trj]
CrowdStrike	win/malicious_confidence_80% (W)
Qihoo-360	Win32/Trojan.Generic.HgIASQYA

b.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All