Summary | ZeroBOX

MR04.exe

Raccoon Stealer
Category: FILE
Machine: s1_win7_x6401
Started: March 11, 2021, 3:23 p.m.
Completed: March 11, 2021, 3:23 p.m.
Size 195.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 edf555fc092865d05d3c666e1f4d43b3
SHA256 d397561a5bb963a3bdff021676cad184c81e4ad6fee1601d15924f144fe1e73a
CRC32 F90B370A
ssdeep 3072:2nJTxAR+aCGadTJ6c6u3bdUBLhjUaXmHK5e7w2P5pN:UJL2cL3m/cso5p
Yara
  • Raccoon_Stealer_1_Zero - Raccoon Stealer
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • win_mutex - Create or check mutex
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • HasRichSignature - Rich Signature Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .xuh
section .bate
resource name VOWAGOTAX
resource name WOVISEMUVIJI
resource name YOSIBALIBINIBUREWEHO
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02d1b000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00300000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0
section .text: size_of_data 0x0001c600, virtual_address 0x00001000, virtual_size 0x0001c564, entropy 7.1503003077. Description: A section with a high entropy has been found
entropy 0.585051546392. Description: Overall entropy of this PE file is high
url https://ip4.seeip.org/
url https://q9i
url https://api.ipify.org/
  • inject_thread - Code injection with CreateRemoteThread in a remote process
  • create_service - Create a windows service
  • network_udp_sock - Communications over UDP network
  • network_tcp_listen - Listen for incoming communication
  • network_p2p_win - Communications over P2P network
  • network_http - Communications over HTTP
  • network_dropper - File downloader/dropper
  • network_ftp - Communications over FTP
  • network_tcp_socket - Communications over RAW socket
  • network_dns - Communications use DNS
  • network_dga - Communication using dga
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • cred_local - Steal credential
  • sniff_audio - Record Audio
  • migrate_apc - APC queue tasks migration
  • spreading_share - Malware can spread east-west using share drive
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_private_profile - Affect private profile
  • win_files_operation - Affect private profile
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
  • Str_Win32_Wininet_Library - Match Windows Inet API library declaration
  • Str_Win32_Internet_API - Match Windows Inet API call
  • Str_Win32_Http_API - Match Windows Http API call
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerCheck__RemoteAPI - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • DebuggerException__ConsoleCtrl - (no description)
  • DebuggerException__SetConsoleCtrl - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • Check_Dlls - (no description)
  • anti_dbg - Checks if being debugged
  • antisb_threatExpert - Anti-Sandbox checks for ThreatExpert
  • disable_dep - Bypass DEP
  • win_hook - Affect hook table
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
DrWeb Trojan.MulDrop16.14123
MicroWorld-eScan Trojan.GenericKD.36452473
FireEye Generic.mg.edf555fc092865d0
CAT-QuickHeal Trojan.Glupteba
ALYac Trojan.GenericKD.36452473
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 00578b921 )
Alibaba Trojan:Win32/Glupteba.4c845d16
K7GW Trojan ( 00578b921 )
Cybereason malicious.c09286
Arcabit Trojan.Generic.D22C3879
BitDefenderTheta Gen:NN.ZexaF.34608.myW@aKJJdDdG
Cyren W32/Zenpak.A.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:DropperX-gen [Drp]
Kaspersky HEUR:Trojan.Win32.Zenpak.gen
BitDefender Trojan.GenericKD.36452473
NANO-Antivirus Trojan.Win32.Zenpak.iodtbx
Paloalto generic.ml
Tencent Win32.Trojan.Zenpak.Apwn
Ad-Aware Trojan.GenericKD.36452473
Emsisoft Trojan.Crypt (A)
F-Secure Trojan.TR/Kryptik.aitbm
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.GLUPTEBA.USMANC521
McAfee-GW-Edition BehavesLike.Win32.Trojan.ch
Sophos Mal/Generic-R + Troj/Kryptik-TP
SentinelOne Static AI - Malicious PE
ESET-NOD32 a variant of Win32/Kryptik.HJUE
Avira TR/Kryptik.aitbm
MAX malware (ai score=88)
Antiy-AVL Trojan/Win32.Zenpak
Gridinsoft Trojan.Win32.Kryptik.vb
Microsoft Trojan:Win32/Glupteba.OX!MTB
AegisLab Trojan.Win32.Zenpak.4!c
ZoneAlarm HEUR:Trojan.Win32.Zenpak.gen
GData Trojan.GenericKD.36452473
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.RL_Generic.R370424
McAfee RDN/Generic.grp
VBA32 BScope.Trojan.Glupteba
Malwarebytes Trojan.MalPack.GS
TrendMicro-HouseCall TrojanSpy.Win32.GLUPTEBA.USMANC521
Rising Trojan.Kryptik!1.D250 (CLOUD)
Ikarus Trojan-Banker.UrSnif
MaxSecure Trojan.Malware.300983.susgen