Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 17, 2021, 11 p.m.	March 17, 2021, 11:02 p.m.

Size	509.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`d4827f2bb4c0446d1bba5df00c2436b8`
SHA256	`235e42b187151383ebb91cb85af8500f19e18906bf57917fcf9e0da7004c86ff`
CRC32	`6F0E718E`
ssdeep	`12288:abmDTkUymtqTNbr2piRpjhV5gJtO+PbBJgSIg:aaDTMmtg1rBQ4+PcSV`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasRichSignature - Rich Signature Check UPX_Zero - UPX packed file

6e7_2021-01-19_18-04.txt "C:\Users\test22\AppData\Local\Temp\6e7_2021-01-19_18-04.txt"
996

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
81.177.139.41	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The file contains an unknown PE resource name possibly indicative of a packer (3 events)

resource name	HIXACOBAHIZEFINEMATITOXUZIFAJO
resource name	YOYUZIFUZICAXAYOGADAR
resource name	None

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 996 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 327680 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0470a000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory March 17, 2021, 10:57 p.m.	process_identifier: 996 region_size: 598016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (29 events)

name

HIXACOBAHIZEFINEMATITOXUZIFAJO

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04221c90

size

0x00000dbd

name

YOYUZIFUZICAXAYOGADAR

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04221810

size

0x0000047d

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04220750

size

0x000010a8

name

RT_DIALOG

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04222cc8

size

0x000000cc

name

RT_STRING

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04222d98

size

0x000002b0

name

RT_ACCELERATOR

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04222a50

size

0x000000b0

name

RT_GROUP_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x042217f8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x042217f8

size

0x00000014

name

RT_GROUP_ICON

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x042217f8

size

0x00000014

name

RT_VERSION

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04232f3c

size

0x00000198

name

None

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04222b20

size

0x0000000a

name

None

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04222b20

size

0x0000000a

name

None

language

LANG_UKRAINIAN

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x04222b20

size

0x0000000a

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00077e00', u'virtual_address': u'0x041b4000', u'entropy': 7.626776410347851, u'name': u'UPX1', u'virtual_size': u'0x00078000'}

entropy

7.62677641035

description

A section with a high entropy has been found

entropy

0.943897637795

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Communicates with host for which no DNS query was performed (1 event)

host

81.177.139.41

Generates some ICMP traffic

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.PWS.RedLineNET.4
MicroWorld-eScan	Trojan.GenericKD.36187745
FireEye	Generic.mg.d4827f2bb4c0446d
ALYac	Trojan.GenericKD.36187745
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/Chapak.e8fafa3f
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.bb4c04
BitDefenderTheta	Gen:NN.ZexaF.34628.FmGfaSSxK4kc
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Chapak.pef
BitDefender	Trojan.GenericKD.36187745
NANO-Antivirus	Trojan.Win32.Chapak.ijpunl
Avast	Win32:DropperX-gen [Drp]
Tencent	Win32.Trojan.Chapak.Wqwg
Ad-Aware	Trojan.GenericKD.36187745
Emsisoft	Trojan.GenericKD.36187745 (B)
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0DAM21
McAfee-GW-Edition	BehavesLike.Win32.Trojan.hc
Sophos	Mal/Generic-S
Ikarus	Trojan.MalPack
Avira	TR/AD.StellarStealer.grbmy
MAX	malware (ai score=100)
Microsoft	Trojan:Win32/Ranumbot.RD!MTB
Arcabit	Trojan.Generic.D2282E61
GData	Trojan.GenericKD.36187745
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Gen.Reputation.C4304597
Acronis	suspicious
McAfee	GenericRXAA-AA!D4827F2BB4C0
VBA32	TrojanSpy.Stealer
Malwarebytes	Trojan.MalPack.GS
ESET-NOD32	a variant of Win32/Kryptik.HIXP
TrendMicro-HouseCall	TROJ_GEN.R002C0DAM21
Rising	Trojan.Kryptik!8.8 (CLOUD)
Yandex	Trojan.Chapak!U/JAJ62KN6c
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Kryptik.HIZL!tr
AVG	Win32:DropperX-gen [Drp]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)
Qihoo-360	Win32/Trojan.Chapak.HwsBSAIB

6e7_2021-01-19_18-04.txt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All