Summary | ZeroBOX

REW.exe

Category FILE
Machine s1_win7_x6402
Started March 22, 2021, 10:18 a.m.
Completed March 22, 2021, 10:26 a.m.
Size 513.5KB
Type MS-DOS executable, MZ for MS-DOS (the file-type guess stops at the DOS header, which the PE_Header_Zero rule shows is partly zeroed; the IsPE64 rule and the 0x140000000 image base seen in the stack trace show this is actually a 64-bit PE)
MD5 4437932f91042579798df965170c55a8
SHA256 0ed3ce0f13bd721bc78bd411e74aeb3e772588d2bb1b3f2d2be4e390164646ec
CRC32 F475F35A
ssdeep 12288:e7iLxBGNINxDRhDqaRQTBRwrl1MWsXI9a+2cO:e7iNBEmxfqzNdTXI0+2cO
Yara
  • PE_Header_Zero - PE File Signature Zero
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
  • IsPE64 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasModified_DOS_Message - DOS Message Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .MPRESS1
section .MPRESS2
(both section names are the ones written by the MPRESS packer; together with the IsPacked entropy match they indicate an MPRESS-packed binary whose real code is only visible after the stub decompresses it in memory)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77210895
stacktrace+0x84 memdup-0x1af @ 0x72e10470
hook_in_monitor+0x45 lde-0x133 @ 0x72e042ea
New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x72e23603
VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd6e3243
VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd6e31fb
rew+0xc1ab7 @ 0x1400c1ab7
GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76e42ef0
0x128fff (same value repeated for the remaining 56 frames; the walker has run off the valid return-address chain)

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x77210895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION)
exception.offset: 329877 (0x50895)
registers (decimal as logged, hex in parentheses):
registers.rax: 4388088 (0x42f4f8)
registers.rbx: 1994665712 (0x76e42ef0)
registers.rcx: 4388408 (0x42f638)
registers.rdx: 4389752 (0x42fb78)
registers.rsi: 5369929728 (0x14012a000)
registers.rdi: 5368709487 (0x14000016f)
registers.rbp: 0
registers.rsp: 4390664 (0x42ff08)
registers.r8: 64 (0x40)
registers.r9: 4
registers.r10: 0
registers.r11: 514 (0x202)
registers.r12: 0
registers.r13: 0
registers.r14: 0
registers.r15: 0

Reading the fault: the first seven instruction bytes, 0f ae 81 00 01 00 00, decode to fxsave [rcx+0x100], the instruction RtlCaptureContext uses to store the FPU/SSE state into the CONTEXT record whose address is in rcx. fxsave requires a 16-byte-aligned destination; rcx is 0x42f638, so the destination 0x42f738 is only 8-byte aligned, which is enough to raise the access violation on its own. Every frame above the fault (stacktrace, hook_in_monitor, New_ntdll_NtProtectVirtualMemory) belongs to the sandbox's own hooking layer, so this record is consistent with the monitor capturing a context into a misaligned buffer while logging the sample's VirtualProtect call from rew+0xc1ab7, not with a crash in the sample's code. Treat the exception as instrumentation noise. The VirtualProtect call itself is worth noting: it originates inside .MPRESS1 (0x140001000 to 0x14012b000, given the section's virtual_address 0x1000 and virtual_size 0x12a000), which is where a packer stub changes page protections before writing the decompressed image over its own section.
Status: 1, Return: 0, Repeated: 0 (the remaining columns of the behavior row above)
section .MPRESS1: virtual_address 0x00001000, virtual_size 0x0012a000, size_of_data 0x00063400, entropy 7.9995 bits per byte; description: A section with a high entropy has been found. The section occupies three times more memory than it has bytes on disk, the usual signature of a stub that decompresses in place.
entropy 0.7846; description: Overall entropy of this PE file is high. This value is not bits per byte but the share of raw section bytes that sit in high-entropy sections: 0x63400 of the 0x7e800 bytes of section data (0x63400 / 0.784585 = 0x7e800 exactly), so roughly a fifth of the section data, the .MPRESS2 stub, is uncompressed.
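The IsPacked, HasOverlay and HasModified_DOS_Message rules and the two entropy lines above are standard static checks. The script below reimplements them without pefile and runs them over a constructed PE32+ skeleton; it is an added example, not ZeroBOX's or MPRESS's code. Everything about the input is an assumption modelled on this report (the .MPRESS1/.MPRESS2 names, the virtual_size/size_of_data gap, the stub text), as are the 6.8-bit entropy threshold, the "virtual_size > 2 x raw size" expansion heuristic and the function names.

```python
"""Static triage mirroring the report's Yara findings: per-section entropy
(IsPacked), bytes past the last section (HasOverlay), a non-standard DOS stub
message (HasModified_DOS_Message), MPRESS section names, and the "share of
section bytes in high-entropy sections" figure the overall-entropy line uses.
Added example; input is a constructed, non-runnable PE32+ header skeleton."""
import hashlib
import math
import struct
from collections import Counter

STANDARD_DOS_MESSAGE = b"This program cannot be run in DOS mode."
PACKER_SECTION_NAMES = {".MPRESS1", ".MPRESS2"}
ENTROPY_THRESHOLD = 6.8  # bits/byte; assumption, compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _e_lfanew(pe: bytes) -> int:
    """Offset of the PE signature, validated against both magic values."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[off:off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return off


def parse_sections(pe: bytes) -> list:
    """Walk the COFF section table (40-byte entries after the optional header)."""
    coff = _e_lfanew(pe) + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name, "virtual_address": va, "virtual_size": vsize,
            "size_of_data": raw_size, "raw_end": raw_ptr + raw_size,
            "entropy": shannon_entropy(raw),
            # packer stubs reserve far more memory than they ship on disk (assumed heuristic)
            "expands_in_memory": vsize > 2 * max(raw_size, 1),
        })
    return sections


def overlay_size(pe: bytes) -> int:
    """Bytes appended after the last section's raw data (HasOverlay)."""
    end = max((s["raw_end"] for s in parse_sections(pe)), default=0)
    return max(len(pe) - end, 0)


def dos_message_modified(pe: bytes) -> bool:
    """True when the stub between DOS header and PE header lacks the stock text."""
    return STANDARD_DOS_MESSAGE not in pe[0x40:_e_lfanew(pe)]


def triage(pe: bytes) -> dict:
    sections = parse_sections(pe)
    total = sum(s["size_of_data"] for s in sections)
    high = sum(s["size_of_data"] for s in sections if s["entropy"] > ENTROPY_THRESHOLD)
    packer = [s["name"] for s in sections if s["name"] in PACKER_SECTION_NAMES]
    return {
        "sections": sections,
        "packer_sections": packer,
        "is_packed": bool(packer) or high > 0,
        "high_entropy_ratio": high / total if total else 0.0,  # the report's "overall entropy"
        "overlay_size": overlay_size(pe),
        "has_overlay": overlay_size(pe) > 0,
        "modified_dos_message": dos_message_modified(pe),
    }


def build_synthetic_pe(payload: bytes, overlay: bytes, dos_message: bytes) -> bytes:
    """Constructed test input: PE32+ headers plus two MPRESS-named sections.
    It parses but does not run; virtual sizes mimic the report's section."""
    stub = dos_message + b"\r\n$"
    e_lfanew = (0x40 + len(stub) + 7) & ~7
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)  # AMD64, two sections
    optional = struct.pack("<H", 0x20B).ljust(240, b"\0")          # PE32+ magic only
    data_off = (e_lfanew + 4 + 20 + 240 + 2 * 40 + 0x1FF) & ~0x1FF  # 512-byte alignment
    zeros = b"\0" * 0x200                                           # low-entropy stub stand-in
    sec1 = struct.pack("<8sIIIIIIHHI", b".MPRESS1", 0x12A000, 0x1000,
                       len(payload), data_off, 0, 0, 0, 0, 0xE0000060)
    sec2 = struct.pack("<8sIIIIIIHHI", b".MPRESS2", 0x1000, 0x12B000,
                       len(zeros), data_off + len(payload), 0, 0, 0, 0, 0xE0000060)
    headers = (dos_header + stub.ljust(e_lfanew - 0x40, b"\0") + b"PE\0\0"
               + coff + optional + sec1 + sec2)
    return headers.ljust(data_off, b"\0") + payload + zeros + overlay


# Constructed inputs: chained SHA-256 digests give deterministic near-8.0-entropy bytes.
PACKED_PAYLOAD = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(64))
OVERLAY = b"constructed overlay bytes"
SAMPLE_PE = build_synthetic_pe(PACKED_PAYLOAD, OVERLAY, b"Constructed non-standard stub text")
CLEAN_PE = build_synthetic_pe(b"\0" * 0x400, b"", STANDARD_DOS_MESSAGE)

if __name__ == "__main__":
    result = triage(SAMPLE_PE)
    for s in result["sections"]:
        print(f'{s["name"]:9} raw=0x{s["size_of_data"]:x} virt=0x{s["virtual_size"]:x} '
              f'entropy={s["entropy"]:.3f} expands={s["expands_in_memory"]}')
    print({k: v for k, v in result.items() if k != "sections"})
```

On the synthetic input the ratio comes out at 0.8 (2048 of 2560 section bytes are high-entropy), the same kind of figure as the report's 0.7846; against a real file the script reads the whole image from disk and the same functions apply unchanged.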
Cynet Malicious (score: 85)
ALYac Trojan.GenericKD.36542171
CrowdStrike win/malicious_confidence_80% (W)
Arcabit Trojan.Generic.D22D96DB
APEX Malicious
ClamAV Win.Malware.Agen-9845800-0
BitDefender Trojan.GenericKD.36542171
MicroWorld-eScan Trojan.GenericKD.36542171
Avast FileRepMalware
Ad-Aware Trojan.GenericKD.36542171
Emsisoft Trojan.GenericKD.36542171 (B)
McAfee-GW-Edition Artemis!Trojan
FireEye Trojan.GenericKD.36542171
Webroot W32.Malware.Gen
Avira TR/AD.SmallAHKDownloader.oftsb
MAX malware (ai score=82)
Microsoft Trojan:Win32/Ymacco.AA0E
GData Trojan.GenericKD.36542171
McAfee Artemis!4437932F9104
Yandex Trojan.Agent!vG2VySOCZ6E
eGambit PE.Heur.InvalidSig
Fortinet W32/PossibleThreat
AVG FileRepMalware
Cybereason malicious.ceb4fc
Qihoo-360 Win64/TrojanDownloader.Generic.HgEASRIA