Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x3201	March 29, 2021, 2:02 p.m.	March 29, 2021, 2:05 p.m.

Size	20.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`c64253856d7af67fb3a75fe2cfcffd09`
SHA256	`246fd88c63c5e215204c074607ad0f6108bbc213bf39d7398db892c6149fe986`
CRC32	`61317D51`
ssdeep	`393216:3jn+LvhwQv1G05yIsrhYq6pWt8sF7FGwGoQ4Kbqr3GB6kuLI8RrwtaWy2tgO3ktb:zYhwK2YrpCOohKWL+gRs9y2tr4cO`
PDB Path	d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb
Yara	PE_Header_Zero - PE File Signature Zero screenshot - Take screenshot win_registry - Affect system registries win_files_operation - Affect private profile IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasOverlay - Overlay Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

musteri.exe "C:\Users\Administrator\AppData\Local\Temp\musteri.exe"
6272

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 29, 2021, 2:02 p.m.	process_identifier: 6272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6daf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2021, 2:02 p.m.	process_identifier: 6272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2021, 2:02 p.m.	process_identifier: 6272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x721a4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2021, 2:02 p.m.	process_identifier: 6272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72322000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2021, 2:02 p.m.	process_identifier: 6272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74551000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2021, 2:02 p.m.	process_identifier: 6272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77791000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2021, 2:02 p.m.	process_identifier: 6272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2021, 2:02 p.m.	process_identifier: 6272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75c61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2021, 2:02 p.m.	process_identifier: 6272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 29, 2021, 2:02 p.m.	process_identifier: 6272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x77bd1000 process_handle: 0xffffffff	1

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Alibaba	Trojan:Win32/Generic.df04eb5b
Symantec	Trojan.Gen
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Generic
Rising	Trojan.Generic!8.C3 (CLOUD)
Comodo	TrojWare.Win32.Trojan.Banker.~d08@1okg8n
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	Artemis
Jiangmin	Trojan/Generic.bbjxs
Antiy-AVL	Trojan/Win32.Unknown
AegisLab	Trojan.Win32.Generic.4!c
ZoneAlarm	HEUR:Trojan.Win32.Generic
McAfee	Artemis!C64253856D7A
MAX	malware (ai score=96)
Cylance	Unsafe
Yandex	Trojan.Rogue!zFOcTwFV3RI
eGambit	Generic.Malware
AVG	Win32:Malware-gen
Avast	Win32:Malware-gen
Qihoo-360	Win32/Trojan.e6d

musteri.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All