Report - ZeroBOX

ScreenShot

Info
Location map


Created	2021.10.23 09:53	Machine	s1_win7_x6401
Filename	zwoag.exe
Type	PE32+ executable (GUI) x86-64, for MS Windows
AI Score	6	Behavior Score	2.4
ZERO API	file : clean
VT API (file)	37 detected (Agentb, trtl, malicious, high confidence, Razy, GenericRI, S22849637, Artemis, Unsafe, Save, Eldorado, Themida, L suspicious, Scrop, DropperX, Generic ML PUA, Score, kcloud, Sabsik, ai score=86, ClipBanker, Static AI, Malicious PE, susgen)
md5	7e7e20bac722de83b363c29ee7e4efbd
sha256	8b3a26ce1e5307340caa595352252ece853b99ba8c8343b3c95685355e41b743
ssdeep	98304:axBI1GBZQQV/5V+rEKGfebNJGWDKpigYwhAhrF:qB4GB+u/H+rEKGfeGsKpv7
imphash	106f3d3e521ab0377bf478b03f3dd87b
impfuzzy	3:sUx2AEJt/M1KgK32bWmAgYbRA2yLMRMExAnmqMElB:nEJt/MN1bK19ycP3ED

Network IP location

Signature (5cnts)

Level	Description
danger	File has been identified by 37 AntiVirus engines on VirusTotal as malicious
watch	Tries to unhook Windows functions monitored by Cuckoo
notice	The binary likely contains encrypted or compressed data indicative of a packer
info	One or more processes crashed
info	The executable contains unknown PE section names indicative of a packer (could be a false positive)

Rules (3cnts)

Level	Name	Description	Collection
warning	themida_packer	themida packer	binaries (upload)
info	IsPE64	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (0cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

kernel32.dll
0x14002f108 GetModuleHandleA
USER32.dll
0x14002f118 DefWindowProcW
SHELL32.dll
0x14002f128 SHGetSpecialFolderPathW
ole32.dll
0x14002f138 CoInitializeEx
OLEAUT32.dll
0x14002f148 VariantInit

EAT(Export Address Table) is none

Report - zwoag.exe

Signature (5cnts)

Rules (3cnts)

Network (0cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure