Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 18, 2022, 9:41 a.m.	Jan. 18, 2022, 9:52 a.m.

Size	584.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`bdf3b101d4c3bb29b543b42d854f1e9c`
SHA256	`09269b6f64fcb4394dbfba6c10b0f504c2e2d5c57aa04c42cd2c0c05aee2f9b8`
CRC32	`190BC7A4`
ssdeep	`12288:val9UuO+evrLLVTKVQhZkx1ziktcWElcsWiKf+Ht:y3EHv3L5KmA7ik6WEN+f+`
PDB Path	C:\refuh-memazihupona\vidob\bonivuhijali.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library Win32_Trojan_Dridex_Gene_Zero - Win32 Trojan Dridex Gene UPX_Zero - UPX packed file

4503_1642437829_3235.exe "C:\Users\test22\AppData\Local\Temp\4503_1642437829_3235.exe"
2772

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
52.246.251.51	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\refuh-memazihupona\vidob\bonivuhijali.pdb

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.teje

The file contains an unknown PE resource name possibly indicative of a packer (5 events)

resource name	AFX_DIALOG_LAYOUT
resource name	VESURAGOSAG
resource name	VIDIWAYAPENIGU
resource name	YONAMIKORUFENI
resource name	None

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 18, 2022, 9:41 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 327680 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072e000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Jan. 18, 2022, 9:41 a.m.	process_identifier: 2772 region_size: 598016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (16 events)

name

VESURAGOSAG

language

LANG_CHINESE

filetype

ASCII text, with very long lines, with no line terminators

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x002115b8

size

0x000006f0

name

VIDIWAYAPENIGU

language

LANG_CHINESE

filetype

ASCII text, with very long lines, with no line terminators

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x00212b90

size

0x000002fa

name

YONAMIKORUFENI

language

LANG_CHINESE

filetype

ASCII text, with very long lines, with no line terminators

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x00211ca8

size

0x00000ee8

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x002110f0

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x002110f0

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x002110f0

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x002110f0

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x002110f0

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x002110f0

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x002110f0

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x002110f0

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x002110f0

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x002110f0

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x002110f0

size

0x00000468

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x00211558

size

0x0000005a

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_HONGKONG

offset

0x00211558

size

0x0000005a

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00050c00', u'virtual_address': u'0x00034000', u'entropy': 7.9845832803626555, u'name': u'.data', u'virtual_size': u'0x001d5da8'}

entropy

7.98458328036

description

A section with a high entropy has been found

entropy

0.554030874786

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

52.246.251.51

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Bkav	W32.AIDetect.malware1
Lionic	Trojan.Win32.Zenpak.4!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.bdf3b101d4c3bb29
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.211c29
Cyren	W32/Kryptik.GAL.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ClamAV	Win.Dropper.Mikey-9917324-0
Kaspersky	UDS:Trojan.Win32.Zenpak.gen
Avast	FileRepMalware
Baidu	Win32.Trojan.Kryptik.jm
McAfee-GW-Edition	BehavesLike.Win32.Generic.hc
Sophos	ML/PE-A
Microsoft	Trojan:Win32/CryptInject.FB!MTB
Cynet	Malicious (score: 100)
Malwarebytes	Trojan.MalPack.GS
APEX	Malicious
Rising	Trojan.Generic@AI.80 (RDML:IFPmutvwuzRerAlHN5I7Ug)
SentinelOne	Static AI - Malicious PE
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_100% (W)

4503_1642437829_3235.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All