Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 28, 2025, 8:57 a.m.	April 28, 2025, 9:01 a.m.

Size	259.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3d31bf5db5ed5c115d0a6c5cfd2351df`
SHA256	`ff264986ba290e3be3eb8364b1852abee72ebab674e5cbdab82429e089bf21c6`
CRC32	`C8926E1D`
ssdeep	`6144:4qGdXu6wf0Nc8QsG9k+8la9VRnSajZJj:Ilu6MhSRmVRnSajZJj`
Yara	PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file

svchost.exe "C:\Users\test22\AppData\Local\Temp\svchost.exe"
2564

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
182.92.113.13	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 28, 2025, 8:57 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.tzzf

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 28, 2025, 8:57 a.m.	flags: 15 family: 0		111	0

Communicates with host for which no DNS query was performed (1 event)

host

182.92.113.13

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Mauvaise.S1559271
Skyhigh	BehavesLike.Win32.Generic.dh
ALYac	Gen:Variant.Ransom.Loki.14169
Cylance	Unsafe
VIPRE	Gen:Variant.Ransom.Loki.14169
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Ransom.Loki.14169
K7GW	Trojan ( 0012c6871 )
K7AntiVirus	Trojan ( 0012c6871 )
Arcabit	Trojan.Ransom.Loki.D3759
VirIT	Trojan.Win32.Swrort.K
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Trojan.Metasploit
ESET-NOD32	a variant of Win32/Rozena.ANO
APEX	Malicious
Avast	Win32:MsfShell-H [Trj]
ClamAV	Win.Exploit.Meterpreter-9777172-0
Kaspersky	HEUR:Trojan.Win32.Generic
NANO-Antivirus	Virus.Win32.Gen.ccmw
MicroWorld-eScan	Gen:Variant.Ransom.Loki.14169
Rising	Trojan.ShellCode!1.C856 (CLASSIC)
Emsisoft	Gen:Variant.Ransom.Loki.14169 (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen
Zillya	Trojan.Rozena.Win32.233780
McAfeeD	Real Protect-LS!3D31BF5DB5ED
Trapmine	malicious.high.ml.score
CTX	exe.ransomware.loki
Sophos	ATK/SwrortPk-B
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.Generic.gvrpn
Webroot	W32.Malware.Gen
Google	Detected
Avira	TR/Crypt.XPACK.Gen
Antiy-AVL	Trojan/Win32.Metasploit.a
Kingsoft	malware.kb.a.1000
Gridinsoft	Risk.Win32.Gen.sb!s1
Xcitium	TrojWare.Win32.Rozena.QR@8esbvx
Microsoft	HackTool:Win32/Meterpreter.A!dll
ZoneAlarm	ATK/SwrortPk-B
GData	Win32.Malware.Rozena.F
Varist	W32/Trojan.QGXH-4825
AhnLab-V3	Trojan/Win.Swrort.R602446
Acronis	suspicious
McAfee	GenericRXSN-HT!3D31BF5DB5ED
DeepInstinct	MALICIOUS
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Generic.Malware.AI.DDS

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (30 events)

dead_host	192.168.56.101:49191
dead_host	192.168.56.101:49161
dead_host	192.168.56.101:49171
dead_host	192.168.56.101:49165
dead_host	192.168.56.101:49175
dead_host	192.168.56.101:49176
dead_host	192.168.56.101:49184
dead_host	192.168.56.101:49180
dead_host	192.168.56.101:49188
dead_host	192.168.56.101:49166
dead_host	192.168.56.101:49168
dead_host	192.168.56.101:49177
dead_host	182.92.113.13:5555
dead_host	192.168.56.101:49172
dead_host	192.168.56.101:49185
dead_host	192.168.56.101:49163
dead_host	192.168.56.101:49181
dead_host	192.168.56.101:49189
dead_host	192.168.56.101:49167
dead_host	192.168.56.101:49169
dead_host	192.168.56.101:49178
dead_host	192.168.56.101:49173
dead_host	192.168.56.101:49186
dead_host	192.168.56.101:49182
dead_host	192.168.56.101:49190
dead_host	192.168.56.101:49170
dead_host	192.168.56.101:49179
dead_host	192.168.56.101:49174
dead_host	192.168.56.101:49187
dead_host	192.168.56.101:49183

svchost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All