Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 29, 2025, 10:29 a.m.	April 29, 2025, 10:36 a.m.

Size	250.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`310c1b76fbf1b164cc59a158949d24f3`
SHA256	`138b3883e8ccf6496ae1d5f9499a8dda3e46be499eed57d054d810079b91ecb2`
CRC32	`E4C9ADC5`
ssdeep	`6144:P6AfoFv2O72QFbFB/lkyO4k/v9bdUkbz:SAQFuS2QFhjkysw`
Yara	PE_Header_Zero - PE File Signature Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult Malicious_Packer_Zero - Malicious Packer RedLine_Stealer_b_Zero - RedLine stealer Is_DotNET_EXE - (no description) Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file detect_Redline_Stealer_V2 - (no description)

FreePhotoShop%20Meme%20Coin%20Packs.exe "C:\Users\test22\AppData\Local\Temp\FreePhotoShop%20Meme%20Coin%20Packs.exe"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA April 29, 2025, 10:29 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 29, 2025, 10:29 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 29, 2025, 10:29 a.m.			0	0
IsDebuggerPresent April 29, 2025, 10:29 a.m.			0	0
IsDebuggerPresent April 29, 2025, 10:29 a.m.			0	0
IsDebuggerPresent April 29, 2025, 10:29 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 29, 2025, 10:29 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 29, 2025, 10:29 a.m.	process_identifier: 2556 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2025, 10:29 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2025, 10:29 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 29, 2025, 10:29 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2025, 10:29 a.m.	process_identifier: 2556 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00490000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2025, 10:29 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2025, 10:29 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2025, 10:29 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2025, 10:29 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2025, 10:29 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2025, 10:29 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2025, 10:29 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2025, 10:29 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 29, 2025, 10:29 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.DataStealer.i!c
CAT-QuickHeal	Trojan.Ghanarava.17457931919d24f3
Skyhigh	Artemis!Trojan
ALYac	Trojan.GenericKD.76268388
Cylance	Unsafe
VIPRE	Trojan.GenericKD.76268388
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.76268388
K7GW	Spyware ( 0056dd401 )
K7AntiVirus	Spyware ( 0056dd401 )
Arcabit	Trojan.Generic.D48BC364
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	Infostealer
Elastic	Windows.Generic.Threat
ESET-NOD32	a variant of MSIL/PSW.Agent.RXP
Avast	Win32:MalwareX-gen [Pws]
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealer.gen
Alibaba	TrojanPSW:MSIL/Stealgen.abb06039
NANO-Antivirus	Trojan.Win32.Stealer.kwxwkr
MicroWorld-eScan	Trojan.GenericKD.76268388
Rising	Stealer.Phemedrone!1.F3D5 (CLASSIC)
Emsisoft	Trojan.GenericKD.76268388 (B)
F-Secure	Heuristic.HEUR/AGEN.1307370
DrWeb	Trojan.PWS.Stealer.41994
Zillya	Trojan.Agent.Win32.4219411
TrendMicro	TROJ_GEN.R002C0DDF25
McAfeeD	Real Protect-LS!310C1B76FBF1
CTX	exe.trojan.msil
Sophos	Troj/Steal-FDX
SentinelOne	Static AI - Malicious PE
Webroot	Win.Redline.Stealer
Google	Detected
Avira	HEUR/AGEN.1307370
Gridinsoft	Trojan.Win32.Agent.sa
Microsoft	PWS:MSIL/Stealgen.GA!MTB
ViRobot	Trojan.Win.Z.Datastealer.256000.P
ZoneAlarm	Troj/Steal-FDX
GData	MSIL.Trojan-Stealer.DataStealer.B
Varist	W32/MSIL_Agent.FTF.gen!Eldorado
AhnLab-V3	Trojan/Win.Evital.C5728862
McAfee	Artemis!310C1B76FBF1
DeepInstinct	MALICIOUS
VBA32	Trojan.MSIL.InfoStealer.gen.D
Malwarebytes	Spyware.StormKitty.MSIL
Panda	Trj/GdSda.A
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9Z
Tencent	Malware.Win32.Gencirc.11df6ad4
huorong	TrojanSpy/Stealer.gg

FreePhotoShop%20Meme%20Coin%20Packs.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All