Archive output @ 51ef7e24150302abc28741c58ef56f5c0e58a610dc1a4180cc704b104b3e4921.bin.sample.gz

Size 8.3MB
Type PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5 2741d1c10084a0652d369407a8082310
SHA1 9a94f88284b5a7abf08b0c89d94b5361efb94b30
SHA256 51ef7e24150302abc28741c58ef56f5c0e58a610dc1a4180cc704b104b3e4921
SHA512 093efdf0a301e0a9964542ec087e46965e05916ea719af8080cfc3bde26faf0fe541ec7e4f2330bb4beeaf77133da9cfe7dbf957bcbd803def24d3ec7b37073a
CRC32 0EEF2DB1
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
  • WannaCry_Ransomware - Detects WannaCry Ransomware
  • possible_exploit - (no description)
  • crypto_jacking_signatures - case139 - file main.js
  • IMPLANT_6_v1 - Sednit / EVILTOSS Implant by APT28
  • IronTiger_NBDDos_Gh0stvariant_dropper - Iron Tiger Malware - NBDDos Gh0stvariant Dropper
  • WarpStrings - Warp Identifying Strings
  • Warp - Warp
  • memory_shylock - (no description)
  • ZXProxy - (no description)

Score

This archive is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.


Information on Execution

Analysis
Category Started Completed Duration Routing
ARCHIVE April 25, 2025, 3:57 a.m. April 25, 2025, 3:57 a.m. 29 seconds internet

Analyzer Log

2025-04-25 03:57:12,108 [analyzer] DEBUG: Starting analyzer from: C:\tmp564etj
2025-04-25 03:57:12,108 [analyzer] DEBUG: Pipe server name: \??\PIPE\vLhRcfsNQVWtlmqiuakIk
2025-04-25 03:57:12,108 [analyzer] DEBUG: Log pipe server name: \??\PIPE\WITNjPqfFpGESuPtCOaeMuPoZsIczI
2025-04-25 03:57:12,328 [analyzer] DEBUG: Started auxiliary module Curtain
2025-04-25 03:57:12,328 [analyzer] DEBUG: Started auxiliary module DbgView
2025-04-25 03:57:12,765 [analyzer] DEBUG: Started auxiliary module Disguise
2025-04-25 03:57:13,030 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-04-25 03:57:13,030 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-04-25 03:57:13,030 [analyzer] DEBUG: Started auxiliary module Human
2025-04-25 03:57:13,030 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-04-25 03:57:13,046 [analyzer] DEBUG: Started auxiliary module Reboot
2025-04-25 03:57:13,155 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-04-25 03:57:13,171 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-04-25 03:57:13,171 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-04-25 03:57:13,171 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-04-25 03:57:13,421 [lib.api.process] ERROR: Failed to execute process from path 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\output.exe' with arguments ['bin\\inject-x86.exe', '--app', 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\output.exe', '--only-start', '--curdir', 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp'] (Error: Command '['bin\\inject-x86.exe', '--app', 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\output.exe', '--only-start', '--curdir', 'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp']' returned non-zero exit status 1)

Cuckoo Log

2025-04-25 03:57:16,546 [cuckoo.core.scheduler] INFO: Task #6334450: acquired machine win7x6419 (label=win7x6419)
2025-04-25 03:57:16,547 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.219 for task #6334450
2025-04-25 03:57:16,954 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 2860042 (interface=vboxnet0, host=192.168.168.219)
2025-04-25 03:57:16,984 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6419
2025-04-25 03:57:17,683 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6419 to vmcloak
2025-04-25 03:57:26,660 [cuckoo.core.guest] INFO: Starting analysis #6334450 on guest (id=win7x6419, ip=192.168.168.219)
2025-04-25 03:57:27,666 [cuckoo.core.guest] DEBUG: win7x6419: not ready yet
2025-04-25 03:57:32,696 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6419, ip=192.168.168.219)
2025-04-25 03:57:32,761 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6419, ip=192.168.168.219, monitor=latest, size=6660546)
2025-04-25 03:57:34,449 [cuckoo.core.resultserver] DEBUG: Task #6334450: live log analysis.log initialized.
2025-04-25 03:57:35,432 [cuckoo.core.resultserver] DEBUG: Task #6334450 is sending a BSON stream
2025-04-25 03:57:36,783 [cuckoo.core.resultserver] DEBUG: Task #6334450: File upload for 'shots/0001.jpg'
2025-04-25 03:57:36,796 [cuckoo.core.resultserver] DEBUG: Task #6334450 uploaded file length: 133561
2025-04-25 03:57:36,976 [cuckoo.core.guest] WARNING: win7x6419: analysis #6334450 caught an exception
Traceback (most recent call last):
  File "C:/tmp564etj/analyzer.py", line 824, in <module>
    success = analyzer.run()
  File "C:/tmp564etj/analyzer.py", line 673, in run
    pids = self.package.start(self.target)
  File "C:\tmp564etj\modules\packages\exe.py", line 34, in start
    return self.execute(path, args=shlex.split(args))
  File "C:\tmp564etj\lib\common\abstracts.py", line 205, in execute
    "Unable to execute the initial process, analysis aborted."
CuckooPackageError: Unable to execute the initial process, analysis aborted.

2025-04-25 03:57:36,988 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-04-25 03:57:37,012 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-04-25 03:57:37,922 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6419 to path /srv/cuckoo/cwd/storage/analyses/6334450/memory.dmp
2025-04-25 03:57:37,923 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6419
2025-04-25 03:57:45,577 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.219 for task #6334450
2025-04-25 03:57:45,578 [cuckoo.core.resultserver] DEBUG: Cancel <Context for LOG> for task 6334450
2025-04-25 03:57:45,897 [cuckoo.core.scheduler] DEBUG: Released database task #6334450
2025-04-25 03:57:45,915 [cuckoo.core.scheduler] INFO: Task #6334450: analysis procedure completed

Signatures

Yara rules detected for file (10 events)
description Possibly employs anti-virtualization techniques rule vmdetect
description Detects WannaCry Ransomware rule WannaCry_Ransomware
description (no description) rule possible_exploit
description case139 - file main.js rule crypto_jacking_signatures
description Sednit / EVILTOSS Implant by APT28 rule IMPLANT_6_v1
description Iron Tiger Malware - NBDDos Gh0stvariant Dropper rule IronTiger_NBDDos_Gh0stvariant_dropper
description Warp Identifying Strings rule WarpStrings
description Warp rule Warp
description (no description) rule memory_shylock
description (no description) rule ZXProxy
File has been identified by 10 AntiVirus engines on IRMA as malicious (10 events)
G Data Antivirus (Windows) Virus: Gen:Variant.Ulise.385808 (Engine A)
Avast Core Security (Linux) Win32:Agent-AONB [Trj]
C4S ClamAV (Linux) Sanesecurity.Malware.26198.JsHeur.UNOFFICIAL
WithSecure (Linux) Trojan.TR/AVI.Aurora.zzzkw
eScan Antivirus (Linux) Gen:Variant.Ulise.385808(DB)
Sophos Anti-Virus (Linux) Mal/Generic-S
DrWeb Antivirus (Linux) HTML.FishForm.613
ClamAV (Linux) Sanesecurity.Malware.26198.JsHeur.UNOFFICIAL
Bitdefender Antivirus (Linux) Gen:Variant.Ulise.385808
Emsisoft Commandline Scanner (Windows) Gen:Variant.Ulise.385808 (B)
File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Aurora.4!c
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.Ghanarava.1736146904082310
Skyhigh BehavesLike.Win32.Trojan.rh
ALYac Gen:Variant.Ulise.385808
Cylance Unsafe
VIPRE Gen:Variant.Ulise.385808
Sangfor HackTool.Win64.Mimikatz.uwccg
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Gen:Variant.Ulise.385808
K7GW Riskware ( 00584baa1 )
K7AntiVirus Riskware ( 00584baa1 )
Arcabit Trojan.Ulise.D5E310
Symantec Trojan.Gen.MBT
Elastic Multi.Trojan.Mythic
Avast Win32:Agent-AONB [Trj]
ClamAV Win.Trojan.Agent-35382
Alibaba Ransom:Win32/GlobeImposter.181220
MicroWorld-eScan Gen:Variant.Ulise.385808
Rising Trojan.EmbVbs!1.D7EE (CLASSIC)
Emsisoft Gen:Variant.Ulise.385808 (B)
F-Secure Trojan.TR/AVI.Aurora.zzzkw
DrWeb HTML.FishForm.613
McAfeeD ti!51EF7E241503
CTX dll.trojan.generic
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
FireEye Gen:Variant.Ulise.385808
Google Detected
Avira TR/AVI.Aurora.zzzkw
Antiy-AVL Trojan[Ransom]/Win32.Dcrypt.a
Kingsoft Win32.HackTool.CoinMiner.p
Gridinsoft Risk.CoinMiner.A.sb!yf
Microsoft Trojan:Win32/Wacatac.B!ml
GData Gen:Variant.Ulise.385808
Varist W32/ABApplication.NOON-3988
McAfee Artemis!2741D1C10084
DeepInstinct MALICIOUS
Malwarebytes Malware.AI.2739233253
Ikarus Trojan-Spy.Aurora
TrendMicro-HouseCall TROJ_GEN.R002H0CLM24
Tencent Risktool.Win32.Bitcoinminer.16000093
huorong HackTool/CoinMiner.a
MaxSecure Trojan.Malware.121218.susgen
Fortinet W32/PossibleThreat!tr.ransom
AVG Win32:Agent-AONB [Trj]
Paloalto generic.ml
alibabacloud Trojan:Win/Fragtor.c0037aed
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.