File aa1e1659464408ae899fd4f498c747b4e9df4cbe440397f5de2a3c90152f161f

Size 87.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 615a3df7ebb20c750e10c4ee35ebd923
SHA1 ddaed2e97624ffe93c82910e841cadb0edbf1a24
SHA256 aa1e1659464408ae899fd4f498c747b4e9df4cbe440397f5de2a3c90152f161f
SHA512 faa780653fb1bdd561282d742638c0f190b6661e8e696c6f9c9f0e26e0aa8eaafcd88b745f71b36b653314984eb7c3f09b3f766503aed0752dbc0508b264f8d6
CRC32 471157C0
ssdeep None
Yara
  • UPX - (no description)
  • suspicious_packer_section - The packer/protector section names/keywords
  • network_http - Communications over HTTP
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_private_profile - Affect private profile
  • win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.


Information on Execution

Analysis
Category: FILE
Started: July 30, 2025, 10:03 p.m.
Completed: July 30, 2025, 10:10 p.m.
Duration: 393 seconds
Routing: internet
Logs: Analyzer Log, Cuckoo Log (below)

Analyzer Log

2025-07-27 07:50:06,030 [analyzer] DEBUG: Starting analyzer from: C:\tmp4w2pkt
2025-07-27 07:50:06,062 [analyzer] DEBUG: Pipe server name: \??\PIPE\yGJpwILpChQKQcaGHYTG
2025-07-27 07:50:06,062 [analyzer] DEBUG: Log pipe server name: \??\PIPE\ODnureKGtoaiBPenSclsdg
2025-07-27 07:50:06,375 [analyzer] DEBUG: Started auxiliary module Curtain
2025-07-27 07:50:06,375 [analyzer] DEBUG: Started auxiliary module DbgView
2025-07-27 07:50:06,890 [analyzer] DEBUG: Started auxiliary module Disguise
2025-07-27 07:50:07,108 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-07-27 07:50:07,108 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-07-27 07:50:07,108 [analyzer] DEBUG: Started auxiliary module Human
2025-07-27 07:50:07,108 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-07-27 07:50:07,125 [analyzer] DEBUG: Started auxiliary module Reboot
2025-07-27 07:50:07,217 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-07-27 07:50:07,217 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-07-27 07:50:07,217 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-07-27 07:50:07,217 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-07-27 07:50:07,358 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\aa1e1659464408ae899fd4f498c747b4e9df4cbe440397f5de2a3c90152f161f.exe' with arguments '' and pid 1928
2025-07-27 07:50:08,358 [analyzer] INFO: Process with pid 1928 has terminated
2025-07-27 07:50:08,358 [analyzer] INFO: Process list is empty, terminating analysis.
2025-07-27 07:50:09,608 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-07-27 07:50:09,608 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-07-30 22:03:38,411 [cuckoo.core.scheduler] INFO: Task #6791902: acquired machine win7x6423 (label=win7x6423)
2025-07-30 22:03:38,412 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.223 for task #6791902
2025-07-30 22:03:39,121 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 2250152 (interface=vboxnet0, host=192.168.168.223)
2025-07-30 22:03:39,490 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6423
2025-07-30 22:03:40,451 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6423 to vmcloak
2025-07-30 22:06:24,947 [cuckoo.core.guest] INFO: Starting analysis #6791902 on guest (id=win7x6423, ip=192.168.168.223)
2025-07-30 22:06:25,952 [cuckoo.core.guest] DEBUG: win7x6423: not ready yet
2025-07-30 22:06:30,999 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6423, ip=192.168.168.223)
2025-07-30 22:06:31,117 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6423, ip=192.168.168.223, monitor=latest, size=6660546)
2025-07-30 22:06:32,558 [cuckoo.core.resultserver] DEBUG: Task #6791902: live log analysis.log initialized.
2025-07-30 22:06:33,724 [cuckoo.core.resultserver] DEBUG: Task #6791902 is sending a BSON stream
2025-07-30 22:06:34,936 [cuckoo.core.resultserver] DEBUG: Task #6791902: File upload for 'shots/0001.jpg'
2025-07-30 22:06:34,961 [cuckoo.core.resultserver] DEBUG: Task #6791902 uploaded file length: 133451
2025-07-30 22:06:36,058 [cuckoo.core.resultserver] DEBUG: Task #6791902: File upload for 'curtain/1753595409.48.curtain.log'
2025-07-30 22:06:36,061 [cuckoo.core.resultserver] DEBUG: Task #6791902 uploaded file length: 36
2025-07-30 22:06:36,185 [cuckoo.core.resultserver] DEBUG: Task #6791902: File upload for 'sysmon/1753595409.61.sysmon.xml'
2025-07-30 22:06:36,241 [cuckoo.core.resultserver] DEBUG: Task #6791902 uploaded file length: 118518
2025-07-30 22:06:37,062 [cuckoo.core.resultserver] DEBUG: Task #6791902 had connection reset for <Context for LOG>
2025-07-30 22:06:38,078 [cuckoo.core.guest] INFO: win7x6423: analysis completed successfully
2025-07-30 22:06:38,096 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-07-30 22:06:38,116 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-07-30 22:06:39,903 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6423 to path /srv/cuckoo/cwd/storage/analyses/6791902/memory.dmp
2025-07-30 22:06:39,904 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6423
2025-07-30 22:10:10,750 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.223 for task #6791902
2025-07-30 22:10:11,464 [cuckoo.core.scheduler] DEBUG: Released database task #6791902
2025-07-30 22:10:11,479 [cuckoo.core.scheduler] INFO: Task #6791902: analysis procedure completed

Signatures

Yara rules detected for file (8 events)
description (no description) rule UPX
description The packer/protector section names/keywords rule suspicious_packer_section
description Communications over HTTP rule network_http
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Affect system registries rule win_registry
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
The executable is compressed using UPX (3 events)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
section UPX2 description Section name indicates UPX
File has been identified by 9 AntiVirus engines on IRMA as malicious (9 events)
G Data Antivirus (Windows) Virus: Gen:Variant.Zusy.389831 (Engine A)
Avast Core Security (Linux) Win32:MalwareX-gen [Misc]
C4S ClamAV (Linux) Win.Dropper.Tiggre-9845940-0
WithSecure (Linux) Trojan.TR/Crypt.ULPM.Gen
eScan Antivirus (Linux) Gen:Variant.Zusy.389831(DB)
Sophos Anti-Virus (Linux) Mal/Generic-S
Bitdefender Antivirus (Linux) Gen:Variant.Zusy.389831
Kaspersky Standard (Windows) VHO:Trojan.Win32.Sdum.gen
Emsisoft Commandline Scanner (Windows) Gen:Variant.Zusy.389831 (B)
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Scar.lF8R
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.Ghanarava.1753539664ebd923
Skyhigh BehavesLike.Win32.Generic.mz
ALYac Gen:Variant.Zusy.389831
Cylance Unsafe
VIPRE Gen:Variant.Zusy.389831
Sangfor Trojan.Win32.Save.BlackMoon
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Gen:Variant.Zusy.389831
K7GW Riskware ( 00584baa1 )
K7AntiVirus Riskware ( 00584baa1 )
Arcabit Trojan.Zusy.D5F2C7
Symantec ML.Attribute.HighConfidence
Elastic malicious (moderate confidence)
APEX Malicious
Avast Win32:MalwareX-gen [Misc]
ClamAV Win.Dropper.Tiggre-9845940-0
Kaspersky VHO:Trojan.Win32.Sdum.gen
Alibaba TrojanPSW:Win32/QQpass.a2ba7667
MicroWorld-eScan Gen:Variant.Zusy.389831
Rising Trojan.Sdum!8.1155F (CLOUD)
Emsisoft Gen:Variant.Zusy.389831 (B)
F-Secure Trojan.TR/Crypt.ULPM.Gen
TrendMicro TROJ_GEN.R002C0DGQ25
McAfeeD Real Protect-LS!615A3DF7EBB2
Trapmine suspicious.low.ml.score
CTX exe.trojan.crypt
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.Multi.lkk
Webroot W32.Trojan.Gen
Google Detected
Avira TR/Crypt.ULPM.Gen
Kingsoft malware.kb.b.992
Gridinsoft Trojan.Win32.Downloader.sa
Xcitium TrojWare.Win32.TrojanDownloader.Tiny.~DN@1kngc6
Microsoft PWS:Win32/QQpass!pz
GData Gen:Variant.Zusy.389831
Varist W32/Blackmoon.AN.gen!Eldorado
AhnLab-V3 Trojan/Win32.Stealer.R143066
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware.AI.DDS
Ikarus Trojan.Crypt
Panda Trj/CI.A
TrendMicro-HouseCall TROJ_GEN.R002C0DGQ25
TrellixENS Artemis!615A3DF7EBB2
Fortinet W32/ULPM.16C0!tr
AVG Win32:MalwareX-gen [Misc]
Screenshots

(no screenshots listed)

Network: DNS (Name, Response, Post-Analysis Lookup)
No hosts contacted.

Network: Hosts (IP Address, Status, Action, VT, Location)
No hosts contacted.