File 4b94270d77479578ce5d88659bc8e76024c8456578392a341971fbe006e01963.exe

Size 1.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6b99e07b50a94776c2b4a22e4abb993d
SHA1 ca0082da4b86c40260d21a28297100bfae584064
SHA256 4b94270d77479578ce5d88659bc8e76024c8456578392a341971fbe006e01963
SHA512 7e270dd975d0381dd68c3aa46b21b74e312fc95a1cd590375f5a7b552d1387a171af871c9f8860dcc0a5e377764e205845a584ba01890f2f1787b47f9cfa50ec
CRC32 F66420E4
ssdeep None
Yara
  • anti_dbg - Checks if being debugged
  • network_tcp_listen - Listen for incoming communication
  • network_tcp_socket - Communications over RAW socket
  • network_dns - Communications use DNS
  • screenshot - Take screenshot
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.


Information on Execution

Analysis
Category FILE
Started Oct. 13, 2025, 6:44 a.m.
Completed Oct. 13, 2025, 6:47 a.m.
Duration 209 seconds
Routing internet

Analyzer Log

2025-10-13 06:43:57,000 [analyzer] DEBUG: Starting analyzer from: C:\tmp2pjrvv
2025-10-13 06:43:57,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\zpCsvuLEvZyTFQYkiczsZhtFvP
2025-10-13 06:43:57,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\FLWzGkzDdnQMQXtUDYIBEhKYF
2025-10-13 06:43:57,296 [analyzer] DEBUG: Started auxiliary module Curtain
2025-10-13 06:43:57,312 [analyzer] DEBUG: Started auxiliary module DbgView
2025-10-13 06:43:57,733 [analyzer] DEBUG: Started auxiliary module Disguise
2025-10-13 06:43:57,953 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-10-13 06:43:57,953 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-10-13 06:43:57,953 [analyzer] DEBUG: Started auxiliary module Human
2025-10-13 06:43:57,953 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-10-13 06:43:57,953 [analyzer] DEBUG: Started auxiliary module Reboot
2025-10-13 06:43:58,092 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-10-13 06:43:58,092 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-10-13 06:43:58,092 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-10-13 06:43:58,092 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-10-13 06:43:58,233 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4b94270d77479578ce5d88659bc8e76024c8456578392a341971fbe006e01963.exe' with arguments '' and pid 2784
2025-10-13 06:43:58,421 [analyzer] DEBUG: Loaded monitor into process with pid 2784
2025-10-13 05:45:37,992 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-10-13 05:45:38,257 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 2784.
2025-10-13 05:45:38,710 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-10-13 05:45:38,710 [lib.api.process] INFO: Successfully terminated process with pid 2784.
2025-10-13 05:45:38,710 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-10-13 06:44:12,560 [cuckoo.core.scheduler] INFO: Task #7030552: acquired machine win7x648 (label=win7x648)
2025-10-13 06:44:12,563 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.208 for task #7030552
2025-10-13 06:44:12,871 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 469147 (interface=vboxnet0, host=192.168.168.208)
2025-10-13 06:44:17,279 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x648
2025-10-13 06:44:17,936 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x648 to vmcloak
2025-10-13 06:44:54,991 [cuckoo.core.guest] INFO: Starting analysis #7030552 on guest (id=win7x648, ip=192.168.168.208)
2025-10-13 06:44:56,060 [cuckoo.core.guest] DEBUG: win7x648: not ready yet
2025-10-13 06:45:01,220 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x648, ip=192.168.168.208)
2025-10-13 06:45:06,108 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x648, ip=192.168.168.208, monitor=latest, size=6660546)
2025-10-13 06:45:07,750 [cuckoo.core.resultserver] DEBUG: Task #7030552: live log analysis.log initialized.
2025-10-13 06:45:08,684 [cuckoo.core.resultserver] DEBUG: Task #7030552 is sending a BSON stream
2025-10-13 06:45:09,105 [cuckoo.core.resultserver] DEBUG: Task #7030552 is sending a BSON stream
2025-10-13 06:45:09,983 [cuckoo.core.resultserver] DEBUG: Task #7030552: File upload for 'shots/0001.jpg'
2025-10-13 06:45:10,060 [cuckoo.core.resultserver] DEBUG: Task #7030552 uploaded file length: 146121
2025-10-13 06:45:23,316 [cuckoo.core.guest] DEBUG: win7x648: analysis #7030552 still processing
2025-10-13 06:45:38,641 [cuckoo.core.resultserver] DEBUG: Task #7030552: File upload for 'curtain/1760327138.48.curtain.log'
2025-10-13 06:45:38,673 [cuckoo.core.resultserver] DEBUG: Task #7030552 uploaded file length: 36
2025-10-13 06:45:38,878 [cuckoo.core.resultserver] DEBUG: Task #7030552: File upload for 'sysmon/1760327138.71.sysmon.xml'
2025-10-13 06:45:39,005 [cuckoo.core.guest] INFO: win7x648: analysis completed successfully
2025-10-13 06:45:39,077 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-10-13 06:45:39,127 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-10-13 06:45:39,139 [cuckoo.core.resultserver] DEBUG: Task #7030552 uploaded file length: 942846
2025-10-13 06:45:39,959 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x648 to path /srv/cuckoo/cwd/storage/analyses/7030552/memory.dmp
2025-10-13 06:45:39,988 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x648
2025-10-13 06:45:41,107 [cuckoo.core.resultserver] DEBUG: Task #7030552: File upload for 'shots/0002.jpg'
2025-10-13 06:45:41,198 [cuckoo.core.resultserver] DEBUG: Task #7030552 uploaded file length: 133498
2025-10-13 06:45:41,230 [cuckoo.core.resultserver] DEBUG: Task #7030552 had connection reset for <Context for LOG>
2025-10-13 06:47:40,817 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.208 for task #7030552
2025-10-13 06:47:41,413 [cuckoo.core.scheduler] DEBUG: Released database task #7030552
2025-10-13 06:47:41,457 [cuckoo.core.scheduler] INFO: Task #7030552: analysis procedure completed

Signatures

Yara rules detected for file (9 events)
  • anti_dbg - Checks if being debugged
  • network_tcp_listen - Listen for incoming communication
  • network_tcp_socket - Communications over RAW socket
  • network_dns - Communications use DNS
  • screenshot - Take screenshot
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
IsDebuggerPresent 0 0
Checks the amount of memory in the system; this can be used to detect virtual machines with a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
GlobalMemoryStatusEx 1 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)
section .00cfg
section .voltbl
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
resource name None
The binary likely contains encrypted or compressed data indicative of a packer (3 events)
section .rsrc (size_of_data 0x0005ac00, virtual_size 0x0005ab48, virtual_address 0x00109000, entropy 7.826598818837417) description A section with a high entropy has been found
section .reloc (size_of_data 0x0000b400, virtual_size 0x0000b400, virtual_address 0x00164000, entropy 6.882151568761567) description A section with a high entropy has been found
entropy 0.284122562674 description Overall entropy of this PE file is high
Harvests credentials from local FTP client software (1 event)
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
File has been identified by 10 AntiVirus engines on IRMA as malicious (10 events)
G Data Antivirus (Windows) Virus: Gen:Variant.Razy.15265 (Engine A)
Avast Core Security (Linux) Win32:Evo-gen [Trj]
Trellix (Linux) MalHeur-FAG
WithSecure (Linux) Trojan.TR/Rozena.jinsf
eScan Antivirus (Linux) Gen:Variant.Razy.15265(DB)
ESET Security (Windows) a variant of Win32/Rozena.WI trojan
Sophos Anti-Virus (Linux) Mal/Generic-S
Bitdefender Antivirus (Linux) Gen:Variant.Razy.15265
Kaspersky Standard (Windows) HEUR:Trojan.Win32.Cometer.gen
Emsisoft Commandline Scanner (Windows) Gen:Variant.Razy.15265 (B)
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Rozena.4!c
tehtris Generic.Malware
Cynet Malicious (score: 100)
CAT-QuickHeal Trojan.Ghanarava.1723248232bb993d
Skyhigh BehavesLike.Win32.MalHeur.tc
ALYac Gen:Variant.Razy.15265
Cylance Unsafe
VIPRE Gen:Variant.Razy.15265
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Gen:Variant.Razy.15265
K7GW Trojan ( 005187541 )
K7AntiVirus Trojan ( 005187541 )
Arcabit Trojan.Razy.D3BA1
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Rozena.WI
APEX Malicious
Avast Win32:Evo-gen [Trj]
Kaspersky HEUR:Trojan.Win32.Cometer.gen
Alibaba Trojan:Win32/Swrort.ffe08c29
MicroWorld-eScan Gen:Variant.Razy.15265
Rising Trojan.ShellCodeRunner!1.F3BD (CLASSIC)
Emsisoft Gen:Variant.Razy.15265 (B)
F-Secure Trojan.TR/Rozena.jinsf
Zillya Trojan.Generic.Win32.1855874
TrendMicro TROJ_GEN.R002C0DAL25
McAfeeD ti!4B94270D7747
Trapmine malicious.moderate.ml.score
CTX exe.trojan.rozena
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.Cometer.cwj
Google Detected
Avira TR/Rozena.jinsf
Antiy-AVL Trojan/Win32.Cometer
Kingsoft Win32.Trojan.Cometer.gen
Xcitium Malware@#304uyhez9tt25
Microsoft Trojan:Win32/Swrort!pz
GData Gen:Variant.Razy.15265
Varist W32/Rozena.HR.gen!Eldorado
AhnLab-V3 Trojan/Win.FAG.C5564740
Acronis suspicious
VBA32 BScope.TrojanDownloader.Upatre
TACHYON Trojan/W32.Cometer.1471488.B
DeepInstinct MALICIOUS
Malwarebytes Floxif.Virus.FileInfector.DDS
Ikarus Trojan.Agent
Panda Trj/Genetic.gen
Screenshots

Network

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status Action VT Location
No hosts contacted.