File 4865a75f4ee94e81b2556f951c1ec1fedf2b45dfe280c315d56b19a030ab1067

Size 3.6MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1e2759ce8cf3bf1a04617231903a0742
SHA1 c515111584f14f9547f40ef5224d846161cb64b2
SHA256 4865a75f4ee94e81b2556f951c1ec1fedf2b45dfe280c315d56b19a030ab1067
SHA512 e628078df2841d0fd324f1358cb0351f4d11c4613f38bbaf15b64e332a8611ac3b61a23c95cc05682ee913586b14e8ca16bfdbc8635d0bb9264fa6fdf270031b
CRC32 F19DA2D3
ssdeep None
Yara
  • APT32_KerrDown - (no description)
  • GenerateTLSClientHelloPacket_Test - (no description)
  • Check_OutputDebugStringA_iat - (no description)
  • anti_dbg - Checks if being debugged
  • network_tcp_listen - Listen for incoming communication
  • network_tcp_socket - Communications over RAW socket
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_private_profile - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.



Information on Execution

Analysis
Category: FILE
Started: April 22, 2025, 10:56 a.m.
Completed: April 22, 2025, 11:02 a.m.
Duration: 308 seconds
Routing: internet

Analyzer Log

2025-04-21 00:59:47,000 [analyzer] DEBUG: Starting analyzer from: C:\tmphzbxu3
2025-04-21 00:59:47,000 [analyzer] DEBUG: Pipe server name: \??\PIPE\NvwIYpXJOzIOmtDDFlCQ
2025-04-21 00:59:47,000 [analyzer] DEBUG: Log pipe server name: \??\PIPE\cWxnkKPaHLTezpqJsBSBuaYOPE
2025-04-21 00:59:47,280 [analyzer] DEBUG: Started auxiliary module Curtain
2025-04-21 00:59:47,280 [analyzer] DEBUG: Started auxiliary module DbgView
2025-04-21 00:59:47,717 [analyzer] DEBUG: Started auxiliary module Disguise
2025-04-21 00:59:47,921 [analyzer] DEBUG: Loaded monitor into process with pid 500
2025-04-21 00:59:47,921 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-04-21 00:59:47,921 [analyzer] DEBUG: Started auxiliary module Human
2025-04-21 00:59:47,921 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-04-21 00:59:47,921 [analyzer] DEBUG: Started auxiliary module Reboot
2025-04-21 00:59:48,000 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-04-21 00:59:48,000 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-04-21 00:59:48,000 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-04-21 00:59:48,000 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-04-21 00:59:48,280 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\4865a75f4ee94e81b2556f951c1ec1fedf2b45dfe280c315d56b19a030ab1067.exe' with arguments '' and pid 1772
2025-04-21 00:59:49,280 [analyzer] INFO: Process with pid 1772 has terminated
2025-04-21 00:59:49,280 [analyzer] INFO: Process list is empty, terminating analysis.
2025-04-21 00:59:50,500 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-04-21 00:59:50,500 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-04-22 10:56:58,498 [cuckoo.core.scheduler] INFO: Task #6318907: acquired machine win7x6425 (label=win7x6425)
2025-04-22 10:56:58,499 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.225 for task #6318907
2025-04-22 10:56:58,879 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 2025681 (interface=vboxnet0, host=192.168.168.225)
2025-04-22 10:57:06,792 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6425
2025-04-22 10:57:07,442 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6425 to vmcloak
2025-04-22 10:59:13,384 [cuckoo.core.guest] INFO: Starting analysis #6318907 on guest (id=win7x6425, ip=192.168.168.225)
2025-04-22 10:59:14,552 [cuckoo.core.guest] DEBUG: win7x6425: not ready yet
2025-04-22 10:59:19,595 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6425, ip=192.168.168.225)
2025-04-22 10:59:19,724 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6425, ip=192.168.168.225, monitor=latest, size=6660546)
2025-04-22 10:59:21,151 [cuckoo.core.resultserver] DEBUG: Task #6318907: live log analysis.log initialized.
2025-04-22 10:59:22,018 [cuckoo.core.resultserver] DEBUG: Task #6318907 is sending a BSON stream
2025-04-22 10:59:23,278 [cuckoo.core.resultserver] DEBUG: Task #6318907: File upload for 'shots/0001.jpg'
2025-04-22 10:59:23,288 [cuckoo.core.resultserver] DEBUG: Task #6318907 uploaded file length: 133536
2025-04-22 10:59:24,539 [cuckoo.core.resultserver] DEBUG: Task #6318907: File upload for 'curtain/1745189990.38.curtain.log'
2025-04-22 10:59:24,543 [cuckoo.core.resultserver] DEBUG: Task #6318907 uploaded file length: 36
2025-04-22 10:59:24,660 [cuckoo.core.resultserver] DEBUG: Task #6318907: File upload for 'sysmon/1745189990.5.sysmon.xml'
2025-04-22 10:59:24,668 [cuckoo.core.resultserver] DEBUG: Task #6318907 uploaded file length: 363290
2025-04-22 10:59:25,393 [cuckoo.core.resultserver] DEBUG: Task #6318907 had connection reset for <Context for LOG>
2025-04-22 10:59:26,757 [cuckoo.core.guest] INFO: win7x6425: analysis completed successfully
2025-04-22 10:59:26,769 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-04-22 10:59:26,802 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-04-22 10:59:27,938 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6425 to path /srv/cuckoo/cwd/storage/analyses/6318907/memory.dmp
2025-04-22 10:59:27,939 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6425
2025-04-22 11:02:05,970 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.225 for task #6318907
2025-04-22 11:02:06,707 [cuckoo.core.scheduler] DEBUG: Released database task #6318907
2025-04-22 11:02:06,944 [cuckoo.core.scheduler] INFO: Task #6318907: analysis procedure completed

Signatures

Yara rules detected for file (10 events)
description (no description) rule APT32_KerrDown
description (no description) rule GenerateTLSClientHelloPacket_Test
description (no description) rule Check_OutputDebugStringA_iat
description Checks if being debugged rule anti_dbg
description Listen for incoming communication rule network_tcp_listen
description Communications over RAW socket rule network_tcp_socket
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Affect system registries rule win_registry
description Affect private profile rule win_private_profile
The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)
section .data1
section .fptable
Foreign language identified in PE resource (50 out of 74 events)
name RT_CURSOR language LANG_KOREAN filetype AmigaOS bitmap font "(", fc_YSize 0, 3840 elements, 2nd "", 3rd "" sublanguage SUBLANG_KOREAN offset 0x003b78c0 size 0x00000cac
name RT_ICON language LANG_KOREAN filetype Device independent bitmap graphic, 48 x 96 x 32, image size 9600 sublanguage SUBLANG_KOREAN offset 0x003eb500 size 0x000025a8
name RT_DIALOG language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x003afea0 size 0x000000c0
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x003eddd8 size 0x000000d0
name RT_GROUP_CURSOR language LANG_KOREAN filetype Lotus unknown worksheet or configuration, revision 0x1 sublanguage SUBLANG_KOREAN offset 0x003b8570 size 0x00000014
File has been identified by at least one AntiVirus engine on IRMA as malicious (1 event)
Avast Core Security (Linux) Win32:Evo-gen [Trj]
File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)
Cylance Unsafe
Elastic malicious (moderate confidence)
Avast Win32:Evo-gen [Trj]
McAfeeD ti!4865A75F4EE9
Google Detected
Antiy-AVL Trojan/Win32.Agent
GData Win32.Trojan.Agent.WZIDD5
McAfee Artemis!1E2759CE8CF3
DeepInstinct MALICIOUS
Malwarebytes Malware.AI.2532019707
Ikarus Trojan.Win32.Generic
AVG Win32:Evo-gen [Trj]
Screenshots

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status Action VT Location
No hosts contacted.