Summary

44b355b93ca69a24573eba2331e3864f6fad0a76baf69bb0013297864fd08ba6

File 44b355b93ca69a24573eba2331e3864f6fad0a76baf69bb0013297864fd08ba6

Summary
Download Resubmit sample

Size 65.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5 d862bea90e5b25f21cafa58b5f79dd50
SHA1 272c9abfdb9ad4521019e280e827d5a76711bad3
SHA256 44b355b93ca69a24573eba2331e3864f6fad0a76baf69bb0013297864fd08ba6
SHA512
53c00c57e2b7c33d2b88d9b5d9107bc4ef38863719b85e3f8a4a51d53894af26a109a112769340f2718d77293d4a21796eda2d59a0f80650369a8dcf6b226b18
CRC32 868899EB
ssdeep None
Yara
  • suspicious_packer_section - The packer/protector section names/keywords

Score

This file is very suspicious, with a score of 9.6 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis
Category Started Completed Duration Routing Logs
FILE June 21, 2025, 12:25 p.m. June 21, 2025, 12:30 p.m. 347 seconds internet Show Analyzer Log
Show Cuckoo Log

Analyzer Log

2025-06-20 15:40:44,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpdrdvpd
2025-06-20 15:40:44,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\jKmlpAiIWZZIJBiZDAiVJZzn
2025-06-20 15:40:44,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\pvZWURjWokBPawMopNjGeEA
2025-06-20 15:40:44,280 [analyzer] DEBUG: Started auxiliary module Curtain
2025-06-20 15:40:44,280 [analyzer] DEBUG: Started auxiliary module DbgView
2025-06-20 15:40:44,842 [analyzer] DEBUG: Started auxiliary module Disguise
2025-06-20 15:40:45,046 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-06-20 15:40:45,046 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-06-20 15:40:45,046 [analyzer] DEBUG: Started auxiliary module Human
2025-06-20 15:40:45,046 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-06-20 15:40:45,046 [analyzer] DEBUG: Started auxiliary module Reboot
2025-06-20 15:40:45,125 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-06-20 15:40:45,125 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-06-20 15:40:45,125 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-06-20 15:40:45,125 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-06-20 15:40:45,265 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\44b355b93ca69a24573eba2331e3864f6fad0a76baf69bb0013297864fd08ba6.exe' with arguments '' and pid 2312
2025-06-20 15:40:45,421 [analyzer] DEBUG: Loaded monitor into process with pid 2312
2025-06-20 15:40:46,265 [analyzer] INFO: Process with pid 2312 has terminated
2025-06-20 15:40:46,265 [analyzer] INFO: Process list is empty, terminating analysis.
2025-06-20 15:40:47,453 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-06-20 15:40:47,453 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-06-21 12:25:11,933 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:12,969 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:13,999 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:15,024 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:16,051 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:17,077 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:18,103 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:19,452 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:20,504 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:21,551 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:22,594 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:23,658 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:24,701 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:25,730 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:27,103 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:29,255 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:30,381 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:31,502 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:32,595 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:33,686 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:35,020 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:36,171 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:37,447 [cuckoo.core.scheduler] DEBUG: Task #6570697: no machine available yet
2025-06-21 12:25:38,620 [cuckoo.core.scheduler] INFO: Task #6570697: acquired machine win7x6412 (label=win7x6412)
2025-06-21 12:25:38,627 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.212 for task #6570697
2025-06-21 12:25:39,208 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 270445 (interface=vboxnet0, host=192.168.168.212)
2025-06-21 12:25:39,832 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6412
2025-06-21 12:25:40,833 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6412 to vmcloak
2025-06-21 12:28:44,626 [cuckoo.core.guest] INFO: Starting analysis #6570697 on guest (id=win7x6412, ip=192.168.168.212)
2025-06-21 12:28:45,632 [cuckoo.core.guest] DEBUG: win7x6412: not ready yet
2025-06-21 12:28:50,656 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6412, ip=192.168.168.212)
2025-06-21 12:28:50,755 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6412, ip=192.168.168.212, monitor=latest, size=6660546)
2025-06-21 12:28:51,971 [cuckoo.core.resultserver] DEBUG: Task #6570697: live log analysis.log initialized.
2025-06-21 12:28:52,958 [cuckoo.core.resultserver] DEBUG: Task #6570697 is sending a BSON stream
2025-06-21 12:28:53,316 [cuckoo.core.resultserver] DEBUG: Task #6570697 is sending a BSON stream
2025-06-21 12:28:54,218 [cuckoo.core.resultserver] DEBUG: Task #6570697: File upload for 'shots/0001.jpg'
2025-06-21 12:28:54,232 [cuckoo.core.resultserver] DEBUG: Task #6570697 uploaded file length: 133465
2025-06-21 12:28:55,325 [cuckoo.core.resultserver] DEBUG: Task #6570697: File upload for 'curtain/1750426847.34.curtain.log'
2025-06-21 12:28:55,328 [cuckoo.core.resultserver] DEBUG: Task #6570697 uploaded file length: 36
2025-06-21 12:28:55,426 [cuckoo.core.resultserver] DEBUG: Task #6570697: File upload for 'sysmon/1750426847.44.sysmon.xml'
2025-06-21 12:28:55,432 [cuckoo.core.resultserver] DEBUG: Task #6570697 uploaded file length: 291010
2025-06-21 12:28:56,296 [cuckoo.core.resultserver] DEBUG: Task #6570697 had connection reset for <Context for LOG>
2025-06-21 12:28:57,603 [cuckoo.core.guest] INFO: win7x6412: analysis completed successfully
2025-06-21 12:28:57,620 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-06-21 12:28:57,656 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-06-21 12:28:59,626 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6412 to path /srv/cuckoo/cwd/storage/analyses/6570697/memory.dmp
2025-06-21 12:28:59,633 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6412
2025-06-21 12:30:57,953 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.212 for task #6570697
2025-06-21 12:30:58,576 [cuckoo.core.scheduler] DEBUG: Released database task #6570697
2025-06-21 12:30:58,639 [cuckoo.core.scheduler] INFO: Task #6570697: analysis procedure completed

Signatures

Yara rule detected for file (1 event)
description The packer/protector section names/keywords rule suspicious_packer_section
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2312
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .cikos
The executable uses a known packer (1 event)
packer PECompact 2.xx --> BitSum Technologies
One or more processes crashed (2 events)
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x76f19f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x76f19f45

exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 e7 25 fd
exception.symbol: 44b355b93ca69a24573eba2331e3864f6fad0a76baf69bb0013297864fd08ba6+0x3686
exception.instruction: mov dword ptr [eax], ecx
exception.module: 44b355b93ca69a24573eba2331e3864f6fad0a76baf69bb0013297864fd08ba6.exe
exception.exception_code: 0xc0000005
exception.offset: 13958
exception.address: 0x403686
registers.esp: 1638276
registers.edi: 0
registers.eax: 0
registers.ebp: 1638292
registers.edx: 4208240
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0x4c2032
0x4c1a77

exception.instruction_r: 91 4b 9a e7 59 27 e2 e9 51 b9 9c 32 c1 19 ad e6
exception.instruction: xchg eax, ecx
exception.exception_code: 0x80000004
exception.symbol:
exception.address: 0x4c0033
registers.esp: 1638120
registers.edi: 4981812
registers.eax: 4980777
registers.ebp: 1638164
registers.edx: 2990
registers.ebx: 3065104
registers.esi: 4981811
registers.ecx: 2991
1 0 0
The binary likely contains encrypted or compressed data indicative of a packer (3 events)
section {u'size_of_data': u'0x0000c600', u'virtual_address': u'0x00001000', u'entropy': 7.996272003769068, u'name': u'.cikos', u'virtual_size': u'0x0002e000'} entropy 7.99627200377 description A section with a high entropy has been found
section {u'size_of_data': u'0x00002000', u'virtual_address': u'0x0002f000', u'entropy': 7.547695357338245, u'name': u'.rsrc', u'virtual_size': u'0x00002000'} entropy 7.54769535734 description A section with a high entropy has been found
entropy 1.0 description Overall entropy of this PE file is high
File has been identified by 12 AntiVirus engine on IRMA as malicious (12 events)
G Data Antivirus (Windows) Virus: Trojan.Agent.EVKN (Engine A)
Avast Core Security (Linux) Win32:Evo-gen [Trj]
C4S ClamAV (Linux) Win.Malware.Swisyn-6911464-0
Trellix (Linux) W32/Swisyn.ag virus
WithSecure (Linux) Trojan.TR/Crypt.PEPM.Gen
eScan Antivirus (Linux) Trojan.Agent.EVKN(DB)
ESET Security (Windows) Win32/VB.OSK trojan
Sophos Anti-Virus (Linux) Troj/VB-JVT
DrWeb Antivirus (Linux) Trojan.Siggen6.54687
ClamAV (Linux) Win.Malware.Swisyn-6911464-0
Bitdefender Antivirus (Linux) Trojan.Agent.EVKN
Emsisoft Commandline Scanner (Windows) Trojan.Agent.EVKN (B)
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.
Cuckoo

We're processing your submission... This could take a few seconds.