Summary | ZeroBOX

0504.gif

Category: FILE
Machine: s1_win7_x6401
Started: April 6, 2021, 1:28 p.m.
Completed: April 6, 2021, 1:30 p.m.

Size: 117.3KB
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 937e2c551368757c5e3c3598c41ea7d9
SHA256: cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5
CRC32: 0F7C0431
ssdeep: 1536:tm15JsYYm3GCVS7ZicTJzRVd620ZmB9RMli0msUdqZEACW4jySTLW:eLsacThRVd6pmBPM07vYZEA4/W
Yara
  • PE_Header_Zero - PE File Signature Zero
  • IsPE32 - (no description)
  • IsDLL - (no description)
  • IsWindowsGUI - (no description)
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check

Name / Response / Post-Analysis Lookup: No hosts contacted.

IP Address: 164.124.101.2
Status: Active
Action: Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .code

Time & API / Arguments / Status / Return / Repeated

NtProtectVirtualMemory
  process_identifier: 1896
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x1001f000
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory
  process_identifier: 1896
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x756a1000
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory
  process_identifier: 1896
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x73d11000
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory
  process_identifier: 1896
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x73cf1000
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory
  process_identifier: 1896
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x73cb1000
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory
  process_identifier: 1896
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x72a41000
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0

NtAllocateVirtualMemory
  process_identifier: 1896
  region_size: 131072
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00380000
  allocation_type: 4096 (MEM_COMMIT)
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory
  process_identifier: 1896
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 131072
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x10000000
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0

Antivirus / Result
Elastic: malicious (high confidence)
FireEye: Generic.mg.937e2c551368757c
McAfee: Artemis!937E2C551368
Cylance: Unsafe
Sangfor: Trojan.Win32.Save.a
ESET-NOD32: a variant of Win32/Kryptik.HJZU
APEX: Malicious
BitDefender: Gen:Variant.Graftor.937823
NANO-Antivirus: Virus.Win32.Gen.ccmw
Sophos: ML/PE-A + Mal/EncPk-APW
McAfee-GW-Edition: BehavesLike.Win32.Dropper.ch
Microsoft: Worm:Win32/Gamarue!ml
GData: Gen:Variant.Graftor.937823
Cynet: Malicious (score: 100)
VBA32: BScope.Malware-Cryptor.MTA
Rising: Trojan.Kryptik!8.8 (RDMK:cmRtazrxx4p/WNInKcZKXPPcFSZ9)
SentinelOne: Static AI - Malicious PE
Fortinet: W32/GenKryptik.FCLW!tr
Qihoo-360: HEUR/QVM40.1.641B.Malware.Gen