Summary | ZeroBOX

PKL.exe

PE32 PE File
Category FILE
Machine s1_win7_x6401
Started May 28, 2021, 8:04 a.m.
Completed May 28, 2021, 8:06 a.m.
Size 84.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b375d47d63b41b7e1aca548742b01382
SHA256 ef84e13a9a79dd2831474febccbc8a107a1b92d37fd8a6e26669d851835ddfc2
CRC32 2C59209E
ssdeep 768:1cnpIFooimo5FSc0914v76Z2mCgE/GyvQzWaTSjYgHgnzZm9UGTw9G8jckaQR9BJ:mngdo5011nVCruwpeSrHgnzUfTRrjM
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status
164.124.101.2 Active

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74d483ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74de01fe
RegSetValueA+0x4d4 GetServiceKeyNameA-0x87f advapi32+0x61315 @ 0x754a1315
ConvertSidToStringSidA+0x78e4 NotifyChangeEventLog-0x7635 advapi32+0x3920e @ 0x7547920e
New_advapi32_RegDeleteKeyW@8+0x3a New_advapi32_RegDeleteValueA@8-0x126 @ 0x73cb2dd1
RegDeleteKeyA+0x32 NotifyServiceStatusChangeA-0x438b advapi32+0x2a8e9 @ 0x7546a8e9
New_advapi32_RegDeleteKeyA@8+0xe4 New_advapi32_RegDeleteKeyW@8-0x7c @ 0x73cb2d1b
pkl+0xe349 @ 0x40e349
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
pkl+0x20e0 @ 0x4020e0
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
IID_IVbaHost+0x3b77 UserDllMain-0x61740 msvbvm60+0x321b7 @ 0x729721b7
IID_IVbaHost+0x386d UserDllMain-0x61a4a msvbvm60+0x31ead @ 0x72971ead
IID_IVbaHost+0x36291 UserDllMain-0x2f026 msvbvm60+0x648d1 @ 0x729a48d1
IID_IVbaHost+0x418d8 UserDllMain-0x239df msvbvm60+0x6ff18 @ 0x729aff18
BASIC_CLASS_Release+0xfcaa IID_IVbaHost-0xff3d msvbvm60+0x1e703 @ 0x7295e703
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
pkl+0x14ba @ 0x4014ba
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x74d483d2
registers.esp: 1632780
registers.edi: 1967652752
registers.eax: 48768
registers.ebp: 1632820
registers.edx: 0
registers.ebx: 1633920
registers.esi: 1
registers.ecx: 48768
Status 1 Return 0 Repeated 0

__exception__

stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x74d483ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x74de01fe
RegSetValueA+0x224 GetServiceKeyNameA-0xb2f advapi32+0x61065 @ 0x754a1065
ConvertSidToStringSidA+0x7931 NotifyChangeEventLog-0x75e8 advapi32+0x3925b @ 0x7547925b
New_advapi32_RegDeleteKeyW@8+0x3a New_advapi32_RegDeleteValueA@8-0x126 @ 0x73cb2dd1
RegDeleteKeyA+0x32 NotifyServiceStatusChangeA-0x438b advapi32+0x2a8e9 @ 0x7546a8e9
New_advapi32_RegDeleteKeyA@8+0xe4 New_advapi32_RegDeleteKeyW@8-0x7c @ 0x73cb2d1b
pkl+0xe349 @ 0x40e349
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
pkl+0x20e0 @ 0x4020e0
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
IID_IVbaHost+0x3b77 UserDllMain-0x61740 msvbvm60+0x321b7 @ 0x729721b7
IID_IVbaHost+0x386d UserDllMain-0x61a4a msvbvm60+0x31ead @ 0x72971ead
IID_IVbaHost+0x36291 UserDllMain-0x2f026 msvbvm60+0x648d1 @ 0x729a48d1
IID_IVbaHost+0x418d8 UserDllMain-0x239df msvbvm60+0x6ff18 @ 0x729aff18
BASIC_CLASS_Release+0xfcaa IID_IVbaHost-0xff3d msvbvm60+0x1e703 @ 0x7295e703
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
pkl+0x14ba @ 0x4014ba
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x74d483d2
registers.esp: 1632780
registers.edi: 1967651576
registers.eax: 48768
registers.ebp: 1632820
registers.edx: 0
registers.ebx: 1633920
registers.esi: 1
registers.ecx: 48768
Status 1 Return 0 Repeated 0
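Both exception records above fault on the same instruction, cmp dword ptr [eax + 4], 0xfedcba98, with the same eax (48768 = 0xbe80), so the read of [eax + 4] touched 0xbe84, inside the first 64 KB of user space that Windows never maps: the registry RPC stub reached from RegDeleteKeyA handed rpcrt4's NDRCContextBinding a context-handle value that is not a pointer. Read the frames with that in mind: the sandbox labels each return address with the nearest exported symbol plus an offset, so ConvertSidToStringSidA+0x78e4 and NotifyChangeEventLog-0x7635 name the same unexported advapi32 routine and say nothing about SIDs or event logs; only the module names and the leaf function are literal. The script below is an added example, not ZeroBOX code: it parses the record as printed, evaluates the memory operand against the register dump and classifies the fault. The 64 KB null-page limit and the verdict strings are assumptions of mine.

```python
"""Effective-address check for a Cuckoo/ZeroBOX __exception__ record.

Added example, not part of the report or of the ZeroBOX tooling. It takes the
register dump and the faulting instruction exactly as the report prints them
and works out which address the memory operand dereferenced, which the report
itself does not state. NULL_PAGE_LIMIT and the verdict names are my own.
"""
import re

# Transcribed from the first __exception__ block above (constructed input).
SAMPLE_EXCEPTION = """\
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.address: 0x74d483d2
registers.esp: 1632780
registers.edi: 1967652752
registers.eax: 48768
registers.ebp: 1632820
registers.edx: 0
registers.ebx: 1633920
registers.esi: 1
registers.ecx: 48768
"""

STATUS_ACCESS_VIOLATION = 0xC0000005
NULL_PAGE_LIMIT = 0x10000   # Windows never maps the first 64 KB of user space

# x86 memory operand as the report's disassembler prints it:
# [base (+ index*scale) (+/- displacement)]
_MEM_OPERAND = re.compile(
    r"\[\s*(?P<base>e[a-z]{2})"
    r"(?:\s*\+\s*(?P<index>e[a-z]{2})(?:\s*\*\s*(?P<scale>[1248]))?)?"
    r"(?:\s*(?P<sign>[+-])\s*(?P<disp>0x[0-9a-f]+|\d+))?\s*\]",
    re.I,
)


def _num(s):
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def parse_record(text):
    """'registers.eax: 48768' -> rec['eax'] = 48768; other keys kept as strings."""
    rec = {}
    for line in text.strip().splitlines():
        key, _, raw = line.partition(":")
        key, raw = key.strip(), raw.strip()
        if key.startswith("registers."):
            rec[key[len("registers."):]] = _num(raw)
        else:
            rec[key] = raw
    return rec


def effective_address(instruction, regs):
    """Address touched by the first memory operand, or None if there is none."""
    m = _MEM_OPERAND.search(instruction)
    if not m:
        return None
    addr = regs[m["base"].lower()]
    if m["index"]:
        addr += regs[m["index"].lower()] * int(m["scale"] or 1)
    if m["disp"]:
        disp = _num(m["disp"])
        addr += -disp if m["sign"] == "-" else disp
    return addr & 0xFFFFFFFF


def classify(rec):
    """Coarse verdict: bogus small-integer pointer, or something that needs a closer look."""
    if _num(rec["exception.exception_code"]) != STATUS_ACCESS_VIOLATION:
        return "not-access-violation"
    addr = effective_address(rec["exception.instruction"], rec)
    if addr is None:
        return "av-no-memory-operand"   # fault on the instruction fetch itself, etc.
    if addr < NULL_PAGE_LIMIT:
        return "av-null-page-deref"     # a non-pointer value used as a pointer
    return "av-other"


if __name__ == "__main__":
    rec = parse_record(SAMPLE_EXCEPTION)
    ea = effective_address(rec["exception.instruction"], rec)
    print(f"{rec['exception.module']} @ {rec['exception.address']}: operand address {ea:#x} -> {classify(rec)}")
```

For this report the result is av-null-page-deref at 0xbe84. That verdict separates a crashing bug in the sample (or in how it drives advapi32) from a memory-corruption crash that would deserve an exploit-development look; it does not by itself say whether the crash is deliberate anti-analysis behaviour.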
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d72000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtAllocateVirtualMemory

process_identifier: 2216
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02380000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtProtectVirtualMemory

process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 876544
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773b0000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtProtectVirtualMemory

process_identifier: 804
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 876544
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773b0000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00500000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0
Time & API Arguments Status Return Repeated

EnumServicesStatusA

service_handle: 0x002d2ca0
service_type: 48
service_status: 3
0 0
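The memory calls above show four PAGE_EXECUTE_READWRITE changes (one fresh 48 KB commit at 0x02380000, a 4 KB page in a loaded module, and 876544-byte re-protections of the same 0x773b0000 region from two different processes, 2216 and 804) plus one PAGE_EXECUTE_READ change at 0x00500000 that the monitor tagged heap_dep_bypass. The stack_dep_bypass, stack_pivoted and heap_dep_bypass fields are the sandbox monitor's own heuristic flags, not API arguments. The script below is an added example, not ZeroBOX code: it parses records in the report's key: value layout and reduces them to the three findings a triager wants first (RWX regions, DEP-bypass flags, and one region made executable from more than one process). The finding names and the cross-process rule are my own.

```python
"""Memory-protection triage over Cuckoo/ZeroBOX-style API call records.

Added example, not part of the report or the ZeroBOX tooling. SAMPLE_RECORDS is
transcribed from the five memory calls above (constructed input); finding names
and the "same region executable in two processes" rule are my own choices.
"""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
MEMORY_APIS = {"NtAllocateVirtualMemory", "NtProtectVirtualMemory"}
BYPASS_FLAGS = ("stack_dep_bypass", "stack_pivoted", "heap_dep_bypass")

SAMPLE_RECORDS = """\
NtProtectVirtualMemory
process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d72000
process_handle: 0xffffffff

NtAllocateVirtualMemory
process_identifier: 2216
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02380000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff

NtProtectVirtualMemory
process_identifier: 2216
length: 876544
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773b0000
process_handle: 0xffffffff

NtProtectVirtualMemory
process_identifier: 804
length: 876544
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773b0000
process_handle: 0xffffffff

NtProtectVirtualMemory
process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00500000
process_handle: 0xffffffff
"""
# (zero-valued flag lines were dropped from the two 0x773b0000 records to save space)

_NUM = re.compile(r"^(0x[0-9a-fA-F]+|\d+)")


def _value(raw):
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x773b0000' -> int, otherwise the string."""
    m = _NUM.match(raw.strip())
    if not m:
        return raw.strip()
    s = m.group(1)
    return int(s, 16) if s.startswith("0x") else int(s)


def parse_records(text):
    """One dict per blank-line-separated call; the first line is the API name."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        rec = {"api": lines[0]}
        for line in lines[1:]:
            key, _, raw = line.partition(":")
            rec[key.strip()] = _value(raw)
        records.append(rec)
    return records


def triage(records):
    findings = []
    executable_regions = defaultdict(set)   # base_address -> pids that made it executable
    for r in records:
        if r.get("api") not in MEMORY_APIS or r.get("protection") not in EXECUTABLE:
            continue
        pid, base = r["process_identifier"], r["base_address"]
        size = r.get("length", r.get("region_size"))
        executable_regions[base].add(pid)
        if r["protection"] == PAGE_EXECUTE_READWRITE:
            findings.append({"kind": "rwx", "pid": pid, "base": base, "size": size})
        if any(r.get(flag) for flag in BYPASS_FLAGS):   # monitor's own heuristic flags
            findings.append({"kind": "dep-bypass", "pid": pid, "base": base, "size": size})
    for base, pids in executable_regions.items():
        if len(pids) > 1:   # same region made executable by two processes: injection candidate
            findings.append({"kind": "cross-process", "pid": sorted(pids), "base": base, "size": None})
    return findings


def summarize(findings):
    return {k: sum(1 for f in findings if f["kind"] == k) for k in ("rwx", "dep-bypass", "cross-process")}
```

Run it against the report and the cross-process finding is the one to chase first: a second process (804) applying the same 876544-byte RWX change to the same base as the sample's own process (2216) is the pattern of a payload copied into another process, although the report itself does not name the module at 0x773b0000 or say how 804 was reached.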
Antivirus Result
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.75481
FireEye Generic.mg.b375d47d63b41b7e
CAT-QuickHeal Trojan.Multi
Malwarebytes Trojan.MalPack.VB
K7AntiVirus Trojan ( 0057cff61 )
Alibaba Trojan:Win32/Injector.04462a84
K7GW Trojan ( 0057cff61 )
BitDefenderTheta Gen:NN.ZevbaF.34692.fm0@aC5ms3di
Cyren W32/VB.TF.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.EPKF
APEX Malicious
Paloalto generic.ml
ClamAV Win.Dropper.Vebzenpak-9865056-0
Kaspersky Backdoor.MSIL.NanoBot.bemw
BitDefender Trojan.GenericKDZ.75481
AegisLab Trojan.Multi.Generic.4!c
Rising Trojan.Injector!8.C4 (CLOUD)
Ad-Aware Trojan.GenericKDZ.75481
Sophos Mal/Generic-S
McAfee-GW-Edition PWS-FCZE!B375D47D63B4
Emsisoft Trojan.GenericKDZ.75481 (B)
SentinelOne Static AI - Suspicious PE
MAX malware (ai score=85)
Microsoft Trojan:Win32/Wacatac.B!ml
GData Trojan.GenericKDZ.75481
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.R422703
TrendMicro-HouseCall TROJ_GEN.R002H0CEQ21
Yandex Trojan.AvsArher.bTx33N
Ikarus Trojan.VB.Crypt
Fortinet W32/Injector.EPKFTR
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_60% (W)
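The labels above agree only loosely: four engines name an Injector family, Kaspersky says NanoBot, Microsoft says Wacatac, and the rest are generic, heuristic or ML verdicts. The five identical Trojan.GenericKDZ.75481 lines are not five opinions either: MicroWorld-eScan, Ad-Aware, Emsisoft and GData are widely known to license the BitDefender engine, so that row counts once. The script below is an added example, not ZeroBOX code: it applies an AVClass-style family vote to the list, treating each vendor as one voter per token and dropping generic words. The stop-word list and the four-letter minimum are my own simplifications, not the AVClass implementation, and the per-vendor labels are transcribed from the table above as constructed input.

```python
"""AVClass-style family consensus over the vendor labels above.

Added example, not ZeroBOX output. SAMPLE_LABELS is transcribed from the report
(constructed input). GENERIC, the "generic*" prefix rule and the four-letter
minimum are my own simplifications of the AVClass tokenizer.
"""
import re
from collections import Counter

SAMPLE_LABELS = """\
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.75481
FireEye Generic.mg.b375d47d63b41b7e
CAT-QuickHeal Trojan.Multi
Malwarebytes Trojan.MalPack.VB
K7AntiVirus Trojan ( 0057cff61 )
Alibaba Trojan:Win32/Injector.04462a84
K7GW Trojan ( 0057cff61 )
BitDefenderTheta Gen:NN.ZevbaF.34692.fm0@aC5ms3di
Cyren W32/VB.TF.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.EPKF
APEX Malicious
Paloalto generic.ml
ClamAV Win.Dropper.Vebzenpak-9865056-0
Kaspersky Backdoor.MSIL.NanoBot.bemw
BitDefender Trojan.GenericKDZ.75481
AegisLab Trojan.Multi.Generic.4!c
Rising Trojan.Injector!8.C4 (CLOUD)
Ad-Aware Trojan.GenericKDZ.75481
Sophos Mal/Generic-S
McAfee-GW-Edition PWS-FCZE!B375D47D63B4
Emsisoft Trojan.GenericKDZ.75481 (B)
SentinelOne Static AI - Suspicious PE
MAX malware (ai score=85)
Microsoft Trojan:Win32/Wacatac.B!ml
GData Trojan.GenericKDZ.75481
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.R422703
TrendMicro-HouseCall TROJ_GEN.R002H0CEQ21
Yandex Trojan.AvsArher.bTx33N
Ikarus Trojan.VB.Crypt
Fortinet W32/Injector.EPKFTR
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_60% (W)
"""

# Category, platform and heuristic words that carry no family information (my list).
GENERIC = {
    "trojan", "troj", "backdoor", "dropper", "malware", "malicious", "suspicious",
    "variant", "cloud", "high", "confidence", "highconfidence", "attribute", "static",
    "score", "multi", "crypt", "malpack", "aidetect", "eldorado", "msil", "win32",
}


def tokens(label):
    """Candidate family tokens of one label: letters only, >= 4 chars, not generic."""
    out = set()
    for tok in re.split(r"[^a-z]+", label.lower()):
        if len(tok) < 4 or tok in GENERIC or tok.startswith("generic"):
            continue
        out.add(tok)
    return out


def parse_labels(text):
    """'Vendor label text' lines -> [(vendor, label), ...]."""
    rows = []
    for line in text.strip().splitlines():
        vendor, _, label = line.partition(" ")
        rows.append((vendor, label.strip()))
    return rows


def family_consensus(rows, min_vendors=2):
    """Tokens named by at least min_vendors vendors, most agreed first."""
    votes = Counter()
    for _, label in rows:
        votes.update(tokens(label))   # a set, so one vote per vendor per token
    return [(tok, n) for tok, n in votes.most_common() if n >= min_vendors]


if __name__ == "__main__":
    print(family_consensus(parse_labels(SAMPLE_LABELS)))
```

With the list above the only token that clears two vendors is injector (4), which is consistent with the packer/loader hint in the VB-related labels; NanoBot, Wacatac and the rest stay single votes and should be treated as leads to confirm from the sandbox behaviour, not as a family call.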