Summary | ZeroBOX

21_Atualizador.GourmetSA.exe

PE32 PE File
Category: FILE
Machine: s1_win7_x6401
Started: June 24, 2021, 7:05 p.m.
Completed: June 24, 2021, 8:46 p.m.
Size: 4.3MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 28db2e73f6e4c8b6106a6826cabe31c7
SHA256: e68fda286eefe045c2cbd33461be3b893b2fe0e79572ca07a16734dec3686cee
CRC32: A48D42DD
ssdeep: 98304:x6MO+EywUhv1BN6f9X2jEm1qA882673uqNYn3XT:x6MUtUhvfwfmZ26Ty
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

DNS (Name / Response / Post-Analysis Lookup): no hosts contacted.
IP Address: 164.124.101.2 (Status: Active, Action: Moloch)

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

IsDebuggerPresent

0 0
resource name DXSKINS
resource name PNG
resource name SVG
resource name UNICODEDATA

__exception__

stacktrace:

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1636792
registers.edi: 50523708
registers.eax: 1636792
registers.ebp: 1636872
registers.edx: 0
registers.ebx: 50523649
registers.esi: 1
registers.ecx: 7
1 0 0

__exception__

stacktrace:

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1634788
registers.edi: 1637472
registers.eax: 1634788
registers.ebp: 1634868
registers.edx: 0
registers.ebx: 50523816
registers.esi: 0
registers.ecx: 7
1 0 0

NtProtectVirtualMemory

process_identifier: 1116
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72a12000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03450000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
section UPX1 (size_of_data 0x00444a00, virtual_address 0x00d66000, virtual_size 0x00445000) entropy 7.92954260155 description A section with a high entropy has been found
entropy 0.985678845286 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
MicroWorld-eScan Gen:Trojan.Heur3.LPT.@pKfaKtADdmSb
McAfee Artemis!28DB2E73F6E4
Sangfor Trojan.Win32.Gen.@pKfaKtADdmSb
BitDefenderTheta AI:Packer.DD3C7E7421
BitDefender Gen:Trojan.Heur3.LPT.@pKfaKtADdmSb
Paloalto generic.ml
Ad-Aware Gen:Trojan.Heur3.LPT.@pKfaKtADdmSb
McAfee-GW-Edition BehavesLike.Win32.PUP.rc
FireEye Gen:Trojan.Heur3.LPT.@pKfaKtADdmSb
Emsisoft Gen:Trojan.Heur3.LPT.@pKfaKtADdmSb (B)
GData Gen:Trojan.Heur3.LPT.@pKfaKtADdmSb
MAX malware (ai score=89)
ALYac Gen:Trojan.Heur3.LPT.@pKfaKtADdmSb
TrendMicro-HouseCall TROJ_GEN.R06CH09FJ21
MaxSecure Trojan.Malware.300983.susgen
Cybereason malicious.3f6e4c