Summary | ZeroBOX

XyliBot.exe

NPKI VMProtect Admin Tool (Sysinternals etc ...) PE32 PE File
Category FILE
Machine s1_win7_x6401
Started June 25, 2021, 3:16 p.m.
Completed June 25, 2021, 3:24 p.m.
Size 7.6MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 51707a312ec0701a9d63f87259ab6657
SHA256 be5abd65ddbe919fb56b35427c73544aed9b37082a169a162b00bfb8b07ef943
CRC32 96B40914
ssdeep 196608:PlvV4N05bH2UBGKJ3jBb5Nvj/mAiIdEsXKvyjoZU:PlvV4NfO939TvLmsEOKD
Yara
  • NPKI_Zero - File included NPKI
  • VMProtect_Zero - VMProtect packed file
  • IsPE32 - (no description)
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .itext
section .didata
section .vmp0
section .vmp1
section .debug
section .vmp2
section .vmp3
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
TMethodImplementationIntercept+0x225356 dbkFCallWrapperAddr-0xe5a66 xylibot+0x302bd6 @ 0x702bd6
TMethodImplementationIntercept+0x225356 dbkFCallWrapperAddr-0xe5a66 xylibot+0x302bd6 @ 0x702bd6
TMethodImplementationIntercept+0x22898e dbkFCallWrapperAddr-0xe242e xylibot+0x30620e @ 0x70620e
TMethodImplementationIntercept+0x296617 dbkFCallWrapperAddr-0x747a5 xylibot+0x373e97 @ 0x773e97
TMethodImplementationIntercept+0x13df07 dbkFCallWrapperAddr-0x1cceb5 xylibot+0x21b787 @ 0x61b787
TMethodImplementationIntercept+0x79f0d dbkFCallWrapperAddr-0x290eaf xylibot+0x15778d @ 0x55778d
TMethodImplementationIntercept+0x7e9c4 dbkFCallWrapperAddr-0x28c3f8 xylibot+0x15c244 @ 0x55c244
TMethodImplementationIntercept+0x13e9d6 dbkFCallWrapperAddr-0x1cc3e6 xylibot+0x21c256 @ 0x61c256
TMethodImplementationIntercept+0x79b47 dbkFCallWrapperAddr-0x291275 xylibot+0x1573c7 @ 0x5573c7
TMethodImplementationIntercept+0x7dd3a dbkFCallWrapperAddr-0x28d082 xylibot+0x15b5ba @ 0x55b5ba
TMethodImplementationIntercept+0x7de49 dbkFCallWrapperAddr-0x28cf73 xylibot+0x15b6c9 @ 0x55b6c9
TMethodImplementationIntercept+0x80ab7 dbkFCallWrapperAddr-0x28a305 xylibot+0x15e337 @ 0x55e337
TMethodImplementationIntercept+0x7e9c4 dbkFCallWrapperAddr-0x28c3f8 xylibot+0x15c244 @ 0x55c244
TMethodImplementationIntercept+0x13e9d6 dbkFCallWrapperAddr-0x1cc3e6 xylibot+0x21c256 @ 0x61c256
TMethodImplementationIntercept+0x79b47 dbkFCallWrapperAddr-0x291275 xylibot+0x1573c7 @ 0x5573c7
TMethodImplementationIntercept+0x7857f dbkFCallWrapperAddr-0x29283d xylibot+0x155dff @ 0x555dff
TMethodImplementationIntercept+0x2f926f dbkFCallWrapperAddr-0x11b4d xylibot+0x3d6aef @ 0x7d6aef
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1635136
registers.edi: 59964464
registers.eax: 1635136
registers.ebp: 1635216
registers.edx: 0
registers.ebx: 7351254
registers.esi: 7351254
registers.ecx: 7
status: 1 return: 0 repeated: 0
NtProtectVirtualMemory

process_identifier: 3024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4009984
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 3024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007d4000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 3024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77530000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 3024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76ac0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 3024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72af2000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 3024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03870000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 3024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05440000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
section .vmp3 (virtual_address 0x0137d000, virtual_size 0x00787dd8, size_of_data 0x00787e00, entropy 7.927233820817832) description A section with a high entropy has been found
entropy 0.991131675342 description Overall entropy of this PE file is high
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
section .vmp2 description Section name indicates VMProtect
section .vmp3 description Section name indicates VMProtect
Elastic malicious (high confidence)
FireEye Generic.mg.51707a312ec0701a
Cylance Unsafe
Cybereason malicious.12ec07
Symantec ML.Attribute.HighConfidence
APEX Malicious
Sophos ML/PE-A
McAfee-GW-Edition BehavesLike.Win32.Generic.wc
Gridinsoft Trojan.Heur!.03252021
Microsoft Program:Win32/Wacapew.C!ml
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win.Reputation.C4390070
Malwarebytes Malware.AI.3417989762
Rising Malware.Heuristic!ET#88% (RDMK:cmRtazp0SVt22MTEXjkqrmxWs2tJ)
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_99%
BitDefenderTheta Gen:NN.ZexaF.34758.@@0@aGQ3W2ni
MaxSecure Trojan.Malware.300983.susgen