Summary | ZeroBOX

1.exe

PE32 PE File
Category FILE
Machine s1_win7_x6402
Started July 5, 2021, 9:21 a.m.
Completed July 5, 2021, 9:24 a.m.
Size 515.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 7dd61c6a7e7beed8940474434c750877
SHA256 5cac23fe9f8edf06d52ea787cc91b990d8616dae46d1a3afda783ce6fe154469
CRC32 55CE73A7
ssdeep 12288:lfGBwJKPjWbG7fFxI9SteBSBG6DOIjfGi:lOaoqyJxI9TYBxn
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

DNS lookups (Name / Response / Post-Analysis Lookup)
No hosts contacted.

Contacted IP addresses (IP Address / Status / Action)
172.217.25.14 Active Moloch
185.215.113.32 Active Moloch

Suricata Alerts

Flow: TCP 185.215.113.32:4000 -> 192.168.56.102:49809
SID: 2400025
Signature: ET DROP Spamhaus DROP Listed Traffic Inbound group 26
Category: Misc Attack

Suricata TLS

No Suricata TLS

section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
resource name None
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 4244
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 4244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 4244
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00520000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 4244
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00530000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 4244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 28672
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000120
filepath: C:\Windows\Tasks\wow64.job
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Windows\Tasks\wow64.job
create_options: 100 (FILE_NON_DIRECTORY_FILE|FILE_SEQUENTIAL_ONLY|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 5 (FILE_SHARE_READ|FILE_SHARE_DELETE)
status: 1 return: 0 repeated: 0
host 172.217.25.14
host 185.215.113.32
file C:\Windows\Tasks\wow64.job