Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe
11.15 01:11
msf.exe
11.15 01:11
lum250.exe
11.15 01:11
msf443.exe
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe

Latest News
11.15 04:11
LG유플러스, 네트워크 협력사와 동반성장...
11.15 04:11
중고 골프채 사이트 1등골프, 인기 브랜...
11.15 04:11
Safeguarding Healthcar...
11.15 04:11
Musk’s X Sues to Block...
11.15 04:11
[CEO 보안칼럼] “다윗은 언제나 골리...
11.15 04:11
자민경 달팽이 크림, PX 누적 판매 1...
11.15 04:11
라쿠텐·쉽너지, 일본 역직구 판매자 위한...
11.15 04:11
명지대, 서울마이칼리지 점프업 사업 ‘서...
11.15 04:11
JioStar Eyes India Str...
11.15 04:11
Meta to Appeal Orders ...

Summary | ZeroBOX

dol.exe

Malicious Library UPX OS Processor Check PE32 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 4, 2021, 9:30 a.m.	Aug. 4, 2021, 9:44 a.m.

Size	685.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`88c0c0351d382b0f70cc2fc739a69a2d`
SHA256	`08321ed32c6805bb09065e8f43be2696404e74498c3ad3fb67a9c61d1bad13d4`
CRC32	`3CFB7933`
ssdeep	`12288:jyAkEAFDuXxqh+3VMbFE+Q4Fepf92Tbv+hf:OFEgD+qhUaE74Fe6Tbv+t`
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

dol.exe "C:\Users\test22\AppData\Local\Temp\dol.exe"
2212

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.67.188.154	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 4, 2021, 9:30 a.m.	process_identifier: 2212 stack_dep_bypass: 1 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033f000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 4, 2021, 9:30 a.m.	process_identifier: 2212 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00410000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 4, 2021, 9:30 a.m.	process_identifier: 2212 region_size: 225280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Aug. 4, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 1972 process_handle: 0x000000a8		0	0
NtTerminateProcess Aug. 4, 2021, 9:30 a.m.	status_code: 0x00000000 process_identifier: 1972 process_handle: 0x000000a8	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

172.67.188.154

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Bkav	W32.AIDetect.malware2
FireEye	Generic.mg.88c0c0351d382b0f
Qihoo-360	HEUR/QVM20.1.003F.Malware.Gen
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cyren	W32/Kryptik.EUO.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HLXS
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Sophos	Generic ML PUA (PUA)
McAfee-GW-Edition	BehavesLike.Win32.Generic.jh
SentinelOne	Static AI - Suspicious PE
Microsoft	Program:Win32/Wacapew.C!ml
Cynet	Malicious (score: 100)
VBA32	BScope.Trojan.Vittalia
BitDefenderTheta	Gen:NN.ZexaF.34050.QuZ@aW0wlsoi
AVG	Win32:PWSX-gen [Trj]
MaxSecure	Trojan.Malware.300983.susgen