Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 4, 2021, 5:11 p.m.	Aug. 4, 2021, 5:14 p.m.

Size	904.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`aca0004a4766b519594f96f0e6dd297c`
SHA256	`fb445dfeaec55c1e7096e0fde4d2d48078ad4bdd63220da007581d62f58a6af0`
CRC32	`244C05C4`
ssdeep	`12288:gMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9LeFKH5135Wj:gnsJ39LyjbJkQFMhmC+6GD9EIv35C`
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

virus.exe "C:\Users\test22\AppData\Local\Temp\virus.exe"
768
- ._cache_virus.exe "C:\Users\test22\AppData\Local\Temp\._cache_virus.exe"
  1040

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 4, 2021, 5:11 p.m.	process_identifier: 768 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (12 events)

name

RT_ICON

language

LANG_TURKISH

filetype

dBase IV DBT of @.DBF, block length 8192, next free block index 40

sublanguage

SUBLANG_DEFAULT

offset

0x000b39f8

size

0x000010a8

name

RT_ICON

language

LANG_TURKISH

filetype

dBase IV DBT of @.DBF, block length 8192, next free block index 40

sublanguage

SUBLANG_DEFAULT

offset

0x000b39f8

size

0x000010a8

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000e2bb8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000e2bb8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000e2bb8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000e2bb8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000e2bb8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000e2bb8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000e2bb8

size

0x000047d3

name

RT_RCDATA

language

LANG_TURKISH

filetype

Microsoft Excel 2007+

sublanguage

SUBLANG_DEFAULT

offset

0x000e2bb8

size

0x000047d3

name

RT_GROUP_ICON

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x000e7418

size

0x00000014

name

RT_VERSION

language

LANG_TURKISH

filetype

data

sublanguage

SUBLANG_DEFAULT

offset

0x000e742c

size

0x00000304

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\._cache_virus.exe

Creates a suspicious process (1 event)

cmdline

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\test22\AppData\Local\Temp\._cache_virus.exe"

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 4, 2021, 5:11 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\test22\AppData\Local\Temp\._cache_virus.exe"

Attempts to shutdown or restart the system, generally used for bypassing sandboxing (2 events)

Time & API	Arguments	Status	Return	Repeated
ExitWindowsEx Aug. 4, 2021, 5:11 p.m.	reason: 0 flags: 6		0	0
ExitWindowsEx Aug. 4, 2021, 5:11 p.m.	reason: 0 flags: 6	1	1	0

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver	reg_value	C:\ProgramData\Synaptics\Synaptics.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wininit	reg_value	C:\Users\test22\AppData\Local\Temp\._cache_virus.exe
cmdline	schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\test22\AppData\Local\Temp\._cache_virus.exe"

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\test22\AppData\Local\Temp\._cache_virus.exe"

File has been identified by 63 AntiVirus engines on VirusTotal as malicious (50 out of 63 events)

Bkav	W32.FamVT.GaionLTK.Trojan
Elastic	malicious (high confidence)
MicroWorld-eScan	Dropped:Application.Agent.JUC
CAT-QuickHeal	Sus.Nocivo.E0011
Qihoo-360	HEUR/QVM41.1.06A5.Malware.Gen
McAfee	GenericRXOW-IL!ACA0004A4766
Cylance	Unsafe
Zillya	Trojan.Delf.Win32.76144
Sangfor	Win.Malware.Delf-6899401-0
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Dropped:Application.Agent.JUC
K7GW	Trojan ( 000112511 )
K7AntiVirus	Trojan ( 000112511 )
Arcabit	HEUR.VBA.Trojan.d
Cyren	W32/Backdoor.OAZM-5661
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	Win32/Delf.NBX
APEX	Malicious
ClamAV	Win.Malware.Delf-6899401-0
Kaspersky	Backdoor.Win32.DarkKomet.hqxy
NANO-Antivirus	Trojan.Win32.DarkKomet.fazbwq
ViRobot	Win32.Zorex.A
Avast	Win32:Trojan-gen
Tencent	Virus.Win32.DarkKomet.a
Ad-Aware	Dropped:Application.Agent.JUC
Emsisoft	Dropped:Application.Agent.JUC (B)
Comodo	Virus.Win32.Agent.DE@74b38h
F-Secure	Trojan:W97M/MaliciousMacro.GEN
DrWeb	Trojan.DownLoader22.9658
VIPRE	BehavesLike.Win32.Malware.eah (mx-v)
TrendMicro	Virus.Win32.NAPWHICH.B
McAfee-GW-Edition	BehavesLike.Win32.Generic.dh
FireEye	Generic.mg.aca0004a4766b519
Sophos	Troj/DocDl-JJH
Ikarus	Trojan-Downloader.VBA.Agent
Jiangmin	Win32/Synaptics.Gen
Webroot	W32.Malware.gen
Avira	DR/Delphi.Gen
MAX	malware (ai score=77)
Antiy-AVL	Trojan/Generic.ASMalwS.301B962
Gridinsoft	Malware.Win32.Gen.sm!s1
Microsoft	Worm:Win32/AutoRun!atmn
SUPERAntiSpyware	Adware.FileTour/Variant
ZoneAlarm	Backdoor.Win32.DarkKomet.hqxy
GData	Win32.Backdoor.Agent.AXS
Cynet	Malicious (score: 100)
AhnLab-V3	Win32/Zorex.X1799
Acronis	suspicious
VBA32	TScope.Trojan.Delf
ALYac	Dropped:Application.Agent.JUC

virus.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All