Summary | ZeroBOX

bin.exe.bin

Malicious Library, UPX, OS Processor Check, PE32, PE File
Category FILE
Machine s1_win7_x6402
Started Aug. 13, 2021, 9:43 a.m.
Completed Aug. 13, 2021, 10:04 a.m.
Size 1.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 fe8953e299b378a06e2345d0ee75f710
SHA256 f847f5c6c64a33516e814a4bbc392ab3a8f0dc331bd24be7fa400bd753a7b20a
CRC32 8504C21B
ssdeep 24576:FusF1d7wswVMxq8NTREEPQp4W+tzFDSZUfTR6eOU:FusFD90MhTREEIp4WQFDSsZn
Yara
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
172.67.188.154 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API GlobalMemoryStatusEx
Status 1, Return 1, Repeated 0
API __exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x763fd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x763f964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x763e4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x763e6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x763ee825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x763e6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x763e5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x763e49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x763e5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x77b19a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x77b38f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x77b38e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x76a47a25
bin+0x2905 @ 0xd72905
bin+0x2b94 @ 0xd72b94
bin+0x2bb8 @ 0xd72bb8
bin+0x1cc4 @ 0xd71cc4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.instruction: call dword ptr [ecx + 0xc]
exception.exception_code: 0xc0000005
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.address: 0x76413ef4
registers.esp: 1439144
registers.edi: 0
registers.eax: 12644960
registers.ebp: 1439172
registers.edx: 1
registers.ebx: 0
registers.esi: 4136368
registers.ecx: 1936668372
Status 1, Return 0, Repeated 0
API NtProtectVirtualMemory

process_identifier: 1100
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74073000
process_handle: 0xffffffff
Status 1, Return 0, Repeated 0
name RT_ICON language LANG_CHINESE filetype dBase III DBT, version number 0, next free block index 40 sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00022f08 size 0x00042028
name RT_RCDATA language LANG_CHINESE filetype DOS executable (block device driverG*y\266\260&"!,32-bit sector-,IOCTL-,close media-,control strings-support) sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00163948 size 0x0000484c
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00168194 size 0x00000024
name RT_VERSION language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x001681b8 size 0x00000eb4
section .rsrc: size_of_data 0x00151200, virtual_address 0x00018000, virtual_size 0x001511f4, entropy 7.382224023620372 description A section with a high entropy has been found
entropy 0.945320715037 description Overall entropy of this PE file is high
host 172.67.188.154
Sangfor Suspicious.Win32.GenericRXAA-AA.FE8953E299B3
K7AntiVirus Riskware ( 0040eff71 )
K7GW Riskware ( 0040eff71 )
Avast Win32:Malware-gen
McAfee-GW-Edition Artemis!Trojan
Ikarus Trojan.Dropper
Avira TR/Dropper.Gen2
Antiy-AVL Trojan/Generic.ASMalwS.31E606C
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Cynet Malicious (score: 99)
McAfee GenericRXAA-AA!FE8953E299B3
Malwarebytes Malware.AI.4272581381
Yandex Trojan.DR.Agent!+UIBoKY41eQ
AVG Win32:Malware-gen