popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

clr.exe

NPKI Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE64 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Aug. 16, 2021, 5:05 p.m. Aug. 16, 2021, 5:07 p.m.
Size 5.9MB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 508167b2c34732f05f11f2531b2498a2
SHA256 f7abcbdb4896f995674c927c3e3b46fbf40125c26cc8ebb09d88ee0d71d4a25f
CRC32 A1AF54DA
ssdeep 49152:P8L4dlrb/TkvO90dL3BmAFd4A64nsfJ9uB5q9FbvbhZdGDSj0uBTfA6VzHv3+6kP:P80Du3mAQQQQQQQQQQQQQ
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE64 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • NPKI_Zero - File included NPKI

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .symtab
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2496
region_size: 720896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000028670000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2496
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000286a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2496
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000028720000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2496
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000028760000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
Elastic malicious (high confidence)
ESET-NOD32 a variant of WinGo/GoCLR.B
APEX Malicious
ClamAV Win.Malware.Bulz-9847817-0
Kaspersky VHO:Trojan-Dropper.Win32.Agent.gen
Jiangmin Trojan.Generic.gzxxe
eGambit Unsafe.AI_Score_100%
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Agent.C4588779
Malwarebytes Malware.AI.4021206680
Rising HackTool.GoCLR!1.D71D (CLASSIC)
CrowdStrike win/malicious_confidence_80% (D)
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

 ordinal: 0
function_address: 0x000007feff1a7a50
function_name: wine_get_version
module: ntdll
module_address: 0x0000000077900000
-1073741511 0