popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

can.exe

Generic Malware PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 25, 2021, 9:58 a.m. Aug. 25, 2021, 9:58 a.m.
Size 489.4KB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 941ffbcc54a5826dde6e2d35f2fc761d
SHA256 4a0b8f4dbb3acd1bbab1527d90921061bef21f3422250dcc41b8046b77edbd9b
CRC32 0D18557C
ssdeep 12288:+pxLkSqnEa1yg6PbvF1yC62hkh2pf05T70sZ0XNfM:jaZ1yQC5gXtM
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 1374212
registers.edi: 7882320
registers.eax: 1374212
registers.ebp: 1374292
registers.edx: 0
registers.ebx: 7882320
registers.esi: 7882320
registers.ecx: 2
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2232
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00e43000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2232
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2232
region_size: 487424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d52000
process_handle: 0xffffffff
1 0 0
wmi Select * from Win32_ComputerSystem
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00380000
process_handle: 0xffffffff
1 0 0
wmi Select * from Win32_ComputerSystem
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
FireEye Generic.mg.941ffbcc54a5826d
McAfee Artemis!941FFBCC54A5
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_60% (D)
BitDefenderTheta Gen:NN.ZexaF.34104.EuZ@aWrKYJdi
Symantec ML.Attribute.HighConfidence
APEX Malicious
Rising Trojan.Kryptik!1.D84E (CLASSIC)
McAfee-GW-Edition BehavesLike.Win32.Generic.gc
Ikarus Trojan.Agent
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Cynet Malicious (score: 100)
VBA32 BScope.TrojanPSW.MSIL.Agensla
Malwarebytes Spyware.AgentTesla
SentinelOne Static AI - Suspicious PE
Cybereason malicious.4c4723
Process injection Process 2232 called NtSetContextThread to modify thread in remote process 2384
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 1376236
registers.edi: 0
registers.eax: 4203924
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000094
process_identifier: 2384
1 0 0