Summary | ZeroBOX

file6.exe

MPRESS PE32 PE File
Category: FILE
Machine: s1_win7_x6401
Started: Sept. 23, 2021, 10:07 a.m.
Completed: Sept. 23, 2021, 10:10 a.m.
Size 1.2MB
Type MS-DOS executable, MZ for MS-DOS
MD5 a92ecf7fef1451c1ebd6f7886a9e22d5
SHA256 40f4f7b3233351e4885a1758cd4eb0981dc5361aa7a354a981ed3ed6363f53ae
CRC32 B0B62460
ssdeep 24576:GnrOChfE476dtiw8t+cZHlcBIfej4gRgq16CeRrLs1/cLG4pNdWgWu33Mqz2:GrOC9EEOixtjSBWeMgt6CeRk1/cLG4p3
Yara
  • PE_Header_Zero - PE File Signature
  • MPRESS_Zero - MPRESS packed file
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
telete.in 195.201.225.248
IP Address Status Action
164.124.101.2 Active Moloch
195.201.225.248 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49198 -> 195.201.225.248:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow: TLSv1 192.168.56.101:49198 -> 195.201.225.248:443
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=telecut.in
Fingerprint: be:a6:3d:e8:93:c3:13:0b:5f:1d:3a:f7:63:57:4c:39:0e:96:df:5e

section .MPRESS1
section .MPRESS2
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
file6+0x27ac15 @ 0xf3ac15
file6+0x27acc4 @ 0xf3acc4

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 4128496
registers.edi: 13975552
registers.eax: 4128496
registers.ebp: 4128576
registers.edx: 2130566132
registers.ebx: 1968963558
registers.esi: 2000778283
registers.ecx: 4085972992
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 e9 fc 88 ef ff
exception.symbol: file6+0x29a247
exception.instruction: in eax, dx
exception.module: file6.exe
exception.exception_code: 0xc0000096
exception.offset: 2728519
exception.address: 0xf5a247
registers.esp: 4128616
registers.edi: 1978847
registers.eax: 1750617430
registers.ebp: 13975552
registers.edx: 1398870
registers.ebx: 1968963558
registers.esi: 13
registers.ecx: 20
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d
exception.symbol: file6+0x29a2bb
exception.instruction: in eax, dx
exception.module: file6.exe
exception.exception_code: 0xc0000096
exception.offset: 2728635
exception.address: 0xf5a2bb
registers.esp: 4128616
registers.edi: 1978847
registers.eax: 1447909480
registers.ebp: 13975552
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 13
registers.ecx: 10
1 0 0
suspicious_features: GET method with no useragent header
suspicious_request: GET https://telete.in/uispolarkins2
request: GET https://telete.in/uispolarkins2
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7743f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 442368
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00cc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 106496
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d2d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 20480
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d47000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d4d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d45000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d2d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d2d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 442368
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00cc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 106496
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d2d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d47000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d2d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d2d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d45000
process_handle: 0xffffffff
1 0 0
description file6.exe tried to sleep 225 seconds, actually delayed analysis time by 225 seconds
section .MPRESS1 (virtual_address 0x00001000, virtual_size 0x00330000, size_of_data 0x00122000, entropy 7.999857683178258) description A section with a high entropy has been found
entropy 0.939271255061 description Overall entropy of this PE file is high
process system
Time & API Arguments Status Return Repeated

FindWindowA

class_name: OLLYDBG
window_name:
0 0

FindWindowA

class_name: GBDYLLO
window_name:
0 0

FindWindowA

class_name: pediy06
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: FilemonClass
window_name:
0 0

FindWindowA

class_name: File Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Process Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: RegmonClass
window_name:
0 0

FindWindowA

class_name: Registry Monitor - Sysinternals: www.sysinternals.com
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: 18467-41
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: Filemonclass
window_name:
0 0

FindWindowA

class_name: PROCMON_WINDOW_CLASS
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0

FindWindowA

class_name: Regmonclass
window_name:
0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 76 (SystemFirmwareTableInformation)
3221225507 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: ed 64 8f 05 00 00 00 00 83 c4 04 81 fb 68 58 4d
exception.symbol: file6+0x29a2bb
exception.instruction: in eax, dx
exception.module: file6.exe
exception.exception_code: 0xc0000096
exception.offset: 2728635
exception.address: 0xf5a2bb
registers.esp: 4128616
registers.edi: 1978847
registers.eax: 1447909480
registers.ebp: 13975552
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 13
registers.ecx: 10
1 0 0
Lionic Trojan.Multi.Generic.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.37611569
FireEye Generic.mg.a92ecf7fef1451c1
Cylance Unsafe
K7AntiVirus Trojan ( 0057e7591 )
Alibaba Trojan:Win32/GenKryptik.dc05f90a
K7GW Trojan ( 0057e7591 )
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/GenKryptik.FKCK
APEX Malicious
Paloalto generic.ml
Kaspersky Trojan-PSW.Win32.Racealer.lzo
BitDefender Trojan.GenericKD.37611569
Avast FileRepMalware
Ad-Aware Trojan.GenericKD.37611569
Emsisoft Trojan.GenericKD.37611569 (B)
McAfee-GW-Edition BehavesLike.Win32.Dropper.tc
Sophos Mal/Generic-S
Avira TR/AD.StellarStealer.thkkc
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm Trojan-PSW.Win32.Racealer.lzo
GData Win32.Trojan-Stealer.Racealer.RWBGEG
Cynet Malicious (score: 100)
McAfee Artemis!A92ECF7FEF14
MAX malware (ai score=88)
VBA32 BScope.TrojanRansom.Foreign
TrendMicro-HouseCall TROJ_GEN.R002H0DIK21
SentinelOne Static AI - Suspicious PE
Fortinet W32/GenKryptik.FKCK!tr
AVG FileRepMalware