Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

sb.exe

Generic Malware UPX Malicious Library PE File OS Processor Check PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 29, 2021, 10:05 a.m.	Sept. 29, 2021, 10:15 a.m.

Size	1.6MB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`e310cb3185d95e3dda42f0230b569d84`
SHA256	`82867648313483db4a6115e0cc2b34c06719ffdb6667e50e625e2dc130adfbca`
CRC32	`3DCDFBFA`
ssdeep	`12288:EjTG/NEiKx8FAuRg7Q7X/CRLL6/mkIHTydNNAF4B0laLpfqFR:EiAuRg7SFWIyFR`
PDB Path	C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\General\DispSink\DispClient\Free real estate.pdb
Yara	UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

sb.exe "C:\Users\test22\AppData\Local\Temp\sb.exe"
2132
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\General\DispSink\DispClient\Free real estate.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 29, 2021, 10:05 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 29, 2021, 10:05 a.m.	process_identifier: 2132 region_size: 10485760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02100000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 29, 2021, 10:05 a.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755cf000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Sept. 29, 2021, 10:14 a.m.	total_number_of_free_bytes: 10931728384 free_bytes_available: 10931728384 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0