popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

downloadmanager.exe

Emotet Malicious Library Malicious Packer AntiDebug PE File OS Processor Check PE32 AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Oct. 4, 2021, 10:10 a.m. Oct. 4, 2021, 10:12 a.m.
Size 901.4KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5 17fe15c3f5f28d07fa885bf7099163ef
SHA256 f71af69d5802a003452e0401c936c344911f215d6d8a9f34359b9d1cdc758542
CRC32 23A505A8
ssdeep 24576:t20gPgFK2MQxAVBbIcXQzkUWSQshQwxB7yCE:EKpxAjIEsrhxBQ
PDB Path d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: 'Generetik' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: The batch file cannot be found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: Waiting for 7
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: seconds, press a key to continue ...
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: RAR 5.50 beta 1 x86 Copyright (c) 1993-2017 Alexander Roshal 12 Apr 2017
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Trial version Type 'rar -?' for help
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Extracting from dfshg.rar
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Extracting 88e.vbs
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer:  OK
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Extracting 77tor.bat
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer:  OK
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Extracting SISZEKO.exe
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer:  OK
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: All OK
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Waiting for 6
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: seconds, press a key to continue ...
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Waiting for 8
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: seconds, press a key to continue ...
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Waiting for 2
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: seconds, press a key to continue ...
console_handle: 0x00000007
1 1 0
pdb_path d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73621000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736d2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73791000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x733b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x733b3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73281000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76ec1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76cc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75461000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x771e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x731f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73621000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736d2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73791000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75491000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x764a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73121000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74be1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76f71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76ba1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76cc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75461000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x771e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73281000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76ec1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73721000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76ec1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76cc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75461000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x771e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 808
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76cc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 808
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75461000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 808
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x771e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 808
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x764a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 808
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73681000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73511000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73461000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735a2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73661000
process_handle: 0xffffffff
1 0 0
file C:\jdksfhoisg\397598.vbs
file C:\jdksfhoisg\77tor.bat
file C:\jdksfhoisg\88e.vbs
file C:\jdksfhoisg\zcomue.com
file C:\jdksfhoisg\SISZEKO.exe
file C:\jdksfhoisg\vut1.bat
file C:\jdksfhoisg\397598.vbs
file C:\jdksfhoisg\zcomue.com
file C:\jdksfhoisg\88e.vbs
file C:\jdksfhoisg\77tor.bat
file C:\jdksfhoisg\SISZEKO.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: vut1.bat
parameters:
filepath: vut1.bat
1 1 0

ShellExecuteExW

 show_type: 0
filepath_r: C:\jdksfhoisg\77tor.bat
parameters:
filepath: C:\jdksfhoisg\77tor.bat
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline attrib +s +h "C:\jdksfhoisg"
Bkav W32.AIDetect.malware2
FireEye Generic.mg.17fe15c3f5f28d07
Cybereason malicious.263a67
Symantec Trojan.Gen.2
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Ikarus Trojan.Inject
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Cynet Malicious (score: 100)
McAfee Artemis!17FE15C3F5F2
Cylance Unsafe
CrowdStrike win/malicious_confidence_70% (W)
parent_process wscript.exe martian_process C:\jdksfhoisg\77tor.bat
parent_process wscript.exe martian_process "C:\jdksfhoisg\77tor.bat"
parent_process wscript.exe martian_process vut1.bat
parent_process wscript.exe martian_process "C:\jdksfhoisg\vut1.bat"
Process injection Process 1136 resumed a thread in remote process 2236
Process injection Process 1644 resumed a thread in remote process 2292
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000002e0
suspend_count: 1
process_identifier: 2236
1 0 0

NtResumeThread

 thread_handle: 0x00000278
suspend_count: 1
process_identifier: 2292
1 0 0
file C:\Windows\SysWOW64\wscript.exe