Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 5, 2021, 9:52 a.m.	Oct. 5, 2021, 10:01 a.m.

Size	417.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4589e8f916643c5d21b413d5ddaa0105`
SHA256	`9b41bf8f85747590a77dcb1f08634cc250eec349b6b3f25d640fb4cf0c69713f`
CRC32	`E2583484`
ssdeep	`3072:pwAM4NjvB4vMdq5hs5Uz/nVu4wLT+4aHBgMwYX7aVKiEgjeSTsxCatgfVapBXt:pc4vq5hs5I/nc4w0oVKiEgKaratgMZ`
Yara	Malicious_Packer_Zero - Malicious Packer UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

BS.exe "C:\Users\test22\AppData\Local\Temp\BS.exe"
2024

Name	Response	Post-Analysis Lookup
movie.metaservices.microsoft.com	CNAME movie.metaservices.windowsmedia.com.akadns.net A 65.55.186.115	65.55.186.113

IP Address	Status	Action
104.75.21.121	Active	Moloch
164.124.101.2	Active	Moloch
65.55.186.115	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 5, 2021, 9:53 a.m.	stacktrace: gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x75580d27 CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x75580d4d ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a ProcCallEngine+0x5dfd __vbaUdtVar-0xab7 msvbvm60+0x102e5a @ 0x72a42e5a ProcCallEngine+0x5e3e __vbaUdtVar-0xa76 msvbvm60+0x102e9b @ 0x72a42e9b ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 bs+0x127a @ 0x40127a RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 4e 34 89 4f 04 89 f9 83 c1 48 89 4f 0c 83 c1 exception.instruction: mov ecx, dword ptr [esi + 0x34] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5ab1f0 registers.esp: 1636324 registers.edi: 31129600 registers.eax: 2008021680 registers.ebp: 1636324 registers.edx: 2130566132 registers.ebx: 5944457 registers.esi: 3006361215 registers.ecx: 6057024	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 5, 2021, 9:53 a.m.

stacktrace:

gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755762fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75576d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x75580d27
CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x75580d4d
ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a
ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a
ProcCallEngine+0x5dfd __vbaUdtVar-0xab7 msvbvm60+0x102e5a @ 0x72a42e5a
ProcCallEngine+0x5e3e __vbaUdtVar-0xa76 msvbvm60+0x102e9b @ 0x72a42e9b
ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
bs+0x127a @ 0x40127a
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 8b 4e 34 89 4f 04 89 f9 83 c1 48 89 4f 0c 83 c1
exception.instruction: mov ecx, dword ptr [esi + 0x34]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5ab1f0
registers.esp: 1636324
registers.edi: 31129600
registers.eax: 2008021680
registers.ebp: 1636324
registers.edx: 2130566132
registers.ebx: 5944457
registers.esi: 3006361215
registers.ecx: 6057024

Performs some HTTP requests (1 event)

request

GET http://go.microsoft.com/fwlink?linkid=30219&locale=ko-KR&clientType=VISTA_GAMES&clientVersion=6.1.2

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74662000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\jk\jp.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\jk\jp.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 5, 2021, 9:53 a.m.	process_identifier: 2024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x004c0000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

104.75.21.121

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\jm

reg_value

C:\Users\test22\AppData\Roaming\jk\jp.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

65.55.186.115:80

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Lionic	Trojan.MSIL.Crysan.m!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
ALYac	Gen:Variant.Bulz.780925
Sangfor	Backdoor.MSIL.Crysan.ky
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Bulz.DBEA7D
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Backdoor.MSIL.Crysan.cto
BitDefender	Gen:Variant.Bulz.780925
MicroWorld-eScan	Gen:Variant.Bulz.780925
Avast	FileRepMalware
Ad-Aware	Gen:Variant.Bulz.780925
Emsisoft	Gen:Variant.Bulz.780925 (B)
Comodo	TrojWare.Win32.UMal.obnrr@0
DrWeb	Trojan.KillProc2.16723
McAfee-GW-Edition	BehavesLike.Win32.Generic.gm
FireEye	Generic.mg.4589e8f916643c5d
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
Avira	TR/Dropper.Gen
Kingsoft	Win32.Troj.Generic_a.a.(kcloud)
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Gen:Variant.Bulz.780925
AhnLab-V3	Backdoor/Win32.NetWiredRC.C3631196
McAfee	Artemis!4589E8F91664
MAX	malware (ai score=100)
VBA32	Malware-Cryptor.VB.gen.1
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H07J421
SentinelOne	Static AI - Malicious PE
BitDefenderTheta	Gen:NN.ZevbaF.34170.Am3@aq@kpuei
AVG	FileRepMalware

BS.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All