Summary | ZeroBOX

installer_2021-09-21_16-31.bmp

Malicious Library AntiDebug PE File OS Processor Check PE32 AntiVM
Category: FILE
Machine: s1_win7_x6401
Started: Oct. 7, 2021, 6:11 p.m.
Completed: Oct. 7, 2021, 6:17 p.m.
Size 190.5KB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 6204c8a17955659856af5a12899414f5
SHA256 26e0eb57ab2dc03ff47708030f2d08aa7f0e49be7e186fa5a36d43e3f9a8ae15
CRC32 579CE758
ssdeep 3072:IlWGTR++Ux28ud9U5OSSm9TdJy2kIxAwjtqAk:xQ8SzSSATe2kBwjt
PDB Path C:\payug.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
162.0.210.44 Active Moloch
162.0.214.42 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleA

buffer: SUCCESS!
console_handle: 0x00000007
status: 1 return: 1 repeated: 0
pdb_path C:\payug.pdb
resource name FIBOLUWAWABUROBI
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0055c000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 24576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
name: FIBOLUWAWABUROBI; language: LANG_SAAMI; filetype: ASCII text, with very long lines, with no line terminators; sublanguage: SUBLANG_ARABIC_LIBYA; offset: 0x000a085c; size: 0x00000685
name: RT_STRING; language: LANG_SAAMI; filetype: data; sublanguage: SUBLANG_ARABIC_LIBYA; offset: 0x000b4768; size: 0x00000610
name: RT_ACCELERATOR; language: LANG_SAAMI; filetype: data; sublanguage: SUBLANG_ARABIC_LIBYA; offset: 0x000b4da0; size: 0x00000020
section: .text; size_of_data: 0x00013a00; virtual_address: 0x00001000; virtual_size: 0x000139dc; entropy: 7.252199701872107; description: A section with a high entropy has been found
entropy: 0.414248021108; description: Overall entropy of this PE file is high
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
host 162.0.210.44
host 162.0.214.42
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2240
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000088
status: 1 return: 0 repeated: 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2240
process_handle: 0x00000088
status: 1 return: 1 repeated: 0
Process injection Process 2648 called NtSetContextThread to modify thread in remote process 2240
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4199584
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000084
process_identifier: 2240
status: 1 return: 0 repeated: 0
Process injection Process 2648 resumed a thread in remote process 2240
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000084
suspend_count: 1
process_identifier: 2240
status: 1 return: 0 repeated: 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2244
thread_handle: 0x00000084
process_identifier: 2240
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\installer_2021-09-21_16-31.bmp
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\installer_2021-09-21_16-31.bmp"
filepath_r: C:\Users\test22\AppData\Local\Temp\installer_2021-09-21_16-31.bmp
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000088
status: 1 return: 1 repeated: 0

NtGetContextThread

thread_handle: 0x00000084
status: 1 return: 0 repeated: 0

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 4096
process_identifier: 2240
process_handle: 0x00000088
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 2240
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000088
status: 1 return: 0 repeated: 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2240
process_handle: 0x00000088
status: 1 return: 1 repeated: 0

NtSetContextThread

registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4199584
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000084
process_identifier: 2240
status: 1 return: 0 repeated: 0

NtResumeThread

thread_handle: 0x00000084
suspend_count: 1
process_identifier: 2240
status: 1 return: 0 repeated: 0