Summary | ZeroBOX

LS.exe

Tags: Malicious Library, UPX, PE32, PE File

Category: FILE
Machine: s1_win7_x6401
Started: Oct. 15, 2021, 9:37 a.m.
Completed: Oct. 15, 2021, 9:41 a.m.
Size: 569.4KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 50bc873b8e08fdc5832350f377a1b5a7
SHA256: 2ac9fe88102fbe8cc50d40228e302e2f37fcc006009697609eb5d55aab5c940e
CRC32: EEB23B4F
ssdeep: 6144:PC4w8juap56y9dg4sIo9ZCf6YRZDYooV3FtlyPG4wYeVKiEgQaratgMZ:Knapvg4sz9dYRZsx1tvpEVar3MZ
Yara
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library

Hosts (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP Address: 164.124.101.2  Status: Active  Action: Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API: __exception__

stacktrace:
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x755c0d27
CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x755c0d4d
ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a
ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a
ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a
ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
ls+0x284b8 @ 0x4284b8
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
IID_IVbaHost+0x3b77 UserDllMain-0x61740 msvbvm60+0x321b7 @ 0x729721b7
IID_IVbaHost+0x386d UserDllMain-0x61a4a msvbvm60+0x31ead @ 0x72971ead
IID_IVbaHost+0x36291 UserDllMain-0x2f026 msvbvm60+0x648d1 @ 0x729a48d1
IID_IVbaHost+0x418d8 UserDllMain-0x239df msvbvm60+0x6ff18 @ 0x729aff18
BASIC_CLASS_Release+0xfcaa IID_IVbaHost-0xff3d msvbvm60+0x1e703 @ 0x7295e703
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
ls+0x127a @ 0x40127a
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 4e 34 89 4f 04 89 f9 83 c1 48 89 4f 0c 83 c1
exception.instruction: mov ecx, dword ptr [esi + 0x34]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x51dc20
registers.esp: 1635868
registers.edi: 6619136
registers.eax: 2000419504
registers.ebp: 1635868
registers.edx: 2130566132
registers.ebx: 5365433
registers.esi: 3006114407
registers.ecx: 5810216
status: 1  return: 0  repeated: 0
API: NtProtectVirtualMemory

process_identifier: 2972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d72000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

API: NtAllocateVirtualMemory

process_identifier: 2972
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00650000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
file C:\Users\test22\AppData\Roaming\gh\hn.exe
API: NtProtectVirtualMemory

process_identifier: 2972
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x003e0000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
section .text: virtual_address 0x00001000, virtual_size 0x00056f54, size_of_data 0x00057000, entropy 6.8419307931716595; description: A section with a high entropy has been found
entropy 0.669230769231; description: Overall entropy of this PE file is high
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mk; reg_value C:\Users\test22\AppData\Roaming\gh\hn.exe (autostart persistence via the Run key)
Antivirus results

Elastic malicious (high confidence)
ClamAV Win.Trojan.Bulz-9900370-0
ALYac Gen:Variant.Strictor.264206
Malwarebytes Trojan.Injector
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 0058890e1 )
K7GW Trojan ( 0058890e1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Strictor.D4080E
Cyren W32/Fareit.LC.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/GenKryptik.FLQV
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky UDS:Backdoor.Win32.Androm
BitDefender Gen:Variant.Strictor.264206
MicroWorld-eScan Gen:Variant.Strictor.264206
Avast Win32:DropperX-gen [Drp]
Ad-Aware Gen:Variant.Strictor.264206
Emsisoft Trojan.Crypt (A)
F-Secure Trojan.TR/Dropper.Gen
DrWeb Trojan.KillProc2.16754
McAfee-GW-Edition BehavesLike.Win32.Generic.hh
FireEye Generic.mg.50bc873b8e08fdc5
Jiangmin Backdoor.Androm.bbwi
Avira TR/Dropper.Gen
Antiy-AVL Trojan/Generic.ASMalwS.34B2070
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Gen:Variant.Strictor.264206
AhnLab-V3 Backdoor/Win32.NetWiredRC.C3631196
McAfee Artemis!50BC873B8E08
MAX malware (ai score=86)
VBA32 Malware-Cryptor.VB.gen.1
Cylance Unsafe
Yandex Backdoor.Androm!yDsXbO2vUQ0
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_54%
BitDefenderTheta Gen:NN.ZevbaF.34218.Jm3@a8CjcIai
AVG Win32:DropperX-gen [Drp]
MaxSecure Trojan.Malware.300983.susgen