Summary | ZeroBOX

6666.exe

Tags: NPKI, Malicious Library, UPX, PE64, PE File
Category  Machine           Started                   Completed
FILE      s1_win7_x6403_us  Oct. 15, 2021, 6:05 p.m.  Oct. 15, 2021, 6:05 p.m.

Size    5.3MB
Type    PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5     f95a35e8c3f3f57b3f347bd6c8180bee
SHA256  369b61bc5522ec08fe546958192325de94d7f70d4f8c2cee16ec62be03bc54ca
CRC32   199F2263
ssdeep  98304:O/0W35kaNtSgmTCNK0pjI5mEL7GDDfPuuGqrrb+OWOkisXb2Da/dqcx2vCNM/:O8SVNtc0KE0oCGfnuI5Kixy26NM
Yara
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • NPKI_Zero - File included NPKI

Name / Response / Post-Analysis Lookup
No hosts contacted.

IP Address / Status / Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section        \xea\x99\xb0\xea\x99\xb0\xea\x99 (non-ASCII section name, shown as raw bytes)
resource name  MUI
resource name  TYPELIB
Time & API / Arguments / Status / Return / Repeated

API: __exception__
stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x74d1d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x74d1964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x74d04d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x74d06f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x74d0e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x74d06002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x74d05fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x74d049e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x74d05a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x77579a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x77598f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x77598e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x76377a25
wscript+0x2fbd @ 0x4f2fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x74d33ef4
registers.esp: 3471200
registers.edi: 0
registers.eax: 33497184
registers.ebp: 3471228
registers.edx: 1
registers.ebx: 0
registers.esi: 10215000
registers.ecx: 1946301820
Status 1  Return 0  Repeated 0
section
  name             \xea\x99\xb0\xea\x99\xb0\xea\x99
  virtual_address  0x0038e000
  virtual_size     0x0051bec8
  size_of_data     0x0051c000
  entropy          7.90011454512
  description      A section with a high entropy has been found

entropy 0.955529175418
  description      Overall entropy of this PE file is high
Antivirus         Detection
Lionic            Trojan.Win32.Generic.4!c
MicroWorld-eScan  Trojan.GenericKD.37802521
Sangfor           Trojan.Win32.Save.a
Cyren             W64/Agent.DMU.gen!Eldorado
APEX              Malicious
Kaspersky         Trojan.Win64.Donut.bvy
Avast             FileRepMalware
McAfee-GW-Edition BehavesLike.Win64.Ramnit.tc
FireEye           Generic.mg.f95a35e8c3f3f57b
GData             Win32.Application.Coinminer.E0LE8Y
Gridinsoft        Trojan.Win64.Agent.vb
ZoneAlarm         Trojan.Win64.Donut.bvy
Microsoft         Trojan:Win32/Sabsik.FL.B!ml
Cynet             Malicious (score: 100)
McAfee            Artemis!F95A35E8C3F3
MAX               malware (ai score=87)
SentinelOne       Static AI - Suspicious PE
eGambit           Unsafe.AI_Score_98%
Fortinet          W32/Malicious_Behavior.SBX
MaxSecure         Trojan.Malware.300983.susgen
AVG               FileRepMalware