Summary | ZeroBOX

2103609787.exe

Admin Tool (Sysinternals etc ...) PE32 PE File
Category FILE
Machine s1_win7_x6402
Started Oct. 18, 2021, 9:27 a.m.
Completed Oct. 18, 2021, 9:35 a.m.
Size 797.0KB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 4058a27cf325710ab5a9020fe95e57f7
SHA256 9f5f9e5ba636fdea5ddece4718c97ac619d0e4f135ae2a1e3da0a8886aa8efc2
CRC32 C94D8696
ssdeep 12288:eVIe9Zi0jqM40MWGjTs1285kXzl96n4m7jS6F3xpUZ6xy4+PfCzObOZQC:eJ/PBexZ8r7NR7hx/+3CzmOZD
Yara
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlImageNtHeader+0xac6 RtlDeleteCriticalSection-0x9cb ntdll+0x33c2a @ 0x77b13c2a
RtlImageNtHeader+0xb6a RtlDeleteCriticalSection-0x927 ntdll+0x33cce @ 0x77b13cce
malloc+0x57 _finite-0xac msvcrt+0x9d45 @ 0x77139d45
CoTaskMemRealloc+0x16b3 CoInitializeEx-0x4c1 ole32+0x404ec @ 0x769104ec
CoTaskMemRealloc+0x1581 CoInitializeEx-0x5f3 ole32+0x403ba @ 0x769103ba
CoFreeUnusedLibrariesEx+0x2c2 CoTaskMemAlloc-0x3129 ole32+0x4b923 @ 0x7691b923
RtlQueryEnvironmentVariable+0x241 RtlQueryEnvironmentVariable_U-0x23 ntdll+0x39930 @ 0x77b19930
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x77b1d8a9
LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x77b1d76c
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77b1c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x74b8d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x75671d2a
LoadLibraryExA+0x26 FreeLibrary-0x18 kernelbase+0x11d7a @ 0x75671d7a
LoadLibraryA+0x31 HeapCreate-0x25 kernel32+0x14a08 @ 0x76a44a08
2103609787+0x151f5 @ 0x4151f5
2103609787+0x71de8 @ 0x471de8
2103609787+0x781de @ 0x4781de
2103609787+0x1288 @ 0x401288
2103609787+0x1315 @ 0x401315
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 32 4e 02 89 75 e8 f6 c1 01 0f 84 51 98 02 00 66
exception.symbol: RtlImageNtHeader+0xca9 RtlDeleteCriticalSection-0x7e8 ntdll+0x33e0d
exception.instruction: xor cl, byte ptr [esi + 2]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 212493
exception.address: 0x77b13e0d
registers.esp: 2665392
registers.edi: 6362160
registers.eax: 57839
registers.ebp: 2665428
registers.edx: 6356992
registers.ebx: 6356992
registers.esi: 6824872
registers.ecx: 1
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1428
region_size: 200704
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1428
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006c0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1428
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00760000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00780000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x731a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x731a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1428
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02050000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02110000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
section .data: size_of_data 0x0002d400, virtual_address 0x0007c000, virtual_size 0x0002d23c, entropy 7.997677633326689 (A section with a high entropy has been found)
section .rsrc: size_of_data 0x0001ce00, virtual_address 0x000b1000, virtual_size 0x0001cd6c, entropy 7.35372494333328 (A section with a high entropy has been found)
entropy 0.372487437186 (Overall entropy of this PE file is high)
Lionic Trojan.Win32.Reline.i!c
MicroWorld-eScan Gen:Variant.Fragtor.31624
FireEye Generic.mg.4058a27cf325710a
CAT-QuickHeal Trojanpws.Reline
McAfee RDN/Generic PWS.y
Cylance Unsafe
VIPRE MultiPlug (v)
Sangfor Suspicious.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanPSW:Win32/Reline.a89adffb
K7GW Trojan ( 005500d91 )
K7AntiVirus Trojan ( 005500d91 )
Arcabit Trojan.Fragtor.D7B88
BitDefenderTheta Gen:NN.ZexaF.34218.XK0@a0G5nlmi
Cyren W32/Injector.ANB.gen!Eldorado
ESET-NOD32 a variant of Win32/Rozena.AFG
TrendMicro-HouseCall TROJ_GEN.R002C0WJE21
Kaspersky HEUR:Trojan-PSW.Win32.Reline.gen
BitDefender Gen:Variant.Fragtor.31624
APEX Malicious
Tencent Win32.Trojan.Fragtor.Ozsa
Ad-Aware Gen:Variant.Fragtor.31624
Emsisoft Gen:Variant.Fragtor.31624 (B)
Comodo Malware@#356oecm15wexy
F-Secure Trojan.TR/AD.GenSteal.icukk
DrWeb Trojan.PWS.Stealer.31119
McAfee-GW-Edition BehavesLike.Win32.Generic.bh
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Rozena
Jiangmin Trojan.PSW.Reline.jx
Avira TR/AD.GenSteal.icukk
Kingsoft Win32.PSWTroj.Undef.(kcloud)
Gridinsoft Trojan.Win32.ShellCode.vb
Microsoft PWS:MSIL/RedLine.GG!MTB
ZoneAlarm HEUR:Trojan-PSW.Win32.Reline.gen
GData Gen:Variant.Fragtor.31624
Cynet Malicious (score: 100)
VBA32 TrojanPSW.Reline
ALYac Spyware.Infostealer.RedLine
Malwarebytes Trojan.ShellCode
Avast Win32:Trojan-gen
SentinelOne Static AI - Malicious PE
Fortinet W32/Rozena.AFG!tr
AVG Win32:Trojan-gen
Panda Trj/Genetic.gen