Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 1, 2021, 10:58 a.m.	Nov. 1, 2021, 11:01 a.m.

Size	234.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`781932d5e3cf1b9e902ee2ea8c48f572`
SHA256	`afbae06f0ec7939e039a47b7579a98f269eca1be5625e7343267cf4bbb0d5709`
CRC32	`4509F7A8`
ssdeep	`6144:wBlL/c42BI/9n/DNlCeLwfyYMgKoul0D8nPEAq8G:Ce4X9/bCn0kul0D8nJq8G`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file NSIS_Installer - Null Soft Installer

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 1, 2021, 10:58 a.m.		1	1	0

section

.ndata

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x728d2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 1468 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73797000 process_handle: 0xffffffff	1	0	0

file	C:\Users\test22\AppData\Local\Temp\nso6309.tmp\azxcktqvoyc.dll

file	C:\Users\test22\AppData\Local\Temp\nso6309.tmp\azxcktqvoyc.dll

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 1556 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000021c	1	0	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1468 created a remote thread in non-child process 1556
CreateRemoteThread Nov. 1, 2021, 10:58 a.m.	thread_identifier: 0 process_identifier: 1556 function_address: 0x001f80e4 flags: 4 stack_size: 0 parameter: 0x00000000 process_handle: 0x0000021c	1	548	0

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1468 manipulating memory of non-child process 1556
NtAllocateVirtualMemory Nov. 1, 2021, 10:58 a.m.	process_identifier: 1556 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000021c	1	0	0

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37904300
FireEye	Generic.mg.781932d5e3cf1b9e
CAT-QuickHeal	Trojan.Inject
McAfee	RDN/Tnega
Malwarebytes	Trojan.Injector
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 00589a551 )
Alibaba	Trojan:Win32/runner.ali1000123
K7GW	Trojan ( 00589a551 )
Cybereason	malicious.5e3cf1
Arcabit	Trojan.Generic.D2425FAC
Cyren	W32/Injector.AOL.gen!Eldorado
ESET-NOD32	a variant of Win32/Injector.EQKQ
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.Win32.Inject.gen
BitDefender	Trojan.GenericKD.37904300
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Trojan.GenericKD.37904300
Sophos	Generic ML PUA (PUA)
Comodo	Malware@#35npsox2iru3n
TrendMicro	TROJ_FRS.0NA103JV21
McAfee-GW-Edition	BehavesLike.Win32.Vopak.dc
Emsisoft	Trojan.GenericKD.37904300 (B)
Ikarus	Trojan.Win32.Injector
Webroot	W32.Trojan.Tnega
Avira	TR/Injector.gftfc
Microsoft	Trojan:Win32/Tnega!ml
GData	Win32.Trojan-Stealer.FormBook.7ZLZOU
Cynet	Malicious (score: 100)
ALYac	Trojan.GenericKD.37904300
MAX	malware (ai score=100)
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_FRS.0NA103JV21
SentinelOne	Static AI - Malicious PE
Fortinet	W32/Injector.EOLV!tr
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_100% (W)

vbc.exe