Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 25, 2022, 10:17 a.m.	March 25, 2022, 10:19 a.m.

Size	2.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`156b4f5c31201bc945b2b3ceb95e0c5a`
SHA256	`b9d0e6a73f63d4f9e77b7640934ffd3268454052fbf942ed9f9779b45c55430f`
CRC32	`CB0B2E6A`
ssdeep	`49152:RqzkN5m+wboqfrpBRmTnbhT4CwEGRyz1ZzSV9ojG/01Nln4i:RqwN5mxwTbhc9RyzfuMjGMjln4i`
Yara	VMProtect_Zero - VMProtect packed file Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

듐乖섬.exe "C:\Users\test22\AppData\Local\Temp\듐乖섬.exe"
2152

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	.vmp0
section	.vmp1
section	.vmp2

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ March 25, 2022, 10:17 a.m.	stacktrace: exception.instruction_r: ed e8 8d 7e ef ff 1e 70 3d 43 7b c9 f0 d3 90 23 exception.instruction: in eax, dx exception.module: 듐乖섬.exe exception.exception_code: 0xc0000096 exception.offset: 5269296 exception.address: 0x906730 registers.esp: 1636180 registers.edi: 1638204 registers.eax: 1447909480 registers.ebp: 1638240 registers.edx: 22104 registers.ebx: 0 registers.esi: 1638228 registers.ecx: 10	1
__exception__ March 25, 2022, 10:17 a.m.	stacktrace: exception.instruction_r: 90 9c e8 6d be ff ff e6 c4 09 72 6b c9 24 17 a8 exception.instruction: nop exception.module: 듐乖섬.exe exception.exception_code: 0x80000004 exception.offset: 4232817 exception.address: 0x809671 registers.esp: 1636180 registers.edi: 1638204 registers.eax: 1362419990 registers.ebp: 1638240 registers.edx: 42 registers.ebx: 0 registers.esi: 1638228 registers.ecx: 10	1
__exception__ March 25, 2022, 10:17 a.m.	stacktrace: exception.instruction_r: 90 e9 72 99 0b 00 00 00 4c 72 65 73 75 6c 74 46 exception.instruction: nop exception.module: 듐乖섬.exe exception.exception_code: 0x80000004 exception.offset: 3424359 exception.address: 0x744067 registers.esp: 1636180 registers.edi: 1638204 registers.eax: 591594 registers.ebp: 1638240 registers.edx: 395049983 registers.ebx: 16910336 registers.esi: 1638228 registers.ecx: 3738837507	1
__exception__ March 25, 2022, 10:17 a.m.	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: 8a 10 32 d1 02 d1 88 10 40 4e 75 f4 5e 5d c2 0c exception.instruction: mov dl, byte ptr [eax] exception.module: 듐乖섬.exe exception.exception_code: 0xc0000005 exception.offset: 4416 exception.address: 0x401140 registers.esp: 1638036 registers.edi: 0 registers.eax: 0 registers.ebp: 1638040 registers.edx: 4294967295 registers.ebx: 2130567168 registers.esi: 4294967295 registers.ecx: 242	1

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 25, 2022, 10:17 a.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1359872 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 25, 2022, 10:17 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x779c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 25, 2022, 10:17 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75760000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

Foreign language identified in PE resource (28 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0052034c

size

0x00000128

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005205a8

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005205a8

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005205a8

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005205a8

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005205a8

size

0x00000022

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005205cc

size

0x000002a8

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x001fac00', u'virtual_address': u'0x00313000', u'entropy': 7.954765288049253, u'name': u'.vmp2', u'virtual_size': u'0x001fab10'}

entropy

7.95476528805

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00012c00', u'virtual_address': u'0x0050e000', u'entropy': 6.95585398791023, u'name': u'.rsrc', u'virtual_size': u'0x00012ad3'}

entropy

6.95585398791

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

The executable is likely packed with VMProtect (3 events)

section	.vmp0	description	Section name indicates VMProtect
section	.vmp1	description	Section name indicates VMProtect
section	.vmp2	description	Section name indicates VMProtect

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Bkav	W32.AIDetect.malware2
Lionic	Trojan.Win32.Generic.lKna
McAfee	Artemis!156B4F5C3120
Malwarebytes	Malware.AI.4099111480
Cybereason	malicious.86441e
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.Agentb.a
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.156b4f5c31201bc9
Sophos	Mal/VMProtBad-A
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan/Agent.ecmu
GData	Win32.Trojan.Kryptik.HK@susp
BitDefenderTheta	Gen:NN.ZexaF.34294.eI2@aKwA0Aij
Ikarus	Trojan.Win32.Crypt
Fortinet	W32/VMProtBad.A
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (W)

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 25, 2022, 10:17 a.m.	stacktrace: exception.instruction_r: ed e8 8d 7e ef ff 1e 70 3d 43 7b c9 f0 d3 90 23 exception.instruction: in eax, dx exception.module: 듐乖섬.exe exception.exception_code: 0xc0000096 exception.offset: 5269296 exception.address: 0x906730 registers.esp: 1636180 registers.edi: 1638204 registers.eax: 1447909480 registers.ebp: 1638240 registers.edx: 22104 registers.ebx: 0 registers.esi: 1638228 registers.ecx: 10	1	0	0

듐乖섬.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All