Summary | ZeroBOX

Ghpwvaau.exe

Malicious Library UPX PE32 PE File
Category FILE
Machine s1_win7_x6403_us
Started May 24, 2022, 9:17 a.m.
Completed May 24, 2022, 9:38 a.m.
Size 787.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f90932c0feeed304b65bf0cb9ee79424
SHA256 50f8e65f0b4356d376130eaa14d12a563f8c4cb80a9d6a06cfd14e66785352ab
CRC32 638AB751
ssdeep 12288:zWijNHVkFTo0x5H1ZWJZPcyhiX5qPdRJgb4RmIggE6gPgBuLq:zWixYT35H1485XITJgcRSv4ML
Yara
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
ghpwvaau+0x87f70 @ 0x487f70
ghpwvaau+0x425b @ 0x40425b
ghpwvaau+0x42c3 @ 0x4042c3
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: f3 a5 89 c1 83 e1 03 f3 a4 5f 5e c3 8d 74 31 fc
exception.symbol: ghpwvaau+0x2d2b
exception.instruction: movsd dword ptr es:[edi], dword ptr [esi]
exception.module: Ghpwvaau.exe
exception.exception_code: 0xc0000005
exception.offset: 11563
exception.address: 0x402d2b
registers.esp: 1637864
registers.edi: 0
registers.eax: 80384
registers.ebp: 1638088
registers.edx: 0
registers.ebx: 0
registers.esi: 31487176
registers.ecx: 20096
1 0 0

__exception__

stacktrace:
ghpwvaau+0x42c3 @ 0x4042c3
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 8b 08 ff 51 fc c3 53 56 57 89 c3 89 d7 ab 8b 4b
exception.symbol: ghpwvaau+0x377e
exception.instruction: mov ecx, dword ptr [eax]
exception.module: Ghpwvaau.exe
exception.exception_code: 0xc0000005
exception.offset: 14206
exception.address: 0x40377e
registers.esp: 1636048
registers.edi: 1638212
registers.eax: 31581656
registers.ebp: 1638244
registers.edx: 1635841
registers.ebx: 4211310
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

stacktrace:
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75596de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75596e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x772c011a
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x755bcf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x755ef73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x755efa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x755efb1f
New_user32_MessageBoxTimeoutW@24+0x5e New_user32_RegisterHotKey@16-0x159 @ 0x73ef76de
MessageBoxTimeoutA+0x76 MessageBoxIndirectA-0x33 user32+0x6fb9e @ 0x755efb9e
New_user32_MessageBoxTimeoutA@24+0x5e New_user32_MessageBoxTimeoutW@24-0x159 @ 0x73ef7527
MessageBoxExA+0x1b MessageBoxExW-0x9 user32+0x6fcf1 @ 0x755efcf1
MessageBoxA+0x18 MessageBoxW-0x9 user32+0x6fd36 @ 0x755efd36
ghpwvaau+0x443d @ 0x40443d
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x772f6ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x772f6a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x73ef482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x772c0143
ghpwvaau+0x42c3 @ 0x4042c3
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x73ca3f46
registers.esp: 1632768
registers.edi: 0
registers.eax: 1942634310
registers.ebp: 1632808
registers.edx: 0
registers.ebx: 0
registers.esi: 1942634310
registers.ecx: 7998824
1 0 0

__exception__

stacktrace:
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75596de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75596e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x772c011a
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x755bcf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x755ef73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x755efa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x755efb1f
New_user32_MessageBoxTimeoutW@24+0x5e New_user32_RegisterHotKey@16-0x159 @ 0x73ef76de
MessageBoxTimeoutA+0x76 MessageBoxIndirectA-0x33 user32+0x6fb9e @ 0x755efb9e
New_user32_MessageBoxTimeoutA@24+0x5e New_user32_MessageBoxTimeoutW@24-0x159 @ 0x73ef7527
MessageBoxExA+0x1b MessageBoxExW-0x9 user32+0x6fcf1 @ 0x755efcf1
MessageBoxA+0x18 MessageBoxW-0x9 user32+0x6fd36 @ 0x755efd36
ghpwvaau+0x443d @ 0x40443d
RtlDosSearchPath_Ustr+0xada RtlCaptureContext-0x72 ntdll+0x46ab9 @ 0x772f6ab9
RtlDosSearchPath_Ustr+0xaac RtlCaptureContext-0xa0 ntdll+0x46a8b @ 0x772f6a8b
New_ntdll_RtlDispatchException@8+0xf6 New_ntdll_RtlRemoveVectoredContinueHandler@4-0x23 @ 0x73ef482b
KiUserExceptionDispatcher+0xf KiRaiseUserExceptionDispatcher-0x41 ntdll+0x10143 @ 0x772c0143
ghpwvaau+0x42c3 @ 0x4042c3
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x73ca3f46
registers.esp: 1632768
registers.edi: 0
registers.eax: 1942634310
registers.ebp: 1632808
registers.edx: 0
registers.ebx: 0
registers.esi: 1942634310
registers.ecx: 7998824
1 0 0

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x754ad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x754a964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75494d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75496f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x7549e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75496002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75495fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x754949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75495a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x772e9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x77308f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x77308e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x76877a25
ghpwvaau+0x4514 @ 0x404514

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x754c3ef4
registers.esp: 1633596
registers.edi: 0
registers.eax: 6418448
registers.ebp: 1633624
registers.edx: 1
registers.ebx: 0
registers.esi: 2954000
registers.ecx: 1942500732
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2424
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00600000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
section .rsrc (size_of_data 0x0002f200, virtual_address 0x0009b000, virtual_size 0x0002f200, entropy 6.894006374858349) description A section with a high entropy has been found
entropy 0.239821882952 description Overall entropy of this PE file is high
Bkav W32.AIDetect.malware2
Lionic Trojan.Win32.Generic.4!c
MicroWorld-eScan Trojan.GenericKD.39684494
FireEye Generic.mg.f90932c0feeed304
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan-Downloader ( 005829421 )
Alibaba Trojan:Win32/Fareit.ccf6c847
K7GW Trojan-Downloader ( 005829421 )
Cybereason malicious.0fdea3
Arcabit Trojan.Generic.D25D898E
Cyren W32/BestaFera.D.gen!Eldorado
Symantec Scr.MalPbs!gen1
Elastic malicious (high confidence)
ESET-NOD32 Win32/TrojanDownloader.Delf.DIB
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.39684494
Avast Win32:InjectorX-gen [Trj]
Emsisoft Trojan.GenericKD.39684494 (B)
TrendMicro TROJ_GEN.R002C0PEN22
McAfee-GW-Edition Fareit-FDBI!F90932C0FEEE
Sophos Mal/Generic-S
Ikarus Win32.Outbreak
MAX malware (ai score=86)
Antiy-AVL Trojan/Win32.SGeneric
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft Trojan.Win32.Downloader.sa
Microsoft Trojan:Win32/DelfInject.BBP!MTB
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Trojan.GenericKD.39684494
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Phonzy.C5140995
McAfee Fareit-FDBI!F90932C0FEEE
VBA32 BScope.Trojan.Hesv
Malwarebytes Malware.AI.814296602
TrendMicro-HouseCall TROJ_GEN.R002C0PEN22
Rising Trojan.Generic@AI.83 (RDML:EXHzYOrc48UVsB5Oz+bvOQ)
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Injector.EQPQ!tr
AVG Win32:InjectorX-gen [Trj]
CrowdStrike win/malicious_confidence_100% (W)