popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

avicapn32.exe

Malicious Library Malicious Packer UPX PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Dec. 10, 2022, 3:02 p.m. Dec. 10, 2022, 3:04 p.m.
Size 12.1MB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 0f6ef96c5e687631ef27f1dcd1afe7b4
SHA256 38381a42975028b181430a80d6009988d0d0cfa42493d3efbbfb72d3abe97648
CRC32 275EDD80
ssdeep 196608:dwT9pIuAU3qr4DZDZWHvmwIHEQWiXkOSsCYSwD8Qtwi85lW:wv6YDWHvm3HznXk+C12t45lW
Yara
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
45.159.188.118 Active Moloch

section .n3DK0
section .symtab
section .n3DK1
section .n3DK2
section .n3DK3
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
avicapn32+0xad7b93 @ 0x1627b93
GetEnvironmentVariableA+0x18 VerifyConsoleIoHandle-0xc5 kernel32+0x133b8 @ 0x755c33b8

exception.instruction_r: 90 53 9c bb 6a 02 c1 54 53 66 c1 a4 1c 96 fd 3e
exception.symbol: avicapn32+0xa699bc
exception.instruction: nop
exception.module: avicapn32.exe
exception.exception_code: 0x80000004
exception.offset: 10918332
exception.address: 0x15b99bc
registers.esp: 3536656
registers.edi: 11862016
registers.eax: 4199866596
registers.ebp: 3538680
registers.edx: 42
registers.ebx: 0
registers.esi: 0
registers.ecx: 784896
1 0 0
suspicious_features Connection to IP address suspicious_request GET http://45.159.188.118/bot/online?guid=test22-PC\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
suspicious_features Connection to IP address suspicious_request GET http://45.159.188.118/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
request GET http://45.159.188.118/bot/online?guid=test22-PC\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
request GET http://45.159.188.118/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x007f0000
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x00000400', u'virtual_address': u'0x0049b000', u'entropy': 7.503046296882152, u'name': u'.idata', u'virtual_size': u'0x000003dc'} entropy 7.50304629688 description A section with a high entropy has been found
section {u'size_of_data': u'0x00016e00', u'virtual_address': u'0x0049c000', u'entropy': 7.99177812695447, u'name': u'.n3DK0', u'virtual_size': u'0x00016d00'} entropy 7.99177812695 description A section with a high entropy has been found
section {u'size_of_data': u'0x00423a00', u'virtual_address': u'0x004b4000', u'entropy': 7.910937346034141, u'name': u'.n3DK1', u'virtual_size': u'0x00423805'} entropy 7.91093734603 description A section with a high entropy has been found
section {u'size_of_data': u'0x00344600', u'virtual_address': u'0x008d9000', u'entropy': 7.897628881549811, u'name': u'.n3DK3', u'virtual_size': u'0x003445f0'} entropy 7.89762888155 description A section with a high entropy has been found
section {u'size_of_data': u'0x00016200', u'virtual_address': u'0x00c37000', u'entropy': 6.967274615989221, u'name': u'.rsrc', u'virtual_size': u'0x000161ce'} entropy 6.96727461599 description A section with a high entropy has been found
entropy 0.6271959937 description Overall entropy of this PE file is high
host 45.159.188.118
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

 ordinal: 0
function_address: 0x0035fdb9
function_name: wine_get_version
module: ntdll
module_address: 0x76f10000
3221225785 0
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.64122460
Cylance Unsafe
Sangfor Banker.Win32.Clipbanker.Vs3f
Alibaba Trojan:Win32/ClipBanker.491c4b49
BitDefenderTheta Gen:NN.ZexaF.36106.@V1@aCYhf5hi
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of WinGo/ClipBanker.AG
APEX Malicious
Kaspersky Trojan-Banker.Win32.ClipBanker.wkx
BitDefender Trojan.GenericKD.64122460
Avast Win32:TrojanX-gen [Trj]
Tencent Win32.Trojan.FalseSign.Gdhl
Ad-Aware Trojan.GenericKD.64122460
Emsisoft Trojan.GenericKD.64122460 (B)
VIPRE Trojan.GenericKD.64122460
McAfee-GW-Edition Artemis!Trojan
Trapmine malicious.moderate.ml.score
FireEye Trojan.GenericKD.64122460
Sophos Mal/Generic-S
Ikarus Trojan.Cometer
GData Win32.Trojan.Agent.CYW14J
Webroot W32.Trojan.Gen
Google Detected
Kingsoft Win32.Troj.Banker.(kcloud)
Gridinsoft Ransom.Win32.Banker.sa
ZoneAlarm Trojan-Banker.Win32.ClipBanker.wkx
Microsoft Trojan:Win32/Sabsik.FL.B!ml
McAfee Artemis!0F6EF96C5E68
MAX malware (ai score=80)
Malwarebytes Malware.Heuristic.1003
TrendMicro-HouseCall TROJ_GEN.R002H0DL822
Rising Trojan.ClipBanker!8.5FB (TFE:1:ZMUnES72JpS)
Fortinet W32/PossibleThreat
AVG Win32:TrojanX-gen [Trj]