Summary | ZeroBOX

stlr.exe

Malicious Library | UPX | OS Processor Check | PE32 | PE File

Category FILE
Machine s1_win7_x6403_us
Started March 14, 2023, 10:33 a.m.
Completed March 14, 2023, 10:35 a.m.
Size 179.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e179b14f26972c159c58519496978a07
SHA256 f9d387135a7a4e49eb96fc29d3da8f412d870417bf684b5e8ae91c4a1fbcc6d5
CRC32 35F9E379
ssdeep 3072:bwevYpKTDMDUDfuuE46lC4PQyfHU6Ig4cjnjFRpbll/XbqefxlS3ETgmBN8vqI5L:sevY8m6u3wB4HzlrzPOefxoEBK7
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x238645
0x2373fd
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008e
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 38074584
registers.edi: 14971417
registers.eax: 38074584
registers.ebp: 38074664
registers.edx: 2130553844
registers.ebx: 1411408
registers.esi: 1971292105
registers.ecx: 753664000
1 0 0

__exception__

stacktrace:
0x2373fd
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 51 ff 15 3c 13 24 00 a1 94 30 24 00 c3 8b 44 24
exception.instruction: push ecx
exception.exception_code: 0x80000003
exception.symbol:
exception.address: 0x237e00
registers.esp: 38074696
registers.edi: 38074756
registers.eax: 0
registers.ebp: 38074812
registers.edx: 2130553844
registers.ebx: 1411408
registers.esi: 2325983
registers.ecx: 6534816
1 0 0

__exception__

stacktrace:
0x2373fd
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: cc 50 ff 15 3c 13 24 00 a1 94 30 24 00 c3 8b 44
exception.instruction: int3
exception.exception_code: 0x80000003
exception.symbol:
exception.address: 0x237e42
registers.esp: 38074696
registers.edi: 38074760
registers.eax: 6534816
registers.ebp: 38074812
registers.edx: 2130553844
registers.ebx: 1411408
registers.esi: 2326059
registers.ecx: 753664000
1 0 0

__exception__

stacktrace:
0x237500
0x2373fd
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: ff 15 3c 13 24 00 a1 94 30 24 00 c9 c3 8b 44 24
exception.instruction: call dword ptr [0x24133c]
exception.exception_code: 0x80000004
exception.symbol:
exception.address: 0x238689
registers.esp: 38074684
registers.edi: 38074764
registers.eax: 770
registers.ebp: 38074692
registers.edx: 2130553844
registers.ebx: 1411408
registers.esi: 2328157
registers.ecx: 6534816
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 102400
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00622000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1000
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00230000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x778e6000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1000
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00280000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1000
region_size: 16777216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024a0000
allocation_type: 2109440 (MEM_COMMIT|MEM_RESERVE|MEM_WRITE_WATCH)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

LdrGetDllHandle

module_name: snxhk.dll
module_address: 0x00000000
stack_pivoted: 0
3221225781 0

LdrGetDllHandle

module_name: snxhk.dll
module_address: 0x00000000
stack_pivoted: 0
3221225781 0
Bkav W32.MushrwuNocC.Trojan
Lionic Trojan.Win32.Strab.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.448594
CAT-QuickHeal Trojan.Rhadamanthys
McAfee Artemis!E179B14F2697
Malwarebytes Spyware.PasswordStealer
Zillya Trojan.Strab.Win32.879
Sangfor Trojan.Win32.Strab.V95y
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Trojan:Win32/Strab.4c133c38
K7GW Trojan ( 0059f0951 )
K7AntiVirus Trojan ( 0059f0951 )
Arcabit Trojan.Zusy.D6D852
BitDefenderTheta Gen:NN.ZexaF.36344.lqW@a4tcFNk
VirIT Trojan.Win32.Genus.NYZ
Cyren W32/Agent.FRQ.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/Agent.AFES
Cynet Malicious (score: 100)
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Strab.gen
BitDefender Gen:Variant.Zusy.448594
NANO-Antivirus Trojan.Win32.Dwn.juuhsf
Avast Win32:TrojanX-gen [Trj]
Tencent Malware.Win32.Gencirc.10bddcf2
Sophos Generic ML PUA (PUA)
DrWeb Trojan.DownLoader45.41138
VIPRE Gen:Variant.Zusy.448594
TrendMicro TrojanSpy.Win32.RHADAMANTHYS.YXDCMZ
McAfee-GW-Edition BehavesLike.Win32.Generic.ch
Trapmine malicious.high.ml.score
FireEye Generic.mg.e179b14f26972c15
Emsisoft Gen:Variant.Zusy.448594 (B)
Jiangmin Trojan.Strab.boc
Avira TR/Agent.xnctp
MAX malware (ai score=84)
Antiy-AVL Trojan/Win32.Wacatac
Gridinsoft Malware.Win32.Gen.bot
Microsoft Trojan:Win32/Rhadamanthys.A!MTB
ViRobot Trojan.Win.Z.Zusy.183808.P
GData Gen:Variant.Zusy.448594
Google Detected
AhnLab-V3 Trojan/Win.Generic.C5378330
VBA32 Trojan.Khalesi
ALYac Gen:Variant.Zusy.448594
TACHYON Trojan/W32.Strab.183808.C
Cylance unsafe
TrendMicro-HouseCall TrojanSpy.Win32.RHADAMANTHYS.YXDCMZ