Summary | ZeroBOX

6.ocx

Tags: Generic Malware, UPX, Malicious Library, VMProtect, PE File, PE32
Category FILE
Machine s1_win7_x6401
Started March 17, 2023, 9:42 a.m.
Completed March 17, 2023, 10:06 a.m.
Size 1.2MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ef4a2bb28bee4196a1996de11a3bbf8b
SHA256 870a43d88877a0a3e894c444742e29db08aa9c3ee11b8f355eda9c195cd00a4b
CRC32 A8512947
ssdeep 12288:5zU3p48uWBJuktdYlf+TaSW9gzpCIAhgxqfcm/qEwU6nYYl7SRBd0OzW5lho:5zJMjJFaSWOzpNnPuBd0oW5n
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • VMProtect_Zero - VMProtect packed file

Name Response Post-Analysis Lookup
3005.qmananan.com 206.233.132.92

IP Address Status Action
164.124.101.2 Active Moloch
206.233.132.92 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .vmp0
section .vmp1
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
  process_identifier: 2560
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 57344
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x00401000
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0
name RT_GROUP_ICON
language LANG_CHINESE
sublanguage SUBLANG_CHINESE_SIMPLIFIED
filetype data
offset 0x001b9058
size 0x0002b07c
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
  process_identifier: 2560
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 36864
  protection: 32 (PAGE_EXECUTE_READ)
  base_address: 0x10001000
  process_handle: 0xffffffff
  Status: 1  Return: 0  Repeated: 0
section .vmp1 (size_of_data 0x000b0000, virtual_address 0x00109000, virtual_size 0x000afdee, entropy 7.918257762449476) description A section with a high entropy has been found
entropy 0.8 description Overall entropy of this PE file is high
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Trojan.Heur.RP.kzZ@bSjE9Ykb
FireEye Generic.mg.ef4a2bb28bee4196
Cylance unsafe
Sangfor Trojan.Win32.Agent.A02q
K7AntiVirus Trojan ( 7000001c1 )
K7GW Trojan ( 7000001c1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Heur.RP.ED8E8F
BitDefenderTheta AI:Packer.EDAA4FEB1F
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Packed.VMProtect.ABO
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Trojan.Heur.RP.kzZ@bSjE9Ykb
Avast Win32:RATX-gen [Trj]
Tencent Win32.Trojan.Crypt.Lajl
Sophos Mal/VMProtBad-A
VIPRE Gen:Trojan.Heur.RP.kzZ@bSjE9Ykb
McAfee-GW-Edition BehavesLike.Win32.Generic.tm
Trapmine malicious.high.ml.score
Emsisoft Gen:Trojan.Heur.RP.kzZ@bSjE9Ykb (B)
Ikarus Trojan.Win32.VMProtect
Google Detected
Avira TR/Crypt.XPACK.Gen
MAX malware (ai score=81)
Microsoft Trojan:Win32/Farfli.DSK!MTB
GData Gen:Trojan.Heur.RP.kzZ@bSjE9Ykb
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Farfli.R562279
Acronis suspicious
VBA32 BScope.Backdoor.Farfli
ALYac Gen:Trojan.Heur.RP.kzZ@bSjE9Ykb
Malwarebytes Malware.AI.1768574864
Rising Trojan.Generic@AI.100 (RDMK:cmRtazoLb3Z0aDToUkpQRn1XQhqL)
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Zard.30!tr
AVG Win32:RATX-gen [Trj]
Panda Trj/Genetic.gen
dead_host 192.168.56.101:49191
dead_host 192.168.56.101:49202
dead_host 192.168.56.101:49231
dead_host 192.168.56.101:49165
dead_host 192.168.56.101:49242
dead_host 206.233.132.92:3005
dead_host 192.168.56.101:49237
dead_host 192.168.56.101:49259
dead_host 192.168.56.101:49193
dead_host 192.168.56.101:49254
dead_host 192.168.56.101:49188
dead_host 192.168.56.101:49207
dead_host 192.168.56.101:49228
dead_host 192.168.56.101:49247
dead_host 192.168.56.101:49181
dead_host 192.168.56.101:49256
dead_host 192.168.56.101:49198
dead_host 192.168.56.101:49209
dead_host 192.168.56.101:49204
dead_host 192.168.56.101:49217
dead_host 192.168.56.101:49244
dead_host 192.168.56.101:49170
dead_host 192.168.56.101:49187
dead_host 192.168.56.101:49214
dead_host 192.168.56.101:49227
dead_host 192.168.56.101:49161
dead_host 192.168.56.101:49222
dead_host 192.168.56.101:49176
dead_host 192.168.56.101:49233
dead_host 192.168.56.101:49175
dead_host 192.168.56.101:49250
dead_host 192.168.56.101:49184
dead_host 192.168.56.101:49203
dead_host 192.168.56.101:49224
dead_host 192.168.56.101:49166
dead_host 192.168.56.101:49243
dead_host 192.168.56.101:49177
dead_host 192.168.56.101:49238
dead_host 192.168.56.101:49172
dead_host 192.168.56.101:49194
dead_host 192.168.56.101:49255
dead_host 192.168.56.101:49189
dead_host 192.168.56.101:49200
dead_host 192.168.56.101:49229
dead_host 192.168.56.101:49240
dead_host 192.168.56.101:49182
dead_host 192.168.56.101:49257
dead_host 192.168.56.101:49199
dead_host 192.168.56.101:49252
dead_host 192.168.56.101:49210