Summary | ZeroBOX

goland.exe

MPRESS PE64 PE File
Category FILE
Machine s1_win7_x6401
Started March 20, 2023, 9:43 a.m.
Completed March 20, 2023, 9:51 a.m.
Size 2.6MB
Type MS-DOS executable, MZ for MS-DOS
MD5 fc6d40512829e36687854cb0118a5a1e
SHA256 58c0d2f945207a56f5baefbb320d7ddbd01089205025de05133db173281e65e2
CRC32 1CBBD29A
ssdeep 49152:6EE4S6KbgMczZ3kXz64kU4r6mN2udLglBA9iHZN9OXOMbK:VEV6Kbmhkj14rzUMnibX
Yara
  • MPRESS_Zero - MPRESS packed file
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .MPRESS1
section .MPRESS2
resource name AVI
resource name None
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x76d80895
stacktrace+0x84 memdup-0x1af @ 0x73980470
hook_in_monitor+0x45 lde-0x133 @ 0x739742ea
New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x73993603
VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd503243
VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd5031fb
goland+0x1fcb05 @ 0xcbcb05
GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76c12ef0
0x83afff (this frame address appears 56 times in the captured stack)

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x76d80895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 3274040
registers.rsi: 19906560
registers.r10: 0
registers.rbx: 1992371952
registers.rsp: 3276296
registers.r11: 514
registers.r8: 64
registers.r9: 4
registers.rdx: 3275384
registers.r12: 0
registers.rbp: 0
registers.rdi: 11272559
registers.rax: 3273720
registers.r13: 0
status 1 return 0 repeated 0
section .MPRESS1 (virtual_address 0x00001000, virtual_size 0x0083c000, size_of_data 0x00296400, entropy 7.9999173446624) description A section with a high entropy has been found
entropy 0.998116051243 description Overall entropy of this PE file is high
Lionic Trojan.Win32.ClipBanker.Z!c
DrWeb Trojan.PWS.Stealer.35447
MicroWorld-eScan Trojan.GenericKD.66007625
FireEye Generic.mg.fc6d40512829e366
Sangfor Trojan.Win32.Agent.Vufq
CrowdStrike win/malicious_confidence_70% (W)
Symantec ML.Attribute.HighConfidence
Elastic malicious (moderate confidence)
ESET-NOD32 WinGo/ClipBanker.AJ
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky Trojan-Banker.Win32.ClipBanker.xnf
BitDefender Trojan.GenericKD.66007625
Avast Win64:BankerX-gen [Trj]
Sophos Generic ML PUA (PUA)
McAfee-GW-Edition BehavesLike.Win64.Generic.vc
Trapmine malicious.high.ml.score
Emsisoft Trojan.GenericKD.66011752 (B)
MAX malware (ai score=80)
Antiy-AVL Trojan[Banker]/Win32.ClipBanker
Gridinsoft Ransom.Win64.Wacatac.sa
Microsoft Trojan:Win32/Casdet!rfn
GData Trojan.GenericKD.66011752
Google Detected
McAfee Artemis!FC6D40512829
Rising Trojan.ClipBanker!8.5FB (CLOUD)
Fortinet W32/ClipBanker.AJ!tr
AVG Win64:BankerX-gen [Trj]