Summary | ZeroBOX

lifting.exe

Tags: Malicious Library, UPX, OS Processor Check, PE32, PE File
Category FILE
Machine s1_win7_x6401
Started April 5, 2023, 8:54 a.m.
Completed April 5, 2023, 8:56 a.m.
Size 301.9KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 b674dc63057d15e26d5ca8842f4c0605
SHA256 05fece5d7f25f6c837f8f7588c8bba70fac41cd0f0be7c84f71f7d2ee1acccd3
CRC32 3949AC52
ssdeep 6144:/Ya6r25cqnykdlqBzW9pQhb5JUiLZWGkmAXrQVYvo7W:/YZ25ny+Mi9A5JD1WdmAxeW
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Hosts contacted (Name / Response / Post-Analysis Lookup)
No hosts contacted.
IP addresses (IP Address / Status / Action)
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

Status 1, Return 1, Repeated 0
section .ndata (the data section of a Nullsoft/NSIS installer stub, consistent with the "Nullsoft Installer self-extracting archive" file type above)
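The three static indicators the report tags (PE32 magic, the NSIS .ndata section, UPX section names) can be recovered from the section table alone. The following Python is an added example, not part of the ZeroBOX report or its Yara rules: it parses the DOS header, PE signature, file header and section table by hand, then derives those tags plus a check for writable-and-executable sections, which packed stubs typically carry. The build_pe helper fabricates a header-only image as constructed test input; it is not the sample's layout, and the tag names are this script's own. Section names are a weak signal that a repacked stub can rename, so treat the result as a triage hint, not a verdict.

```python
import struct

# Section-characteristic bits from the PE spec (IMAGE_SCN_*).
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes
FILE_HDR = "<HHIIIHH"               # IMAGE_FILE_HEADER, 20 bytes


def build_pe(sections, pe32=True):
    """Constructed test input: a header-only PE image with the given
    (name, characteristics) sections. Not the sample's real layout."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic, opt_size = (0x10B, 0xE0) if pe32 else (0x20B, 0xF0)
    machine = 0x14C if pe32 else 0x8664
    file_hdr = struct.pack(FILE_HDR, machine, len(sections), 0, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", magic) + b"\0" * (opt_size - 2)
    table = b""
    for i, (name, chars) in enumerate(sections):
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                             0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                             0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + table


def parse_pe(data):
    """Walk DOS header -> PE signature -> file header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(FILE_HDR, data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]   # optional header starts here
    sec_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_HDR, data, sec_off + 40 * i)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": fields[1], "virtual_address": fields[2],
            "raw_size": fields[3], "raw_pointer": fields[4],
            "characteristics": fields[9],
        })
    return {"magic": magic, "machine": machine, "file_characteristics": chars,
            "sections": sections}


def classify(info):
    """Tags in the spirit of the report's PE32 / UPX / .ndata indicators."""
    tags = set()
    if info["magic"] == 0x10B:
        tags.add("PE32")
    elif info["magic"] == 0x20B:
        tags.add("PE32+")
    names = [s["name"] for s in info["sections"]]
    if ".ndata" in names:            # NSIS reserves .ndata for its installer data
        tags.add("NSIS")
    if any(n.startswith("UPX") for n in names):
        tags.add("UPX")
    if any(s["characteristics"] & SCN_MEM_EXECUTE and s["characteristics"] & SCN_MEM_WRITE
           for s in info["sections"]):
        tags.add("RWX_SECTION")      # writable code sections are typical of packed stubs
    return tags


if __name__ == "__main__":
    sample = build_pe([(".text", 0x60000020), (".ndata", 0xC0000080), ("UPX1", 0xE0000060)])
    print(sorted(classify(parse_pe(sample))))
```

To run it against a real file, replace the constructed image with `open(path, "rb").read()`; only the headers are read, so a truncated or header-only dump is enough.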
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.symbol: (none)
exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION)
exception.address: 0xffd612e0
registers.esp: 4519908 (0x0044f7e4)
registers.edi: 0
registers.eax: 1968976824 (0x755c33b8)
registers.ebp: 4519916 (0x0044f7ec)
registers.edx: 4292219616 (0xffd612e0, the same value as exception.address)
registers.ebx: 2130567168 (0x7efde000)
registers.esi: 0
registers.ecx: 0
Status 1, Return 0, Repeated 0

The faulting address lies above the user-mode address range of a 32-bit process and equals edx, so the access violation most likely came from an instruction dereferencing a bad pointer held in edx. The two frames place ntdll at base 0x76f49ed2 - 0x39ed2 = 0x76f10000 in this analysis session.
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732a2000
process_handle: 0xffffffff (the current-process pseudo-handle)
Status 1, Return 0, Repeated 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01cd0000
allocation_type: 12288 (0x3000 = MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff (the current-process pseudo-handle)
Status 1, Return 0, Repeated 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ce0000
allocation_type: 12289 (0x3001 = MEM_COMMIT|MEM_RESERVE plus a stray 0x1 bit that is not a documented allocation flag; the report's label omits it)
process_handle: 0xffffffff (the current-process pseudo-handle)
Status 1, Return 0, Repeated 0

All three calls create writable-and-executable memory in the caller's own process, the usual preparation for unpacking code that is then run in place.
file C:\Users\test22\AppData\Local\Temp\xlobkc.exe
Process injection: process 2640 called NtSetContextThread to modify a thread in remote process 2684.
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652 (0x76f201c4; with ntdll at base 0x76f10000 per the exception stack trace above, this is ntdll+0x101c4)
registers.esp: 4520008 (0x0044f848)
registers.edi: 0
registers.eax: 725728 (0x000b12e0)
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168 (0x7efde000, the same value ebx holds in the exception record above)
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000c8
process_identifier: 2684 (target process)
Status 1, Return 0, Repeated 0

The new context leaves eip inside ntdll and sets eax to a low image address. That fits the initial context of a suspended primary thread on 32-bit Windows, where eax holds the entry point, ebx the PEB address, and ntdll's thread-start routine calls through eax, so an injector can redirect execution by changing eax alone. Together with the PAGE_EXECUTE_READWRITE allocations above, this is the pattern a hollowing-style injector produces. The report does not show the memory written into process 2684, so what actually runs at 0x000b12e0 cannot be determined from this page.
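The API rows above are what a triage script would consume: decode the numeric protection and allocation-type words (keeping undocumented bits visible instead of silently dropping them, as the 12289 label does), flag writable-and-executable memory, and flag a NtSetContextThread whose target process differs from the caller. The following Python is an added example, not ZeroBOX or Cuckoo code; the records are transcribed from this report, the flag tables are the Win32 PAGE_* and MEM_* constants, and the "pid"/"process_identifier" split for NtSetContextThread (caller vs. target) follows the signature line, since the raw row only carries the target.

```python
"""Triage the API-call records from the ZeroBOX report above (added example)."""

PROTECTION_FLAGS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD",
    0x200: "PAGE_NOCACHE",
    0x400: "PAGE_WRITECOMBINE",
}
ALLOCATION_FLAGS = {
    0x1000: "MEM_COMMIT",
    0x2000: "MEM_RESERVE",
    0x80000: "MEM_RESET",
    0x100000: "MEM_TOP_DOWN",
    0x200000: "MEM_WRITE_WATCH",
    0x400000: "MEM_PHYSICAL",
    0x20000000: "MEM_LARGE_PAGES",
}
# Protections that are both writable and executable: memory a process can
# fill with code and then run, which unpackers and injectors need.
WRITABLE_EXECUTABLE = {0x40, 0x80}


def decode_flags(value, table):
    """Expand a numeric flag word into names; unknown bits stay visible."""
    names, remaining = [], value
    for bit, name in sorted(table.items()):
        if value & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append("0x%x (undocumented)" % remaining)
    return "|".join(names) if names else "0"


# Transcribed from the report. For NtSetContextThread, "pid" is the calling
# process and "process_identifier" the target, as the signature line states.
RECORDS = [
    {"api": "NtProtectVirtualMemory", "pid": 2544, "process_identifier": 2544,
     "base_address": 0x732a2000, "length": 4096, "protection": 64},
    {"api": "NtAllocateVirtualMemory", "pid": 2640, "process_identifier": 2640,
     "base_address": 0x01cd0000, "region_size": 8192, "protection": 64,
     "allocation_type": 12288},
    {"api": "NtAllocateVirtualMemory", "pid": 2640, "process_identifier": 2640,
     "base_address": 0x01ce0000, "region_size": 4096, "protection": 64,
     "allocation_type": 12289},
    {"api": "NtSetContextThread", "pid": 2640, "process_identifier": 2684,
     "thread_handle": 0xc8, "registers": {"eip": 1995571652, "esp": 4520008,
                                           "eax": 725728, "ebx": 2130567168}},
]


def triage(records):
    """Return (findings, decoded rows); finding names are this script's own."""
    findings, rows = [], []
    for r in records:
        row = dict(r)
        if "protection" in r:
            row["protection_names"] = decode_flags(r["protection"], PROTECTION_FLAGS)
            if r["protection"] in WRITABLE_EXECUTABLE:
                findings.append("rwx_memory pid=%d base=0x%08x api=%s"
                                % (r["pid"], r["base_address"], r["api"]))
        if "allocation_type" in r:
            row["allocation_names"] = decode_flags(r["allocation_type"], ALLOCATION_FLAGS)
            if "undocumented" in row["allocation_names"]:
                findings.append("odd_allocation_type pid=%d value=0x%x"
                                % (r["pid"], r["allocation_type"]))
        if r["api"] == "NtSetContextThread" and r["pid"] != r["process_identifier"]:
            row["eip_hex"] = "0x%08x" % r["registers"]["eip"]
            findings.append("remote_thread_context pid=%d target=%d eip=%s"
                            % (r["pid"], r["process_identifier"], row["eip_hex"]))
        rows.append(row)
    return findings, rows


if __name__ == "__main__":
    for line in triage(RECORDS)[0]:
        print(line)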
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
DrWeb Trojan.Loader.1389
MicroWorld-eScan Gen:Variant.Babar.161191
FireEye Generic.mg.b674dc63057d15e2
McAfee Artemis!B674DC63057D
Malwarebytes Generic.Malware/Suspicious
VIPRE Gen:Variant.Babar.161191
Sangfor Suspicious.Win32.Save.ins
CrowdStrike win/malicious_confidence_100% (D)
BitDefenderTheta Gen:NN.ZexaF.36132.guW@aWwOADei
Cyren W32/Injector.BLJ.gen!Eldorado
Symantec Packed.NSISPacker!g14
ESET-NOD32 a variant of Win32/Injector_AGen.UH
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Variant.Babar.161191
Avast Win32:AdwareX-gen [Adw]
Tencent Win32.Trojan.Agen.Pzfl
Emsisoft Gen:Variant.Babar.161191 (B)
F-Secure Heuristic.HEUR/AGEN.1319136
TrendMicro TROJ_GEN.R002C0DD423
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Trapmine malicious.moderate.ml.score
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Avira HEUR/AGEN.1337962
Microsoft Trojan:Win32/NSISInject.BC!MTB
Arcabit Trojan.Babar.D275A7
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Gen:Variant.Babar.161191
Google Detected
AhnLab-V3 Trojan/Win.Agent.C5382526
ALYac Gen:Variant.Babar.161191
MAX malware (ai score=87)
Cylance unsafe
Panda Trj/Genetic.gen
TrendMicro-HouseCall TROJ_GEN.R002H0CD423
Rising Trojan.Nsisinject!8.11178 (TFE:5:ngbcsK7LZQL)
Ikarus Trojan-Spy.FormBook
Fortinet W32/Injector.PM!tr
AVG Win32:AdwareX-gen [Adw]
DeepInstinct MALICIOUS