Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 6, 2023, 9:53 a.m.	April 6, 2023, 9:56 a.m.

Size	2.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fe87505c13a6a986885193cb177d4607`
SHA256	`a7f37926eb21924303d17007e8dd4d87c0bb428d1663a86d24d1ca38442ef845`
CRC32	`7B204EB3`
ssdeep	`49152:hlkWk5cS7a+9XYaQHZehc4mTYJ78V9gyBn4cbfmP/SA8N:3ajJ4Z942KQV9hp4UfmP/SA8`
Yara	UPX_Zero - UPX packed file IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature

Payment_Copy.exe "C:\Users\test22\AppData\Local\Temp\Payment_Copy.exe"
3032
- cmd.exe cmd.exe /c C:\Users\test22\AppData\Local\Temp\
  932

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA April 6, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 6, 2023, 9:53 a.m.	buffer: 'C:\Users\test22\AppData\Local\Temp\' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 6, 2023, 9:53 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	CUSTOM
resource name	SHA

One or more processes crashed (12 events)

Time & API	Arguments	Status
__exception__ April 6, 2023, 9:53 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635416 registers.edi: 3455976 registers.eax: 1635416 registers.ebp: 1635496 registers.edx: 0 registers.ebx: 3455976 registers.esi: 3455976 registers.ecx: 2	1
__exception__ April 6, 2023, 9:53 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635376 registers.edi: 3455976 registers.eax: 1635376 registers.ebp: 1635456 registers.edx: 0 registers.ebx: 3455976 registers.esi: 3455976 registers.ecx: 2	1
__exception__ April 6, 2023, 9:53 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635360 registers.edi: 3455976 registers.eax: 1635360 registers.ebp: 1635440 registers.edx: 0 registers.ebx: 3455976 registers.esi: 3455976 registers.ecx: 2	1
__exception__ April 6, 2023, 9:53 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635376 registers.edi: 3455976 registers.eax: 1635376 registers.ebp: 1635456 registers.edx: 0 registers.ebx: 3455976 registers.esi: 3455976 registers.ecx: 2	1
__exception__ April 6, 2023, 9:53 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635060 registers.edi: 1635248 registers.eax: 1635060 registers.ebp: 1635140 registers.edx: 0 registers.ebx: 3455976 registers.esi: 1635248 registers.ecx: 2	1
__exception__ April 6, 2023, 9:53 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1634800 registers.edi: 3455976 registers.eax: 1634800 registers.ebp: 1634880 registers.edx: 0 registers.ebx: 3455976 registers.esi: 3455976 registers.ecx: 2	1
__exception__ April 6, 2023, 9:53 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635012 registers.edi: 3455976 registers.eax: 1635012 registers.ebp: 1635092 registers.edx: 0 registers.ebx: 3455976 registers.esi: 3455976 registers.ecx: 2	1
__exception__ April 6, 2023, 9:53 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1634800 registers.edi: 3455976 registers.eax: 1634800 registers.ebp: 1634880 registers.edx: 0 registers.ebx: 3455976 registers.esi: 3455976 registers.ecx: 2	1
__exception__ April 6, 2023, 9:53 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635272 registers.edi: 3455976 registers.eax: 1635272 registers.ebp: 1635352 registers.edx: 0 registers.ebx: 3455976 registers.esi: 3455976 registers.ecx: 2	1
__exception__ April 6, 2023, 9:53 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635384 registers.edi: 3455976 registers.eax: 1635384 registers.ebp: 1635464 registers.edx: 0 registers.ebx: 3455976 registers.esi: 3455976 registers.ecx: 2	1
__exception__ April 6, 2023, 9:53 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf ProcCallEngine+0x4ce7 __vbaUdtVar-0x1bcd msvbvm60+0x101d44 @ 0x72a41d44 ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33 payment_copy+0x822c @ 0x40822c IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034 IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667 IID_IVbaHost+0x3b77 UserDllMain-0x61740 msvbvm60+0x321b7 @ 0x729721b7 IID_IVbaHost+0x386d UserDllMain-0x61a4a msvbvm60+0x31ead @ 0x72971ead IID_IVbaHost+0x36291 UserDllMain-0x2f026 msvbvm60+0x648d1 @ 0x729a48d1 DLLGetDocumentation+0x25b2 EbGetVBAObject-0xb8f msvbvm60+0xc88e0 @ 0x72a088e0 DLLGetDocumentation+0x2619 EbGetVBAObject-0xb28 msvbvm60+0xc8947 @ 0x72a08947 IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33 payment_copy+0x4a70 @ 0x404a70 IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034 IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667 IID_IVbaHost+0x3b77 UserDllMain-0x61740 msvbvm60+0x321b7 @ 0x729721b7 IID_IVbaHost+0x386d UserDllMain-0x61a4a msvbvm60+0x31ead @ 0x72971ead IID_IVbaHost+0x36291 UserDllMain-0x2f026 msvbvm60+0x648d1 @ 0x729a48d1 IID_IVbaHost+0x418d8 UserDllMain-0x239df msvbvm60+0x6ff18 @ 0x729aff18 BASIC_CLASS_Release+0xfcaa IID_IVbaHost-0xff3d msvbvm60+0x1e703 @ 0x7295e703 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 payment_copy+0x1272 @ 0x401272 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1635424 registers.edi: 3455856 registers.eax: 1635424 registers.ebp: 1635504 registers.edx: 0 registers.ebx: 6452176 registers.esi: 1636004 registers.ecx: 2	1
__exception__ April 6, 2023, 9:53 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 1636788 registers.edi: 3455976 registers.eax: 1636788 registers.ebp: 1636868 registers.edx: 0 registers.ebx: 3455976 registers.esi: 3455976 registers.ecx: 2	1

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 6, 2023, 9:53 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74322000 process_handle: 0xffffffff	1	0	0

Creates a suspicious process (1 event)

cmdline

cmd.exe /c C:\Users\test22\AppData\Local\Temp\

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 6, 2023, 9:53 a.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x02570000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x00229000', u'virtual_address': u'0x00001000', u'entropy': 7.631944146059729, u'name': u'.text', u'virtual_size': u'0x002289a0'}

entropy

7.63194414606

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00042000', u'virtual_address': u'0x0022f000', u'entropy': 7.98475470082878, u'name': u'.rsrc', u'virtual_size': u'0x0004192c'}

entropy

7.98475470083

description

A section with a high entropy has been found

entropy

1.0

description

Overall entropy of this PE file is high

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

FireEye	Generic.mg.fe87505c13a6a986
Malwarebytes	KeyLogger.Spyware.Stealer.DDS
Sangfor	Suspicious.Win32.Save.vb
CrowdStrike	win/malicious_confidence_100% (D)
Cyren	W32/Keylogger.BD.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Spy.KeyLogger.NJK
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Keylogger.Kutaki-9969497-0
Kaspersky	HEUR:Trojan-Spy.Win32.KeyLogger.pef
Avast	Win32:Kutaki-A [Spy]
TrendMicro	TSPY_VBKEYLOG.SM
Trapmine	malicious.high.ml.score
SentinelOne	Static AI - Suspicious PE
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	HEUR:Trojan-Spy.Win32.KeyLogger.pef
Google	Detected
AhnLab-V3	Spyware/Win.Vbkeylog.R526413
Cylance	unsafe
TrendMicro-HouseCall	TSPY_VBKEYLOG.SM
Rising	Stealer.Kutaki!1.D278 (CLASSIC)
Ikarus	Trojan-Spy.Agent
Fortinet	W32/KeyLogger.ODN!tr
BitDefenderTheta	Gen:NN.ZevbaF.36132.Bo0@aydnObni
AVG	Win32:Kutaki-A [Spy]
DeepInstinct	MALICIOUS

Payment_Copy.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All