Summary | ZeroBOX

update_v103.exe

Tags: MPRESS, UPX, PE64, PE File

Category: FILE
Machine: s1_win7_x6401
Started: April 16, 2023, 4:21 p.m.
Completed: April 16, 2023, 4:30 p.m.
Size 2.6MB
Type MS-DOS executable, MZ for MS-DOS
MD5 e30ecf9397dd0df9222d8b3011cd9816
SHA256 d3ec01a6b89cd8c7e5e52cd5bb60ca307b14e7a5b417ab0eae7160dc75e6a314
CRC32 7048F3C7
ssdeep 49152:iNdLWowTt/woYqVc+gffn6I79tb5myweSuTZ0NZlfDCWWqYweUMNhmd71Labv9V6:iNdLs6xp+g6Cb5mywe/Z0zAWWXweUMzn
Yara
  • UPX_Zero - UPX packed file
  • MPRESS_Zero - MPRESS packed file
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

DNS (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP traffic (IP Address / Status / Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Signatures

  • section .MPRESS1
  • section .MPRESS2
  • resource name WAIT

API calls (Time & API / Arguments / Status / Return / Repeated)

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x76d80895
stacktrace+0x84 memdup-0x1af @ 0x73980470
hook_in_monitor+0x45 lde-0x133 @ 0x739742ea
New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x73993603
VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd503243
VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd5031fb
update_v103+0x1fcb05 @ 0x4ecb05
GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76c12ef0
update_v103+0x4dcfff @ 0x7ccfff
GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76c12ef0
update_v103+0x7ce000 @ 0xabe000
update_v103+0x1000 @ 0x2f1000
update_v103+0x4dafd1 @ 0x7cafd1
0x7fffffd4000
update_v103+0x7cf085 @ 0xabf085
0x7fffffd4000

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x76d80895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 14284136
registers.rsi: 11264000
registers.r10: 0
registers.rbx: 1992371952
registers.rsp: 14286456
registers.r11: 514
registers.r8: 64
registers.r9: 4
registers.rdx: 14285480
registers.r12: 0
registers.rbp: 0
registers.rdi: 3080559
registers.rax: 14283816
registers.r13: 0
Status 1, Return 0, Repeated 0
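How to read the single __exception__ record above. Walking the stack trace from the bottom up, the sample (update_v103+0x1fcb05) calls VirtualProtect; the sandbox monitor's hook on NtProtectVirtualMemory (New_ntdll_NtProtectVirtualMemory, hook_in_monitor, stacktrace) then calls RtlCaptureContext, which faults. The first seven bytes of exception.instruction_r, 0f ae 81 00 01 00 00, decode to fxsave [rcx+0x100], the instruction that stores the x87/SSE state into the FltSave area of a CONTEXT structure; FXSAVE requires a 16-byte aligned operand and raises #GP otherwise, which Windows reports as 0xC0000005. With rcx = 14284136, the operand address is 14284392, which is 8 modulo 16, so the access violation is consistent with a misaligned CONTEXT buffer inside the monitor's own stack walk rather than with a fault in the sample's code. The following Python is an added example, not part of the ZeroBOX report or its tooling; it takes the report's exception and register lines verbatim as constructed input, decodes the [base+disp32] form of FXSAVE, and checks the alignment. Only that one operand form is decoded; other ModRM forms return None.

```python
"""Decode the faulting FXSAVE from an exception record and test its operand alignment."""
import struct

# The report's own exception fields, copied verbatim as this example's constructed input.
EXCEPTION_RECORD = """\
exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.exception_code: 0xc0000005
registers.rcx: 14284136
registers.rsp: 14286456
registers.rax: 14283816
"""

# ModRM r/m encoding of the 64-bit general purpose registers when no REX prefix is present.
GPR64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def parse_record(text: str) -> dict:
    """Split 'key: value' lines into instruction bytes, exception code and register values."""
    rec = {"registers": {}}
    for line in text.splitlines():
        key, _, val = (part.strip() for part in line.partition(":"))
        if key == "exception.instruction_r":
            rec["instruction"] = bytes.fromhex(val)
        elif key == "exception.exception_code":
            rec["exception_code"] = int(val, 16)
        elif key.startswith("registers."):
            rec["registers"][key.split(".", 1)[1]] = int(val, 0)
    return rec


def decode_fxsave(insn: bytes):
    """Decode FXSAVE m512 (0F AE /0) with a [base + disp32] operand; None for any other form."""
    if len(insn) < 7 or insn[:2] != b"\x0f\xae":
        return None
    modrm = insn[2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    # /0 selects FXSAVE; mod=2 means a 32-bit displacement; rm=4 would require a SIB byte.
    if reg != 0 or mod != 2 or rm == 4:
        return None
    disp = struct.unpack_from("<i", insn, 3)[0]
    return GPR64[rm], disp


def explain_fault(text: str) -> dict:
    """Resolve the FXSAVE operand against the register dump and test its 16-byte alignment."""
    rec = parse_record(text)
    base, disp = decode_fxsave(rec["instruction"])
    effective = rec["registers"][base] + disp
    return {
        "mnemonic": f"fxsave [{base}+0x{disp:x}]",
        "effective_address": effective,
        # FXSAVE raises #GP on a misaligned operand; Windows surfaces that as 0xC0000005.
        "aligned16": effective % 16 == 0,
        "exception_code": rec["exception_code"],
    }


if __name__ == "__main__":
    info = explain_fault(EXCEPTION_RECORD)
    print(f"{info['mnemonic']} -> operand at 0x{info['effective_address']:x}, "
          f"16-byte aligned: {info['aligned16']}, code 0x{info['exception_code']:08x}")
```

The same parser works on any ZeroBOX/Cuckoo-style __exception__ block as long as the instruction_r and registers.* lines are present; when the faulting instruction is not an FXSAVE, decode_fxsave returns None and the alignment test does not apply.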
name RT_BITMAP language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x007c1df0 size 0x00000144
section .MPRESS1: virtual_address 0x00001000, virtual_size 0x007ce000, size_of_data 0x00297600, entropy 7.9999358645880125; description: A section with a high entropy has been found
overall entropy 0.980961182994; description: Overall entropy of this PE file is high
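The two findings above come from the PE section table: a section named .MPRESS1 whose raw data has entropy 7.9999 (the maximum is 8.0) and which occupies 0x297600 bytes on disk but 0x7ce000 bytes in memory, the shape of a packer that decompresses itself in place. The following Python is an added example, not code from the ZeroBOX report or the MPRESS/UPX tools; it parses the section table of a PE image with only the standard library, computes per-section and whole-file entropy, flags packer section names and raw-to-virtual inflation, and prints the MD5, SHA256 and CRC32 the report header lists. Because the sample itself is not available here, build_sample_pe constructs a minimal PE32+ with the same two MPRESS section names and deterministic pseudo-random filler standing in for packed code; the thresholds HIGH_ENTROPY and INFLATION_RATIO are the example's own, not values the report uses.

```python
"""Static PE triage: section names, per-section entropy and raw-vs-virtual size inflation."""
import hashlib
import math
import struct
import zlib
from collections import Counter

# Section names left by the two packers the report's Yara rules flag (MPRESS, UPX).
PACKER_SECTION_NAMES = {".MPRESS1", ".MPRESS2", "UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY = 7.5      # bits per byte; compressed or encrypted data sits close to 8.0 (assumed threshold)
INFLATION_RATIO = 2.0   # virtual_size / size_of_data above this suggests in-place unpacking (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table (enough for triage)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]          # 0x10B = PE32, 0x20B = PE32+
    table = opt + opt_size                                 # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "size_of_data": rawsize,
            "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize]),
        })
    return {"machine": machine, "pe64": magic == 0x20B, "sections": sections}


def triage(pe: bytes) -> dict:
    """Hashes as in the report header plus packer indicators derived from the section table."""
    info = parse_pe(pe)
    findings = []
    for s in info["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"packer section name {s['name']}")
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"high entropy section {s['name']} ({s['entropy']:.4f})")
        if s["size_of_data"] and s["virtual_size"] / s["size_of_data"] >= INFLATION_RATIO:
            findings.append(f"section {s['name']} inflates from 0x{s['size_of_data']:x} "
                            f"to 0x{s['virtual_size']:x} in memory")
    return {
        "md5": hashlib.md5(pe).hexdigest(),
        "sha256": hashlib.sha256(pe).hexdigest(),
        "crc32": f"{zlib.crc32(pe) & 0xFFFFFFFF:08X}",
        "pe64": info["pe64"],
        "overall_entropy": shannon_entropy(pe),
        "sections": info["sections"],
        "findings": findings,
    }


def _filler(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in for packed code."""
    out, i = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ shaped like the report's sample: two MPRESS sections, no real code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE header follows the DOS header
    opt_size = 240                                         # size of a PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)   # AMD64, two sections
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    raw_base = (64 + 4 + 20 + opt_size + 2 * 40 + 0x1FF) & ~0x1FF   # first raw section at 0x200
    packed = _filler(0x10000)                              # "compressed" payload, unpacks to 0x40000 bytes
    stub = bytes(0x200)                                    # zero-filled stand-in for the unpacking stub
    sec1 = struct.pack("<8sIIII", b".MPRESS1", 0x40000, 0x1000, len(packed), raw_base) + bytes(16)
    sec2 = struct.pack("<8sIIII", b".MPRESS2", 0x1000, 0x41000, len(stub), raw_base + len(packed)) + bytes(16)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec1 + sec2
    return headers.ljust(raw_base, b"\0") + packed + stub


if __name__ == "__main__":
    report = triage(build_sample_pe())
    print(report["md5"], report["sha256"], report["crc32"], "PE32+" if report["pe64"] else "PE32")
    for s in report["sections"]:
        print(f"  {s['name']:<9} raw=0x{s['size_of_data']:06x} virt=0x{s['virtual_size']:06x} "
              f"entropy={s['entropy']:.4f}")
    for finding in report["findings"]:
        print("  !", finding)
```

To run it against a real file, replace build_sample_pe() with the bytes read from disk; the parser only reads the headers and section table, so it is safe to run on untrusted input as long as the file is not executed.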
Antivirus (engine, verdict)

Lionic Trojan.Win32.ClipBanker.Z!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.66377002
CAT-QuickHeal Trojan.ClipBanker
ALYac Trojan.GenericKD.66377002
Malwarebytes Malware.AI.4140650064
Sangfor Banker.Win32.Clipbanker.V3gx
K7AntiVirus Trojan ( 005a24431 )
Alibaba TrojanBanker:Win32/ClipBanker.81d67219
K7GW Trojan ( 005a24431 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D3F4D52A
Cyren W64/ABRisk.YACG-0177
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 a variant of Win64/Packed.Themida.OT
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 99)
Kaspersky Trojan-Banker.Win32.ClipBanker.xtw
BitDefender Trojan.GenericKD.66377002
Avast Win64:Trojan-gen
Tencent Win32.Trojan-Banker.Clipbanker.Timw
Emsisoft Trojan.GenericKD.66377002 (B)
F-Secure Trojan.TR/Spy.Banker.zidex
VIPRE Trojan.GenericKD.66377002
McAfee-GW-Edition BehavesLike.Win64.Trojan.vc
Trapmine malicious.high.ml.score
FireEye Generic.mg.e30ecf9397dd0df9
Sophos Mal/Generic-S
Avira TR/Spy.Banker.zidex
Antiy-AVL Trojan[Packed]/Win64.Themida
Gridinsoft Ransom.Win64.Sabsik.sa
Microsoft Trojan:Win64/ClipBanker!MSR
ZoneAlarm Trojan-Banker.Win32.ClipBanker.xtw
GData Trojan.GenericKD.66377002
Google Detected
AhnLab-V3 Trojan/Win.Generic.C5412061
Acronis suspicious
McAfee Artemis!E30ECF9397DD
MAX malware (ai score=82)
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R03BH0CDE23
Rising Trojan.ClipBanker!8.5FB (CLOUD)
Ikarus Trojan.Win64.Themida
Fortinet Malicious_Behavior.SB
AVG Win64:Trojan-gen
DeepInstinct MALICIOUS