Summary | ZeroBOX

hugo.exe

MPRESS UPX PE64 PE File
Category FILE
Machine s1_win7_x6401
Started April 18, 2023, 9:35 a.m.
Completed April 18, 2023, 9:38 a.m.
Size 2.9MB
Type MS-DOS executable, MZ for MS-DOS
MD5 85150fc161f06e745f463388cd0fff4f
SHA256 6e49adb9932cd17f4b40af488ebf866d6de827dd7746ed1c47ed761c7f2ce4b6
CRC32 13F141E4
ssdeep 49152:iTuQ/+UDDq542HWdVlV7t2ftBl2fULWXBnWXg/wOy6vb3dvwM3Qh5h:iTu4+U/2QlVmtBaJw6z3Nwj
Yara
  • UPX_Zero - UPX packed file
  • MPRESS_Zero - MPRESS packed file
  • IsPE64 - (no description)
  • themida_packer - themida packer
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .MPRESS1
section .MPRESS2
resource name WAIT
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x76d80895
stacktrace+0x84 memdup-0x1af @ 0x73980470
hook_in_monitor+0x45 lde-0x133 @ 0x739742ea
New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x73993603
VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefd503243
VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefd5031fb
hugo+0x1fcb05 @ 0xf6cb05
GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76c12ef0
0x8f7fff

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x76d80895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 3405096
registers.rsi: 23498752
registers.r10: 0
registers.rbx: 1992371952
registers.rsp: 3407352
registers.r11: 514
registers.r8: 64
registers.r9: 4
registers.rdx: 3406440
registers.r12: 0
registers.rbp: 0
registers.rdi: 14090607
registers.rax: 3404776
registers.r13: 0
1 0 0
name RT_BITMAP language LANG_CHINESE filetype empty sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x008d7e80 size 0x00000144
section .MPRESS1 size_of_data 0x002c1a00 virtual_address 0x00001000 virtual_size 0x008f9000 entropy 7.9922721163 description A section with a high entropy has been found
entropy 0.955322389575 description Overall entropy of this PE file is high
Lionic Trojan.Win32.ClipBanker.Z!c
tehtris Generic.Malware
MicroWorld-eScan Trojan.GenericKD.66414830
FireEye Generic.mg.85150fc161f06e74
CAT-QuickHeal Trojan.ClipBanker
ALYac Trojan.GenericKD.66414830
Malwarebytes Trojan.FakeMS
CrowdStrike win/malicious_confidence_100% (W)
Symantec ML.Attribute.HighConfidence
APEX Malicious
BitDefender Trojan.GenericKD.66414830
Trapmine malicious.high.ml.score
Sophos Mal/Generic-S
Gridinsoft Ransom.Win64.Banker.sa
Arcabit Trojan.Generic.D3F568EE
AhnLab-V3 Trojan/Win.Generic.C5412061
MAX malware (ai score=86)
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H07DG23
Rising Trojan.ClipBanker!8.5FB (CLOUD)
Fortinet Malicious_Behavior.SB
DeepInstinct MALICIOUS