Summary | ZeroBOX

12.ocx

Tags: Generic Malware, UPX, Malicious Library, VMProtect, PE File, PE32

Category   Machine            Started                  Completed
FILE       s1_win7_x6403_us   May 3, 2023, 9:22 a.m.   May 3, 2023, 9:28 a.m.
Size 924.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c7c3f41117bfe6c2635686e7dc2bfc65
SHA256 12ba6e9ec28e702a832577ad78d074db366336d68033c717f72ec2a0ab6cb94a
CRC32 6D26B29D
ssdeep 12288:Jjx/uFxRp2kqQh+8++egiHAtc6HrriDkwtGfDDOLMb7gOADfr9Tv4gXS6:xx/WxRp0B+AFeukDDXXyDfRjXi
Yara
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • VMProtect_Zero - VMProtect packed file
  • Malicious_Library_Zero - Malicious_Library
  • Generic_Malware_Zero - Generic Malware

Name             Response        Post-Analysis Lookup
6.cmananan.com   27.124.46.157

IP Address      Status   Action
164.124.101.2   Active   Moloch
27.124.46.157   Active   Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .vmp0
section .vmp1
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 57344
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
process_handle: 0xffffffff
1 0 0
description 12.ocx tried to sleep 193 seconds, actually delayed analysis time by 193 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 9931620352
free_bytes_available: 9931620352
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x001c75c0 size 0x00000468
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x001c7a28 size 0x0002b07c
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 292
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 36864
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
section .vmp1 (size_of_data 0x000b6000, virtual_address 0x0010d000, virtual_size 0x000b58b3, entropy 7.8977032802278915) description A section with a high entropy has been found
entropy 0.791304347826 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x00000270
process_name: pw.exe
process_identifier: 6619182
0 0
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
Bkav W32.AIDetectMalware
MicroWorld-eScan Gen:Variant.Jaik.106867
FireEye Generic.mg.c7c3f41117bfe6c2
ALYac Gen:Variant.Jaik.106867
Malwarebytes Backdoor.Farfli
K7AntiVirus Trojan ( 7000001c1 )
K7GW Trojan ( 7000001c1 )
Cybereason malicious.117bfe
Arcabit Trojan.Jaik.D1A173
BitDefenderTheta AI:Packer.DFBD157A1F
Cyren W32/Farfli.IP.gen!Eldorado
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Packed.VMProtect.ABO
APEX Malicious
Kaspersky VHO:Backdoor.Win32.Convagent.gen
BitDefender Gen:Variant.Jaik.106867
Avast Win32:RATX-gen [Trj]
Emsisoft Gen:Variant.Jaik.106867 (B)
F-Secure Trojan.TR/Black.Gen2
VIPRE Gen:Variant.Jaik.106867
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Trapmine malicious.high.ml.score
Sophos Mal/VMProtBad-A
Ikarus Trojan.Win32.VMProtect
Google Detected
Avira TR/Black.Gen2
Microsoft Trojan:Win32/Farfli.DSK!MTB
ZoneAlarm VHO:Backdoor.Win32.Convagent.gen
GData Gen:Variant.Jaik.106867
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Farfli.R573513
MAX malware (ai score=87)
VBA32 BScope.Backdoor.Farfli
Cylance unsafe
Panda Trj/Genetic.gen
Rising Trojan.Generic@AI.99 (RDMK:cmRtazrD+6FZYRn28VMRH45Kk1IC)
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Zard.30!tr
AVG Win32:RATX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_90% (D)