Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 24, 2023, 6:49 p.m.	May 24, 2023, 6:51 p.m.

Size	806.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`14d2501921d7cf94f36f5deb78c93982`
SHA256	`0b902145264ae6455a8d945c762dde3076642ca9447fef3828a743e714d0fb5d`
CRC32	`47436719`
ssdeep	`12288:j9Id6OrPwqTQAwBTTvY0Z3l9+P/bnqvPPOmWnADUcHvNEw3:j9XyTFwtTpZ1E32POMHm0`
Yara	UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals

Name	Response	Post-Analysis Lookup
cacerts.digicert.com	CNAME fp2e7a.wpc.2be4.phicdn.net CNAME fp2e7a.wpc.phicdn.net A 152.195.38.76	152.195.38.76
onedrive.live.com	CNAME l-0004.l-msedge.net CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-geo.onedrive.akadns.net CNAME web.fe.1drv.com CNAME odc-web-brs.onedrive.akadns.net A 13.107.42.13	13.107.42.13

Flow	SID	Signature	Category
TCP 192.168.56.102:49163 -> 13.107.42.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49163 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=onedrive.com	4e:11:98:32:9d:ab:e8:3b:be:4e:e9:05:86:88:8d:67:16:9b:c0:9b

packer

BobSoft Mini Delphi -> BoB / BobSoft

Time & API	Arguments	Status	Return	Repeated
__exception__ May 24, 2023, 6:49 p.m.	stacktrace: 0x3687b4e 0x3687b81 0x3687a9c 0x367ec3c 0x368eff6 0x36954a0 DriverCallback+0x4e waveOutOpen-0xa2e winmm+0x3af0 @ 0x74663af0 timeEndPeriod+0x54a timeKillEvent-0x57 winmm+0xa535 @ 0x7466a535 timeEndPeriod+0x449 timeKillEvent-0x158 winmm+0xa434 @ 0x7466a434 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 57075184 registers.edi: 0 registers.eax: 57075184 registers.ebp: 57075264 registers.edx: 0 registers.ebx: 57076988 registers.esi: 58568752 registers.ecx: 7	1	0	0

request	GET http://onedrive.live.com/download?cid=4FE79169F14FE906&resid=4FE79169F14FE906%21197&authkey=AJx2lN6RUxuMay0
request	GET http://cacerts.digicert.com/DigiCertGlobalRootG2.crt

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 24, 2023, 6:49 p.m.	process_identifier: 3032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory May 24, 2023, 6:49 p.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x730f2000 process_handle: 0xffffffff	1	0	0

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 24, 2023, 6:49 p.m.	process_identifier: 3032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 151552 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x03671000 process_handle: 0xffffffff	1	0	0

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 24, 2023, 6:49 p.m.	flags: 15 family: 0		111	0

section

{u'size_of_data': u'0x0003d000', u'virtual_address': u'0x00079000', u'entropy': 7.102832232599013, u'name': u'DATA', u'virtual_size': u'0x0003ce98'}

entropy

7.1028322326

description

A section with a high entropy has been found

entropy

0.302917442582

description

Overall entropy of this PE file is high

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
FireEye	Generic.mg.14d2501921d7cf94
Cybereason	malicious.bf99b8
BitDefenderTheta	Gen:NN.ZelphiCO.36196.YG0@aasFMLki
Symantec	Downloader
ESET-NOD32	Win32/TrojanDownloader.ModiLoader.C
APEX	Malicious
Cynet	Malicious (score: 99)
Kaspersky	VHO:Backdoor.Win32.Androm.gen
Avast	Win32:Evo-gen [Trj]
F-Secure	Heuristic.HEUR/AGEN.1331058
Sophos	Generic ML PUA (PUA)
Avira	HEUR/AGEN.1331058
ZoneAlarm	VHO:Backdoor.Win32.Androm.gen
Google	Detected
Cylance	unsafe
Ikarus	Trojan.Inject
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Formbook.AA!tr
AVG	Win32:Evo-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (D)

po-docs-may24.exe