Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 25, 2023, 3:11 p.m.	May 25, 2023, 3:11 p.m.

Size	806.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`14d2501921d7cf94f36f5deb78c93982`
SHA256	`0b902145264ae6455a8d945c762dde3076642ca9447fef3828a743e714d0fb5d`
CRC32	`47436719`
ssdeep	`12288:j9Id6OrPwqTQAwBTTvY0Z3l9+P/bnqvPPOmWnADUcHvNEw3:j9XyTFwtTpZ1E32POMHm0`
Yara	Dbatloader_IN - Dbatloader UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals

Name	Response	Post-Analysis Lookup
onedrive.live.com	CNAME l-0004.l-msedge.net CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-geo.onedrive.akadns.net CNAME web.fe.1drv.com CNAME odc-web-brs.onedrive.akadns.net A 13.107.42.13	13.107.43.13

IP Address	Status	Action
13.107.42.13	Active	Moloch
164.124.101.2	Active	Moloch

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 13.107.42.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49164 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=onedrive.com	4e:11:98:32:9d:ab:e8:3b:be:4e:e9:05:86:88:8d:67:16:9b:c0:9b

packer

BobSoft Mini Delphi -> BoB / BobSoft

Time & API	Arguments	Status	Return	Repeated
__exception__ May 25, 2023, 3:11 p.m.	stacktrace: 0x21f7b4e 0x21f7b81 0x21f7a9c 0x21eec3c 0x21feff6 0x22054a0 DriverCallback+0x4e waveOutOpen-0xa2e winmm+0x3af0 @ 0x74143af0 timeEndPeriod+0x54a timeKillEvent-0x57 winmm+0xa535 @ 0x7414a535 timeEndPeriod+0x449 timeKillEvent-0x158 winmm+0xa434 @ 0x7414a434 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 59368944 registers.edi: 0 registers.eax: 59368944 registers.ebp: 59369024 registers.edx: 0 registers.ebx: 59370748 registers.esi: 58241072 registers.ecx: 7	1	0	0

request

GET http://onedrive.live.com/download?cid=4FE79169F14FE906&resid=4FE79169F14FE906%21197&authkey=AJx2lN6RUxuMay0

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 25, 2023, 3:11 p.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory May 25, 2023, 3:11 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73442000 process_handle: 0xffffffff	1	0	0

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 25, 2023, 3:11 p.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 151552 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x021e1000 process_handle: 0xffffffff	1	0	0

section

{u'size_of_data': u'0x0003d000', u'virtual_address': u'0x00079000', u'entropy': 7.102832232599013, u'name': u'DATA', u'virtual_size': u'0x0003ce98'}

entropy

7.1028322326

description

A section with a high entropy has been found

entropy

0.302917442582

description

Overall entropy of this PE file is high

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Androm.4!c
Cynet	Malicious (score: 99)
Cylance	unsafe
Sangfor	Downloader.Win32.Agent.Va3k
Cybereason	malicious.bf99b8
Symantec	Downloader
Elastic	malicious (high confidence)
ESET-NOD32	Win32/TrojanDownloader.ModiLoader.C
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.Win32.Stealer.gen
Avast	Win32:Evo-gen [Trj]
F-Secure	Heuristic.HEUR/AGEN.1331058
McAfee-GW-Edition	BehavesLike.Win32.BadFile.ch
FireEye	Generic.mg.14d2501921d7cf94
Sophos	Mal/Generic-S
Avira	HEUR/AGEN.1331058
Kingsoft	malware.kb.a.991
Microsoft	Trojan:Win32/Wacatac.B!ml
Google	Detected
McAfee	Artemis!14D2501921D7
Malwarebytes	Generic.Malware/Suspicious
Rising	Stealer.Agent!8.C2 (CLOUD)
Ikarus	Trojan.Inject
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Formbook.AA!tr
BitDefenderTheta	Gen:NN.ZelphiCO.36196.YG0@aasFMLki
AVG	Win32:Evo-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (D)

po-docs-may24.exe