Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 13, 2023, 11:19 p.m.	June 13, 2023, 11:23 p.m.

Size	448.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`18945f8d9550aa5e349a1cee5751a844`
SHA256	`050e0336e8dd0a3af979e5ff6102c4ed3a9543e5cf58becac31acbe2eee7065c`
CRC32	`9281F26B`
ssdeep	`6144:BXPF7CB0BPVPTRHD3LUXUKG9Or/+hbo5lpDOKgg+jBI/9WjBI/9N1xGWMAyAZ2:BE0BdFeUKGIr/95lpaKPxTTZ2`
Yara	UPX_Zero - UPX packed file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals IsPE32 - (no description)

moja.exe "C:\Users\test22\AppData\Local\Temp\moja.exe"
2568

Name	Response	Post-Analysis Lookup
raw.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.111.133

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.199.108.133	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.199.108.133:443 -> 192.168.56.101:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 185.199.108.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49162 -> 185.199.108.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

CUSTOM

One or more processes crashed (12 events)

Time & API	Arguments	Status
__exception__ June 13, 2023, 11:19 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5471768 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5471768 registers.esi: 5471768 registers.ecx: 2	1
__exception__ June 13, 2023, 11:19 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5471768 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5471768 registers.esi: 5471768 registers.ecx: 2	1
__exception__ June 13, 2023, 11:19 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5471768 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5471768 registers.esi: 5471768 registers.ecx: 2	1
__exception__ June 13, 2023, 11:19 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5471768 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5471768 registers.esi: 5471768 registers.ecx: 2	1
__exception__ June 13, 2023, 11:19 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5471768 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5471768 registers.esi: 5471768 registers.ecx: 2	1
__exception__ June 13, 2023, 11:19 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5471768 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5471768 registers.esi: 5471768 registers.ecx: 2	1
__exception__ June 13, 2023, 11:19 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5471768 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5471768 registers.esi: 5471768 registers.ecx: 2	1
__exception__ June 13, 2023, 11:19 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5471768 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5471768 registers.esi: 5471768 registers.ecx: 2	1
__exception__ June 13, 2023, 11:19 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636196 registers.edi: 1636472 registers.eax: 1636196 registers.ebp: 1636276 registers.edx: 0 registers.ebx: 5471768 registers.esi: 1636472 registers.ecx: 2	1
__exception__ June 13, 2023, 11:19 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5471768 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5471768 registers.esi: 5471768 registers.ecx: 2	1
__exception__ June 13, 2023, 11:19 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636380 registers.edi: 5471768 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5471768 registers.esi: 5471768 registers.ecx: 2	1
__exception__ June 13, 2023, 11:19 p.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 1636876 registers.edi: 5471768 registers.eax: 1636876 registers.ebp: 1636956 registers.edx: 0 registers.ebx: 5471768 registers.esi: 5471768 registers.ecx: 2	1

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 13, 2023, 11:19 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 13, 2023, 11:19 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003f0000 process_handle: 0xffffffff	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\(Default)

reg_value

C:\Users\test22\AppData\Roaming\\

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Blocker.V!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.67366803
FireEye	Generic.mg.18945f8d9550aa5e
McAfee	Artemis!18945F8D9550
Malwarebytes	Inject.Exploit.Shellcode.DDS
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Ransom:Win32/Blocker.f01f697e
Arcabit	Trojan.Tedy.D4EE51
Cyren	W32/ABRisk.GCGM-7379
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Injector.ESAP
Cynet	Malicious (score: 99)
APEX	Malicious
Kaspersky	Trojan-Ransom.Win32.Blocker.ziki
BitDefender	Trojan.GenericKD.67366803
Avast	Win32:RATX-gen [Trj]
Emsisoft	Trojan.GenericKD.67366803 (B)
VIPRE	Gen:Variant.Tedy.323153
TrendMicro	Ransom_Blocker.R002C0DF323
McAfee-GW-Edition	RDN/Ransom
Trapmine	malicious.moderate.ml.score
Sophos	Mal/Generic-S
Avira	TR/Injector.sbhop
Antiy-AVL	Trojan/Win32.Injector
Microsoft	Trojan:Win32/Pony.AT!MTB
ZoneAlarm	Trojan-Ransom.Win32.Blocker.ziki
GData	Trojan.GenericKD.67366803
Google	Detected
VBA32	Malware-Cryptor.VB.gen.1
ALYac	Gen:Variant.Tedy.323153
MAX	malware (ai score=84)
Cylance	unsafe
Panda	Trj/CI.A
TrendMicro-HouseCall	Ransom_Blocker.R002C0DF323
Rising	Backdoor.DcRat!8.129D9 (TFE:5:dHsoB4Jq8qS)
Ikarus	Trojan-Spy.Agent
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Injector.ERLH!tr.dldr
AVG	Win32:RATX-gen [Trj]
DeepInstinct	MALICIOUS

moja.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All