Summary | ZeroBOX

hh.exe

Tags: Generic Malware, UPX, Admin Tool (Sysinternals etc ...), Malicious Library, Malicious Packer, PE File, PE32

Category: FILE
Machine: s1_win7_x6402
Started: June 14, 2023, 3:59 p.m.
Completed: June 14, 2023, 4:01 p.m.
Size: 735.0KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 49e5db7cd2169dfc4d0e2011beccf2a0
SHA256: cf37a62447241bd1297b90113fd65f0d65cf9e6ae43906e66e012ff752c89a91
CRC32: 23B69165
ssdeep: 12288:6PiGaki31mKvsC1eksGuOH8czJwvx5cu9xScDHKt9l6Ba:6PukiFmWt6OH8cOb91y9l9
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware

Hosts (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP addresses (IP Address / Status / Action)
164.124.101.2  Active  Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Behavior log (columns: Time & API / Arguments / Status / Return / Repeated)

__exception__

stacktrace:
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x757362fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75736d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x75740d27
CallWindowProcA+0x1b GetClassNameA-0x95 user32+0x2794a @ 0x7574794a
hh+0x1aff3 @ 0x41aff3
hh+0x1a5de @ 0x41a5de
hh+0x1b256 @ 0x41b256
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
hh+0x14830 @ 0x414830
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
IID_IVbaHost+0x3b77 UserDllMain-0x61740 msvbvm60+0x321b7 @ 0x729721b7
IID_IVbaHost+0x386d UserDllMain-0x61a4a msvbvm60+0x31ead @ 0x72971ead
IID_IVbaHost+0x36291 UserDllMain-0x2f026 msvbvm60+0x648d1 @ 0x729a48d1
IID_IVbaHost+0x418d8 UserDllMain-0x239df msvbvm60+0x6ff18 @ 0x729aff18
BASIC_CLASS_Release+0xfcaa IID_IVbaHost-0xff3d msvbvm60+0x1e703 @ 0x7295e703
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
hh+0x16d2 @ 0x4016d2
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: 0f b7 46 14 89 55 fc 89 55 cc 89 45 c8 39 96 a0
exception.instruction: movzx eax, word ptr [esi + 0x14]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x58331e
registers.esp: 1635324
registers.edi: 0
registers.eax: 0
registers.ebp: 1636396
registers.edx: 0
registers.ebx: 1961295872
registers.esi: 1044791170
registers.ecx: 47775776
Status: 1  Return: 0  Repeated: 0
NtProtectVirtualMemory
process_identifier: 3036
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742f2000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

NtProtectVirtualMemory
process_identifier: 3036
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x003f0000
process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0
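The __exception__ record and the two NtProtectVirtualMemory rows above are the parts of this report worth decoding by hand: the registers are printed in decimal, the stack frames give each module's load address only indirectly (as "module+offset @ address"), and the protection value is a raw Win32 page-protection constant. The Python below is an added example, not ZeroBOX's code. It parses copies of those lines (embedded as constructed input) to derive the module bases, compute the address the faulting movzx actually dereferenced, and tag each protection change made through the 0xffffffff pseudo-handle, which is GetCurrentProcess() in a 32-bit process, so these are the sample changing its own memory. The nearest_module helper and the tag names are this example's own conventions; it does not know any module's SizeOfImage, so its attribution of 0x58331e to hh+0x18331e is a hint to check against the PE header, not a conclusion.

```python
"""Decode the behavior log of this report: module bases from the stack trace,
the address the faulting instruction read, and the page-protection changes.
Added example, not ZeroBOX code; the inputs below are copied from the page."""
import re

# Constructed input: one frame per module, copied from the report's stacktrace.
STACKTRACE = """\
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x757362fa
hh+0x1aff3 @ 0x41aff3
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
"""

# Constructed input: the __exception__ record as printed (registers in decimal).
EXCEPTION = """\
exception.instruction: movzx eax, word ptr [esi + 0x14]
exception.exception_code: 0xc0000005
exception.address: 0x58331e
registers.esp: 1635324
registers.edi: 0
registers.eax: 0
registers.ebp: 1636396
registers.edx: 0
registers.ebx: 1961295872
registers.esi: 1044791170
registers.ecx: 47775776
"""

# Constructed input: the two NtProtectVirtualMemory rows from the report.
PROTECT_CALLS = [
    {"heap_dep_bypass": 0, "length": 4096, "protection": 64,
     "base_address": 0x742f2000, "process_handle": 0xffffffff},
    {"heap_dep_bypass": 1, "length": 24576, "protection": 32,
     "base_address": 0x003f0000, "process_handle": 0xffffffff},
]

# Last "module+offset @ address" of a frame: offset is relative to the module base.
FRAME_RE = re.compile(r"(\w+)\+0x([0-9a-f]+) @ 0x([0-9a-f]+)$")
OPERAND_RE = re.compile(r"\[(\w+)\s*([+-])\s*0x([0-9a-f]+)\]")  # "[reg +/- disp]"
PAGE_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_EXEC_MASK = 0x40 | 0x80
CURRENT_PROCESS = 0xffffffff  # GetCurrentProcess() pseudo-handle in a 32-bit process

def module_bases(trace):
    """Map module name -> load address, computed as frame address - offset."""
    bases = {}
    for line in trace.splitlines():
        m = FRAME_RE.search(line)
        if m:
            bases.setdefault(m.group(1), int(m.group(3), 16) - int(m.group(2), 16))
    return bases

def parse_exception(text):
    """Record as a dict; decimal registers and 0x-prefixed fields become ints."""
    rec = {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        field, val = key.split(".", 1)[1], val.strip()
        rec[field] = int(val, 0) if key.startswith("registers.") or val.startswith("0x") else val
    return rec

def faulting_address(rec):
    """Effective address of the [reg +/- disp] operand the instruction dereferenced."""
    m = OPERAND_RE.search(rec["instruction"])
    reg, sign, disp = m.group(1), m.group(2), int(m.group(3), 16)
    return rec[reg] + disp if sign == "+" else rec[reg] - disp

def nearest_module(addr, bases):
    """(module, offset) for the highest derived base at or below addr, else None.
    No SizeOfImage is known here, so compare the offset with the PE header."""
    below = [(base, name) for name, base in bases.items() if base <= addr]
    if not below:
        return None
    base, name = max(below)
    return name, addr - base

def triage_protect(call):
    """(protection name, pages, tags): flag executable protections a process
    applies to its own memory, the staging pattern of unpackers and injectors."""
    tags = set()
    if call["process_handle"] == CURRENT_PROCESS:
        tags.add("self")
    if call["protection"] & EXEC_MASK:
        tags.add("exec")
    if call["protection"] & WRITE_EXEC_MASK:
        tags.add("rwx")
    if call["heap_dep_bypass"]:
        tags.add("heap_dep_bypass")
    name = PAGE_NAMES.get(call["protection"], hex(call["protection"]))
    return name, call["length"] // 4096, tags

if __name__ == "__main__":
    bases, rec = module_bases(STACKTRACE), parse_exception(EXCEPTION)
    print(hex(rec["address"]), hex(faulting_address(rec)), nearest_module(rec["address"], bases))
    print([triage_protect(c) for c in PROTECT_CALLS])
```

Run stand-alone it shows that the read which faulted was of 0x3e463f96 (esi + 0x14 with esi = 0x3e463f82), far from every module base derived from the trace (hh 0x400000, msvbvm60 0x72940000, user32 0x75720000, ntdll 0x77470000), and that the second protection change made six pages at 0x003f0000 executable in the sample's own process, which is what the sandbox's heap_dep_bypass flag records; the first change is the stronger signal, a writable and executable page at 0x742f2000.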
Antivirus results (vendor, detection name)

Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Lazy.4!c
Elastic malicious (high confidence)
DrWeb Trojan.KillProc2.20520
MicroWorld-eScan Gen:Variant.Lazy.350119
FireEye Generic.mg.49e5db7cd2169dfc
McAfee Artemis!49E5DB7CD216
Cylance unsafe
Sangfor Suspicious.Win32.Save.vb
Alibaba Trojan:Win32/Injector.c73001fb
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta Gen:NN.ZevbaF.36250.Tm3@aS9G2Bni
Cyren W32/VB.AAB.gen!Eldorado
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 a variant of Win32/Injector.ETAN
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky Trojan.Win32.Strab.bld
BitDefender Gen:Variant.Lazy.350119
Avast Win32:RATX-gen [Trj]
Tencent Win32.Trojan.Dropper.Ocnw
Emsisoft Gen:Variant.Lazy.350119 (B)
F-Secure Trojan.TR/Dropper.Gen
VIPRE Gen:Variant.Lazy.350119
TrendMicro TROJ_GEN.R014C0RFD23
McAfee-GW-Edition BehavesLike.Win32.Trojan.bc
Trapmine malicious.moderate.ml.score
Sophos Mal/Trickbot-E
Ikarus Trojan.Win32.Injector
GData Win32.Packed.Kryptik.17NWS9
Webroot W32.Malware.Gen
Avira TR/Dropper.Gen
Arcabit Trojan.Lazy.D557A7
ZoneAlarm UDS:DangerousObject.Multi.Generic
Microsoft Trojan:Win32/Wacatac.B!ml
Google Detected
AhnLab-V3 Trojan/Win.Generic.R586538
Acronis suspicious
ALYac Gen:Variant.Lazy.350119
MAX malware (ai score=87)
Malwarebytes Backdoor.NJRat
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R014C0RFD23
Rising Trojan.Injector!8.C4 (CLOUD)
SentinelOne Static AI - Malicious PE
Fortinet W32/Injector.DBRX!tr
AVG Win32:RATX-gen [Trj]
Cybereason malicious.e7e5f4
DeepInstinct MALICIOUS