Summary | ZeroBOX

dr_mails_.ipb.exe

AntiVM PE32 AntiDebug PE File
Category FILE
Machine s1_win7_x6401
Started June 15, 2023, 7:25 a.m.
Completed June 15, 2023, 7:28 a.m.
Size 432.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 956d79812c98bbb5f5ba609cba79d5ee
SHA256 cda1ea0f3ee3f632981cad049258b5054acce691b98ceba725c14c6d9ff02077
CRC32 239F20C4
ssdeep 6144:5aaOQpfmmD7GFvjzQDlfHVuo4j5sh9Mk3oiHwMeEdyB7IuqGNqVZnnB9paDpeVtt:5aaOWzqunIWroiHwffSuZNqVNnlIYVP
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
dr_mails_+0x2bbd @ 0x162bbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.esp: 4586476
registers.edi: 301980
registers.eax: 0
registers.ebp: 4586512
registers.edx: 3152780718
registers.ebx: 265746570
registers.esi: 4586892
registers.ecx: 168053109
1 0 0

__exception__

stacktrace:
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0xf01fb1d9
registers.esp: 2227944
registers.edi: 0
registers.eax: 1968976824
registers.ebp: 2227952
registers.edx: 4028608985
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 561152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00460000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 430080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00480000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 348160
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00160000
process_handle: 0xffffffff
1 0 0
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 204800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00001198
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@ິ Í!¸LÍ!This program cannot be run in DOS mode. $8ä?Ì|…QŸ|…QŸ|…QŸ¯÷Pžy…QŸ|…PŸ…QŸ«øYžo…QŸ«øRž~…QŸ«øQž}…QŸ«øSž}…QŸRich|…QŸPEL+&‡dà! #šRɱ° @°á˜.text8™š `.rdatah2°4ž@@.dataPðÒ@À.relocØ@B
base_address: 0x000f0000
process_identifier: 2628
process_handle: 0x00001198
1 1 0

WriteProcessMemory

buffer: çÔ¼¯>ä–5dª…#­ÁµivJÆUQú}Úý†ôµfUÜÙ;¸’{ÚÍÇpvE@›‚\ eÐÞ)¿ â%!3¶hGj”#·éøÝV&*ÎCåM¤0Rۏ—G@^šÿì"%5]îC¥(}jGʵjI33¿_À«ö̞U8ñÒ±D•ÿL?n@Òr¹×øLÂ$°áLBxñ ²¿±­‡y¡"9ãà†ÏÙ19g ²÷N.Â:•ýF6#;NQx—`®çe6ÄM²¥yÉf¶(+± öO¹ƒÄ±ÈP†T†äþtenuirostralÑè+n^g¼yµ‹Çǹ±jåÑÈúƨŒT|ƒKžz¨Û«!»‘öüì0ú›t®`[æ͙Ñ*LèšïØçqE<ßQ벜+AýbSTm¦Ž¾Å¦hvò °Û@ßökÍ ìºþ?PÅdinners—c±aUMQ»-u|µÅÞù¦)1ke5ÛPÔOforayersricinoleinMetanym‚ÚƒïrFWžªúüA]òDÖôiá|š=œdbº/Í4·¹òc­ÿy´À±p8æힵTû)ÍÌZCþö¯_ÚÄkM€Ë§5T(««€Nk=­÷$-(ë¤ ×Ãþ]È^Á©m'mk÷XOŠŸ­%Îâ̦ê«1³mRBm,jâVqÞõËGÕ Õ°ß+j Unhouseled딃ۆlâeóÅÖêhe^F{ÃUw玢X?é6ïÏ+•Ò¯#ÓiÙà»YîeCjýÝènz߫ǘ—I\D·Hޚ¶x³p*\¢ÌÌJúA§ößPû¥ÍÛD‘Áëñ³ñz*½˜# Q°¥¡Øu¦‹ˆmwsemiadhesively"IÓÃSpeculumF粖ܳbÒœƒcompanioned$Š™L¼F[çîNƒì ‘ywôÒÉ|H¼µ‰;äÓÇêþx ç—3LýhudËã°r­retroinfectionä K6¹Ö](lAÕA ºçèžÔÏ&š2ÝO“gœskeiningí¤/åPointillistBarotaxisHaematozzoa¬‰.QuinquevalencePetrify?¿û ªäIÚXT ¼äÉ‹nøUnmaceratedbeswitch’dϋ†KOàûùê,¡ÙkÁ”˜IirrevertibleThiopentalG:ÝiirrevertibleThiopentaleë"æ4½·ÇëOverdescriptivenessLiggat/-ì@ý.;YvM_Q¸·±èJKz®$l›Ž©ÊforayersJejunatorKetubaUnmaceratedp8tG/hbï’ð°\MåwK¼J
base_address: 0x0011f000
process_identifier: 2628
process_handle: 0x00001198
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x7efde008
process_identifier: 2628
process_handle: 0x00001198
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@ິ Í!¸LÍ!This program cannot be run in DOS mode. $8ä?Ì|…QŸ|…QŸ|…QŸ¯÷Pžy…QŸ|…PŸ…QŸ«øYžo…QŸ«øRž~…QŸ«øQž}…QŸ«øSž}…QŸRich|…QŸPEL+&‡dà! #šRɱ° @°á˜.text8™š `.rdatah2°4ž@@.dataPðÒ@À.relocØ@B
base_address: 0x000f0000
process_identifier: 2628
process_handle: 0x00001198
1 1 0
Process injection Process 2552 called NtSetContextThread to modify thread in remote process 2628
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652
registers.esp: 2228044
registers.edi: 0
registers.eax: 1094105
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00001194
process_identifier: 2628
1 0 0
Process injection Process 2552 resumed a thread in remote process 2628
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00001194
suspend_count: 1
process_identifier: 2628
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2632
thread_handle: 0x00001194
process_identifier: 2628
current_directory:
filepath: C:\Windows\SysWOW64\wermgr.exe
track: 1
command_line:
filepath_r: C:\Windows\SysWOW64\wermgr.exe
stack_pivoted: 0
creation_flags: 134742028 (CREATE_NO_WINDOW|CREATE_SUSPENDED|DETACHED_PROCESS|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00001198
1 1 0

NtAllocateVirtualMemory

process_identifier: 2628
region_size: 204800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00001198
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@ິ Í!¸LÍ!This program cannot be run in DOS mode. $8ä?Ì|…QŸ|…QŸ|…QŸ¯÷Pžy…QŸ|…PŸ…QŸ«øYžo…QŸ«øRž~…QŸ«øQž}…QŸ«øSž}…QŸRich|…QŸPEL+&‡dà! #šRɱ° @°á˜.text8™š `.rdatah2°4ž@@.dataPðÒ@À.relocØ@B
base_address: 0x000f0000
process_identifier: 2628
process_handle: 0x00001198
1 1 0

WriteProcessMemory

buffer:
base_address: 0x000f1000
process_identifier: 2628
process_handle: 0x00001198
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0011b000
process_identifier: 2628
process_handle: 0x00001198
1 1 0

WriteProcessMemory

buffer: çÔ¼¯>ä–5dª…#­ÁµivJÆUQú}Úý†ôµfUÜÙ;¸’{ÚÍÇpvE@›‚\ eÐÞ)¿ â%!3¶hGj”#·éøÝV&*ÎCåM¤0Rۏ—G@^šÿì"%5]îC¥(}jGʵjI33¿_À«ö̞U8ñÒ±D•ÿL?n@Òr¹×øLÂ$°áLBxñ ²¿±­‡y¡"9ãà†ÏÙ19g ²÷N.Â:•ýF6#;NQx—`®çe6ÄM²¥yÉf¶(+± öO¹ƒÄ±ÈP†T†äþtenuirostralÑè+n^g¼yµ‹Çǹ±jåÑÈúƨŒT|ƒKžz¨Û«!»‘öüì0ú›t®`[æ͙Ñ*LèšïØçqE<ßQ벜+AýbSTm¦Ž¾Å¦hvò °Û@ßökÍ ìºþ?PÅdinners—c±aUMQ»-u|µÅÞù¦)1ke5ÛPÔOforayersricinoleinMetanym‚ÚƒïrFWžªúüA]òDÖôiá|š=œdbº/Í4·¹òc­ÿy´À±p8æힵTû)ÍÌZCþö¯_ÚÄkM€Ë§5T(««€Nk=­÷$-(ë¤ ×Ãþ]È^Á©m'mk÷XOŠŸ­%Îâ̦ê«1³mRBm,jâVqÞõËGÕ Õ°ß+j Unhouseled딃ۆlâeóÅÖêhe^F{ÃUw玢X?é6ïÏ+•Ò¯#ÓiÙà»YîeCjýÝènz߫ǘ—I\D·Hޚ¶x³p*\¢ÌÌJúA§ößPû¥ÍÛD‘Áëñ³ñz*½˜# Q°¥¡Øu¦‹ˆmwsemiadhesively"IÓÃSpeculumF粖ܳbÒœƒcompanioned$Š™L¼F[çîNƒì ‘ywôÒÉ|H¼µ‰;äÓÇêþx ç—3LýhudËã°r­retroinfectionä K6¹Ö](lAÕA ºçèžÔÏ&š2ÝO“gœskeiningí¤/åPointillistBarotaxisHaematozzoa¬‰.QuinquevalencePetrify?¿û ªäIÚXT ¼äÉ‹nøUnmaceratedbeswitch’dϋ†KOàûùê,¡ÙkÁ”˜IirrevertibleThiopentalG:ÝiirrevertibleThiopentaleë"æ4½·ÇëOverdescriptivenessLiggat/-ì@ý.;YvM_Q¸·±èJKz®$l›Ž©ÊforayersJejunatorKetubaUnmaceratedp8tG/hbï’ð°\MåwK¼J
base_address: 0x0011f000
process_identifier: 2628
process_handle: 0x00001198
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00120000
process_identifier: 2628
process_handle: 0x00001198
1 1 0

NtGetContextThread

thread_handle: 0x00001194
1 0 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 2228044
registers.edi: 0
registers.eax: 1094105
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00001194
process_identifier: 2628
1 0 0

WriteProcessMemory

buffer: 
base_address: 0x7efde008
process_identifier: 2628
process_handle: 0x00001198
1 1 0

NtResumeThread

thread_handle: 0x00001194
suspend_count: 1
process_identifier: 2628
1 0 0