Summary | ZeroBOX

game1.exe

Generic Malware Admin Tool (Sysinternals etc ...) UPX Malicious Packer PE File PE32
Category: FILE
Machine: s1_win7_x6403_us
Started: June 20, 2023, 9:33 a.m.
Completed: June 20, 2023, 9:38 a.m.
Size: 1.5MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1a79aed033b7b222da1bfa1840ceace8
SHA256: e750e151e11eba9d0ab2f814dd24b2d1551eaf9cb95ab99e951d66619159219e
CRC32: 7013B378
ssdeep: 12288:wG+i1cTob5rpXuEq++p6xG5ssxODepysgSk9DyL1HUyIP9IylT8rhke6nuRs9U5w:wrkcG+p6U5U8ae6n+5N5tm
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x75600d27
CallWindowProcA+0x1b GetClassNameA-0x95 user32+0x2794a @ 0x7560794a
game1+0x16a30f @ 0x56a30f
game1+0x169a06 @ 0x569a06
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
game1+0x19da @ 0x4019da
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: f3 a5 0b ca 75 05 5f 5e c2 0c 00 f3 a4 5f 5e c2
exception.symbol: RtlMoveMemory+0x1b RtlFindActivationContextSectionGuid-0x270 ntdll+0x63c5b
exception.instruction: movsd dword ptr es:[edi], dword ptr [esi]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 408667
exception.address: 0x77903c5b
registers.esp: 1636972
registers.edi: 7929856
registers.eax: 2005941312
registers.ebp: 1637176
registers.edx: 0
registers.ebx: 6981230
registers.esi: 3674713652
registers.ecx: 62
Status: 1   Return: 0   Repeated: 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00780000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1   Return: 0   Repeated: 0

NtAllocateVirtualMemory

process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00790000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1   Return: 0   Repeated: 0

NtAllocateVirtualMemory

process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1   Return: 0   Repeated: 0

NtAllocateVirtualMemory

process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1   Return: 0   Repeated: 0

NtAllocateVirtualMemory

process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1   Return: 0   Repeated: 0

NtAllocateVirtualMemory

process_identifier: 1880
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x007d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1   Return: 0   Repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x003f0000
process_handle: 0xffffffff
Status: 1   Return: 0   Repeated: 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Convagent.4!c
tehtris Generic.Malware
MicroWorld-eScan Gen:Variant.Zusy.472561
FireEye Generic.mg.1a79aed033b7b222
ALYac Gen:Variant.Zusy.472561
Malwarebytes Trojan.Injector
VIPRE Gen:Variant.Zusy.472561
Sangfor Backdoor.Win32.Dcrat.V53o
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Backdoor:Win32/DcRat.6bd9f5fe
K7GW Trojan ( 005a70b31 )
K7AntiVirus Trojan ( 005a70b31 )
Arcabit Trojan.Zusy.D735F1
VirIT Trojan.Win32.Genus.RFG
Cyren W32/ABSpyware.TCVS-7486
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.BZOO
Cynet Malicious (score: 99)
APEX Malicious
ClamAV Win.Dropper.QuasarRAT-10004400-0
Kaspersky Backdoor.Win32.DcRat.jw
BitDefender Gen:Variant.Zusy.472561
Avast Win32:RATX-gen [Trj]
Tencent Malware.Win32.Gencirc.10bef39c
Emsisoft Gen:Variant.Zusy.472561 (B)
F-Secure Trojan.TR/Dropper.Gen
DrWeb Trojan.VbCrypt.250
TrendMicro Backdoor.Win32.ASYNCRAT.YXDFPZ
McAfee-GW-Edition BehavesLike.Win32.Infected.tm
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Avira TR/Dropper.Gen
Antiy-AVL Trojan/Win32.Wacatac
Gridinsoft Trojan.Win32.AsyncRAT.bot
Xcitium Malware@#2kiu7p0a3ncvn
Microsoft Trojan:Win32/AsyncRAT.B!MTB
ZoneAlarm Backdoor.Win32.DcRat.jw
GData Gen:Variant.Zusy.472561
Google Detected
McAfee GenericRXAA-AA!1A79AED033B7
MAX malware (ai score=83)
VBA32 BScope.Trojan-Dropper.Injector
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall Backdoor.Win32.ASYNCRAT.YXDFPZ
Rising Trojan.JanaCrypter!1.E64A (CLASSIC)
Ikarus Trojan.Win32.Injector
Fortinet W32/BZOO!tr