Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

vp2023.exe

Malicious Library UPX PE32 MZP Format PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 21, 2023, 4:03 p.m.	June 21, 2023, 4:05 p.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`38bd8cf9d900fa629d1844b215a3d4d0`
SHA256	`c17ef1f5dbdfd1f80ad5d6049492f83a44ad74eb8c56202af924b8d83a6e1b89`
CRC32	`1910E760`
ssdeep	`24576:zOEYDQe8H+5c5U64sOkysl86+jv+9v9OM8JSMe7R:zvH0X2d9Ole7`
Yara	UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

vp2023.exe "C:\Users\test22\AppData\Local\Temp\vp2023.exe"
2548

Name	Response	Post-Analysis Lookup
drownways.com	A 149.100.151.190	149.100.151.190

IP Address	Status	Action
149.100.151.190	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 149.100.151.190:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49162 -> 149.100.151.190:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49164 -> 149.100.151.190:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49162 -> 149.100.151.190:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.101:49163 -> 149.100.151.190:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49162 -> 149.100.151.190:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49163 -> 149.100.151.190:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 149.100.151.190:443 -> 192.168.56.101:49164	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 149.100.151.190:443 -> 192.168.56.101:49162	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.101:49163 -> 149.100.151.190:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.100.151.190:443 -> 192.168.56.101:49164	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 149.100.151.190:443 -> 192.168.56.101:49162	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 149.100.151.190:443 -> 192.168.56.101:49163	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 149.100.151.190:443 -> 192.168.56.101:49163	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 21, 2023, 4:03 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 21, 2023, 4:03 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735e2000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 21, 2023, 4:03 p.m.	process_identifier: 2548 region_size: 290816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 21, 2023, 4:03 p.m.	process_identifier: 2548 region_size: 290816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory June 21, 2023, 4:03 p.m.	process_identifier: 2548 region_size: 212992 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x034b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 21, 2023, 4:03 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 241664 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1	0	0

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 21, 2023, 4:03 p.m.	show_type: 0 filepath_r: ikml parameters: filepath: ikml		0	0

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (moderate confidence)
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	VHO:Trojan-Banker.Win32.ChePro.gen
Avast	Win32:CrypterX-gen [Trj]
ZoneAlarm	VHO:Trojan-Banker.Win32.ChePro.gen
Rising	Trojan.ChePro!8.3273 (RDMK:cmRtazpDPOlsciicSryjHP5fxJDy)
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:CrypterX-gen [Trj]
CrowdStrike	win/malicious_confidence_70% (D)