Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 22, 2023, 10:05 a.m.	June 22, 2023, 10:07 a.m.

Size	706.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4954636fe876459d1a8654235bec6f3c`
SHA256	`7cfdbb46f90befe58e3f7487c9a807328f69c223fa0fc240ce292bb7d85ef099`
CRC32	`0DD5C12C`
ssdeep	`12288:mTlUbdpW5/5o8FF2FENOeqBWJz4RC7AptkCizoHm8gn7hQEL:mTqC/5otAqYOo8ptkCizoH9gnGE`
Yara	UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

MEMOVACATIONLIST7548100283DH4746EYHH.exe "C:\Users\test22\AppData\Local\Temp\MEMOVACATIONLIST7548100283DH4746EYHH.exe"
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73442000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049e000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049e000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xf67bf7e9 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049e000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xf67bf7e9 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049e000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xf67bf7e9 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049e000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xf67bf7e9 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049e000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xf67bf7e9 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049e000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xf67bf7e9 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049e000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xf67bf7e9 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049e000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xf67bf7e9 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049e000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xf67bf7e9 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049e000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xf67bf7e9 process_handle: 0xffffffff		3221225477

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 22, 2023, 10:05 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 147456 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00551000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00046800', u'virtual_address': u'0x00057000', u'entropy': 6.836624639083179, u'name': u'DATA', u'virtual_size': u'0x00046678'}

entropy

6.83662463908

description

A section with a high entropy has been found

entropy

0.4

description

Overall entropy of this PE file is high

File has been identified by 40 AntiVirus engines on VirusTotal as malicious (40 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealer.12!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.473631
FireEye	Generic.mg.4954636fe876459d
Malwarebytes	Trojan.Downloader
Sangfor	Trojan.Win32.Save.a
Arcabit	Trojan.Zusy.D73A1F
Cyren	W32/Delf.LALX-8428
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.ModiLoader.VU
APEX	Malicious
Kaspersky	HEUR:Trojan-Spy.Win32.Stealer.gen
BitDefender	Gen:Variant.Zusy.473631
Avast	Win32:DropperX-gen [Drp]
Tencent	Win32.Trojan-Spy.Stealer.Ztjl
Emsisoft	Gen:Variant.Zusy.473631 (B)
DrWeb	Trojan.Siggen20.64695
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.Gen
Google	Detected
MAX	malware (ai score=87)
Microsoft	Trojan:Win32/AveMaria.ZY!MTB
ZoneAlarm	HEUR:Trojan-Spy.Win32.Stealer.gen
GData	Gen:Variant.Zusy.473631
Cynet	Malicious (score: 100)
McAfee	Artemis!4954636FE876
VBA32	BScope.Trojan.Formbook
Cylance	unsafe
Panda	Trj/GdSda.A
Rising	Downloader.Agent!1.E646 (CLASSIC)
Ikarus	Win32.Outbreak
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/ModiLoader.VT!tr
BitDefenderTheta	Gen:NN.ZelphiCO.36270.SGW@aaANZlj
AVG	Win32:DropperX-gen [Drp]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_70% (W)

MEMOVACATIONLIST7548100283DH4746EYHH.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All