popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

NewPurchaseOrderPO838735354643332735536345544.exe

Malicious Library UPX PE32 MZP Format PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 June 27, 2023, 9:39 a.m. June 27, 2023, 9:42 a.m.
Size 983.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 08dc73443b35d4dc882d052c10457f4a
SHA256 1c24ed06a4d38c863c4016a0489f66934b9167269b958a17dcdbb6ecae3baf18
CRC32 0D2A5D14
ssdeep 12288:zWI+n1cF0p4WhPQbXfu/i7Nx29T1CWaXqIov5n0fc8MMvdgV25wqYyEyHcsbOonS:z28tWhPKXf9PvXqgfvcQrEyHFbOwV
Yara
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73442000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xf2fdcfe9
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xf2fdcfe9
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xf2fdcfe9
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xf2fdcfe9
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xf2fdcfe9
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xf2fdcfe9
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xf2fdcfe9
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xf2fdcfe9
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xf2fdcfe9
process_handle: 0xffffffff
3221225477 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004d6000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xf2fdcfe9
process_handle: 0xffffffff
3221225477 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 159744
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x02081000
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x0005fa00', u'virtual_address': u'0x00076000', u'entropy': 7.49018761883051, u'name': u'DATA', u'virtual_size': u'0x0005f844'} entropy 7.49018761883 description A section with a high entropy has been found
entropy 0.389312977099 description Overall entropy of this PE file is high
Bkav W32.AIDetectMalware
Elastic malicious (high confidence)
FireEye Generic.mg.08dc73443b35d4dc
McAfee Artemis!08DC73443B35
Sangfor Trojan.Win32.Save.a
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/TrojanDownloader.ModiLoader.VU
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky VHO:Backdoor.Win32.Androm.gen
Avast DropperX-gen [Drp]
McAfee-GW-Edition BehavesLike.Win32.BadFile.dc
Trapmine suspicious.low.ml.score
SentinelOne Static AI - Suspicious PE
Microsoft Trojan:Win32/Leonem
ZoneAlarm VHO:Backdoor.Win32.Androm.gen
Google Detected
VBA32 BScope.Trojan.Formbook
Cylance unsafe
Rising Downloader.Agent!1.E646 (CLASSIC)
Ikarus Trojan.Win32.Injector
Fortinet W32/ModiLoader.VT!tr
AVG DropperX-gen [Drp]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_70% (D)