Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 4, 2023, 11:13 a.m.	July 4, 2023, 11:15 a.m.

Size	762.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`50da9726e918f94a39afacf32db3e5fe`
SHA256	`96bde9151480b20318275c2c0e045dc13486a76cf81465e4e02ad97cf37140b0`
CRC32	`966FB4AC`
ssdeep	`12288:VPRdmMlUOv2nhg+kX0WmSJXkP4xEMlnXkr:VJddU7nS+FJSiPHMlnXk`
Yara	UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

Veekmvhuxdctye.exe "C:\Users\test22\AppData\Local\Temp\Veekmvhuxdctye.exe"
3052

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.17.214.67	Active	Moloch
104.26.5.15	Active	Moloch
172.67.75.166	Active	Moloch
164.124.101.2	Active	Moloch
213.91.128.133	Active	Moloch
45.143.201.238	Active	Moloch
62.122.184.92	Active	Moloch
80.66.75.4	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 62.122.184.92:431 -> 192.168.56.102:49448	2402000	ET DROP Dshield Block Listed Source group 1	Misc Attack

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 4, 2023, 11:13 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 11:13 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73162000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 11:13 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 11:13 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 11:13 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 11:13 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 11:13 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 11:13 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 11:13 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 11:13 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 11:13 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 11:13 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2023, 11:13 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a0000 process_handle: 0xffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 4, 2023, 11:13 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 147456 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x01f91000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0003aa00', u'virtual_address': u'0x00065000', u'entropy': 7.0577772054953085, u'name': u'DATA', u'virtual_size': u'0x0003a93c'}

entropy

7.0577772055

description

A section with a high entropy has been found

entropy

0.30814717477

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (7 events)

host	104.17.214.67
host	104.26.5.15
host	172.67.75.166
host	213.91.128.133
host	45.143.201.238
host	62.122.184.92
host	80.66.75.4

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Noon.4!c
Elastic	malicious (high confidence)
DrWeb	Trojan.DownLoader45.59916
McAfee	Artemis!50DA9726E918
Malwarebytes	Trojan.MalPack.DLF
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_70% (W)
VirIT	Trojan.Win32.Genus.RSS
Cyren	W32/ModiLoader.A.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	UDS:Trojan-Spy.Win32.Noon.gen
Avast	Win32:MalwareX-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win32.Worm.bh
FireEye	Generic.mg.50da9726e918f94a
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Noon.Gen
Microsoft	Trojan:Win32/Leonem
ZoneAlarm	UDS:Trojan-Spy.Win32.Noon.gen
Google	Detected
VBA32	BScope.Trojan.Formbook
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.F0D1C00G323
Rising	Downloader.Agent!1.E646 (CLASSIC)
Ikarus	Trojan.MSIL.Inject
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/ModiLoader.VT!tr
AVG	Win32:MalwareX-gen [Trj]
Cybereason	malicious.33173c
DeepInstinct	MALICIOUS

Veekmvhuxdctye.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All