popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

sp.exe

Malicious Library UPX PE32 MZP Format PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us July 17, 2023, 4:36 p.m. July 17, 2023, 4:42 p.m.
Size 684.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 bcaf6001ab90614008b635fc7dcfe7bf
SHA256 3c2660c8eb5e8c66e608962ddb6a5ec9e58c1f948e4b9bc54a998a79823a9937
CRC32 21698232
ssdeep 12288:exndS6phb/cci16UFHRT+fv8ASQYmnwxIRP0OHLsChB:e1pZ/e6U7q3yLmnwKB0OZh
Yara
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1932
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00600000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225496 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00499000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00499000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00499000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00499000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00499000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00499000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00499000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00499000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00499000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00499000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00499000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 147456
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x01e61000
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x00038000', u'virtual_address': u'0x00061000', u'entropy': 6.951799800215601, u'name': u'DATA', u'virtual_size': u'0x00037ec4'} entropy 6.95179980022 description A section with a high entropy has been found
entropy 0.327964860908 description Overall entropy of this PE file is high
Bkav W32.AIDetectMalware
Elastic malicious (high confidence)
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_60% (D)
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/TrojanDownloader.ModiLoader.VW
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky VHO:Backdoor.Win32.Remcos.gen
Avast DropperX-gen [Drp]
FireEye Generic.mg.bcaf6001ab906140
SentinelOne Static AI - Suspicious PE
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm HEUR:Trojan-Downloader.Win32.Delf.gen
Google Detected
BitDefenderTheta Gen:NN.ZelphiCO.36318.QGW@aC5EBpkk
VBA32 Malware-Cryptor.Inject.gen
Cylance unsafe
Rising Downloader.Agent!1.E646 (CLASSIC)
Ikarus Trojan-Downloader.Win32.Banload
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/ModiLoader.VT!tr
AVG DropperX-gen [Drp]
Cybereason malicious.5dda01
DeepInstinct MALICIOUS