Summary | ZeroBOX

saqoap.exe

Tags: Malicious Library, UPX, PE32, MZP Format, PE File

Category: FILE
Machine: s1_win7_x6403_us
Started: July 21, 2023, 12:58 p.m.
Completed: July 21, 2023, 1:01 p.m.
Size 789.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8c1e52ac9553fab121ee950749fe1d31
SHA256 b77daf934032129b309e2cb8b32fb54cffba2691768520d5c6190cb9ba15a059
CRC32 42212517
ssdeep 24576:rk/A25GoqxIJs7ks3XJrPz6cDCnvMhqv9:rKAKGj7ks35rPmaCnvMsv9
Yara
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

DNS (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP traffic (IP Address / Status / Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
Note: CODE, DATA and BSS are the Borland/Delphi linker's default section names. The report lists no UPX0/UPX1 section, so the UPX_Zero Yara hit above should be confirmed (for example with `upx -t` on the sample) before UPX is taken as the packer.
Time & API Arguments Status Return Repeated
(every call below comes from process_identifier 1000 through process_handle 0xffffffff, the current-process pseudo-handle)

NtAllocateVirtualMemory
    base_address: 0x01e40000
    region_size: 4096
    allocation_type: 4096 (MEM_COMMIT)
    protection: 64 (PAGE_EXECUTE_READWRITE)
    stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0
    Status 1 (success)  Return 0  Repeated 0

NtProtectVirtualMemory
    base_address: 0x00000000
    length: 4
    protection: 64 (PAGE_EXECUTE_READWRITE)
    stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 0
    Status failed  Return 3221225496 (0xC0000018, STATUS_CONFLICTING_ADDRESSES)  Repeated 0

NtProtectVirtualMemory  (this call is logged 11 times in succession with identical arguments; Repeated is 0 on every row)
    base_address: 0x0018f000
    length: 4096
    protection: 64 (PAGE_EXECUTE_READWRITE)
    stack_dep_bypass: 1  stack_pivoted: 0  heap_dep_bypass: 1
    Status 1 (success)  Return 0  Repeated 0

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
    base_address: 0x01f71000
    length: 143360
    protection: 32 (PAGE_EXECUTE_READ)
    stack_dep_bypass: 0  stack_pivoted: 0  heap_dep_bypass: 1
    Status 1 (success)  Return 0  Repeated 0
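The memory-protection rows above, triaged by a hand-written script. This is an added example, not ZeroBOX code: it decodes the PAGE_* protection value, reads the NTSTATUS return, collapses identical consecutive rows, and flags what an unpacking stub usually shows in a trace (RWX memory, execute rights on stack pages, a payload-sized region flipped to executable). The records in REPORT_CALLS are transcribed from this report; the field name "return_value" and the 64 KiB PAYLOAD_MIN_SIZE threshold are the example's own choices.

```python
"""Triage of the NtAllocateVirtualMemory / NtProtectVirtualMemory rows above.

Added example, not ZeroBOX code. REPORT_CALLS is transcribed from this report;
"return_value" and PAYLOAD_MIN_SIZE are assumptions made for the example.
"""

PAGE_FLAGS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
EXEC_MASK = 0xF0     # any of the four PAGE_EXECUTE* values
WRITE_MASK = 0xCC    # READWRITE, WRITECOPY, EXECUTE_READWRITE, EXECUTE_WRITECOPY
NTSTATUS_NAMES = {0xC0000018: "STATUS_CONFLICTING_ADDRESSES"}   # the one failure code in this report
PAYLOAD_MIN_SIZE = 64 * 1024   # assumption: an executable region this large is a stage, not a stub


def decode_protection(value):
    """0x40 -> 'PAGE_EXECUTE_READWRITE'; 0x104 -> 'PAGE_READWRITE | PAGE_GUARD'."""
    names = [name for bit, name in PAGE_FLAGS.items() if value & bit]
    return " | ".join(names) if names else hex(value)


def nt_success(status):
    """NT_SUCCESS(): severity is Success or Informational, i.e. bit 31 is clear."""
    return (status & 0x80000000) == 0


def collapse(calls):
    """Merge runs of identical consecutive calls into (call, count) pairs."""
    runs = []
    for call in calls:
        if runs and runs[-1][0] == call:
            runs[-1] = (call, runs[-1][1] + 1)
        else:
            runs.append((call, 1))
    return runs


def triage(calls):
    """Return (kind, summary) findings in trace order."""
    findings = []
    for call, count in collapse(calls):
        prot = call["protection"]
        size = call.get("length", call.get("region_size", 0))
        summary = "%s base=%#010x size=%d prot=%s" % (
            call["api"], call["base_address"], size, decode_protection(prot))
        if count > 1:
            summary += " x%d" % count
        if not nt_success(call["return_value"]):
            name = NTSTATUS_NAMES.get(call["return_value"], "unknown NTSTATUS")
            findings.append(("FAILED", "%s -> %#010x %s" % (summary, call["return_value"], name)))
            continue
        if prot & EXEC_MASK and prot & WRITE_MASK:
            findings.append(("RWX", summary))
        if prot & EXEC_MASK and call.get("stack_dep_bypass"):
            findings.append(("STACK-EXEC", summary))      # execute rights on a stack page
        if prot & EXEC_MASK and call.get("heap_dep_bypass") and size >= PAYLOAD_MIN_SIZE:
            findings.append(("STAGE", summary))           # large heap region about to run
    return findings


def _call(api, **fields):
    rec = {"api": api, "process_identifier": 1000, "process_handle": 0xFFFFFFFF,
           "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "return_value": 0}
    rec.update(fields)
    return rec


# The four distinct rows of this report; the 0x0018f000 row appears eleven times in the trace.
REPORT_CALLS = (
    [_call("NtAllocateVirtualMemory", base_address=0x01E40000, region_size=4096,
           allocation_type=0x1000, protection=0x40)]
    + [_call("NtProtectVirtualMemory", base_address=0x00000000, length=4, protection=0x40,
             return_value=0xC0000018)]
    + [_call("NtProtectVirtualMemory", base_address=0x0018F000, length=4096, protection=0x40,
             stack_dep_bypass=1, heap_dep_bypass=1)] * 11
    + [_call("NtProtectVirtualMemory", base_address=0x01F71000, length=143360, protection=0x20,
             heap_dep_bypass=1)]
)

if __name__ == "__main__":
    for kind, summary in triage(REPORT_CALLS):
        print("%-10s %s" % (kind, summary))
```

On this trace the script yields five findings: the RWX allocation, the failed call on address 0, the eleven-fold RWX change on the stack page (flagged twice, as RWX and as STACK-EXEC), and the 143360-byte heap region made PAGE_EXECUTE_READ, which is where a memory dump for the unpacked stage would be taken.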
section DATA: virtual_address 0x00072000, virtual_size 0x0003c334, size_of_data 0x0003c400, entropy 7.0865 bits per byte  description A section with a high entropy has been found
entropy 0.3056  description Overall entropy of this PE file is high  (this second value is not bits per byte but the share of section data that sits in high-entropy sections: 0x3c400 of 0xc5200 bytes)
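The two entropy marks above, reproduced as a script. This is an added example, not ZeroBOX/Cuckoo code: it walks the PE section table, computes Shannon entropy per section, marks a section above 6.8 bits per byte, and marks the file when the marked sections hold more than 20% of all section data by SizeOfRawData (the thresholds the Cuckoo community `packer_entropy` signature uses). The PE it analyses is constructed in `build_test_pe()` from synthetic sections and is not the sample's real layout.

```python
"""Section-entropy heuristic behind the two "entropy" marks in this report.

Added example, not ZeroBOX/Cuckoo code. The PE image is synthetic (built by
build_test_pe); section contents and sizes are assumptions for the example.
"""
import math
import random
import struct

SECTION_ENTROPY_THRESHOLD = 6.8   # bits per byte
FILE_RATIO_THRESHOLD = 0.2        # share of section bytes in high-entropy sections
HIGH_SECTION_MSG = "A section with a high entropy has been found"
HIGH_FILE_MSG = "Overall entropy of this PE file is high"


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk the IMAGE_SECTION_HEADER table of an in-memory PE file."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                     # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "size_of_data": rawsize, "raw": pe[rawptr:rawptr + rawsize]})
    return sections


def packer_entropy(pe):
    """Apply both heuristics; returns the overall ratio and the marks in report order."""
    marks, total, high = [], 0, 0
    for s in parse_sections(pe):
        ent = shannon_entropy(s["raw"])
        total += s["size_of_data"]
        if ent > SECTION_ENTROPY_THRESHOLD:
            high += s["size_of_data"]
            marks.append({"section": s["name"], "virtual_address": s["virtual_address"],
                          "entropy": ent, "description": HIGH_SECTION_MSG})
    ratio = high / total if total else 0.0          # the report's second "entropy" value
    if ratio > FILE_RATIO_THRESHOLD:
        marks.append({"entropy": ratio, "description": HIGH_FILE_MSG})
    return {"ratio": ratio, "marks": marks}


def build_test_pe(sections):
    """Build a minimal, non-runnable PE32 image from (name, raw_bytes, virtual_size) tuples."""
    size_opt, n = 224, len(sections)                        # PE32 optional header size
    headers_len = (0x40 + 4 + 20 + size_opt + 40 * n + 0x1FF) & ~0x1FF   # 512-byte file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, size_opt, 0x0102)  # i386, EXECUTABLE|32BIT
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    table, body = bytearray(), bytearray()
    rawptr, vaddr = headers_len, 0x1000
    for name, raw, vsize in sections:
        rawsize = (len(raw) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\x00"), vsize, vaddr,
                             rawsize, rawptr if rawsize else 0, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(rawsize, b"\x00")
        rawptr += rawsize
        vaddr += max(0x1000, (vsize + 0xFFF) & ~0xFFF)
    headers = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + bytes(table)
    return headers.ljust(headers_len, b"\x00") + bytes(body)


# Constructed sections (assumption: not the sample's real layout), Delphi-style names as in this report.
_rng = random.Random(7)
SAMPLE_SECTIONS = [
    ("CODE", bytes(range(16)) * 512, 0x2000),                            # 8 KiB repeating pattern: exactly 4.0 bits/byte
    ("DATA", bytes(_rng.getrandbits(8) for _ in range(0x1000)), 0x1000), # 4 KiB pseudo-random: stands in for a packed payload
    ("BSS", b"", 0x2000),                                                # uninitialised: SizeOfRawData 0, as for Delphi BSS
]

if __name__ == "__main__":
    for m in packer_entropy(build_test_pe(SAMPLE_SECTIONS))["marks"]:
        print(m)
```

With these sections the DATA section is the only one marked, and the file-level ratio is 4096 / (8192 + 4096) = 1/3, above the 0.2 threshold; the same arithmetic on the report's figures gives 0x3c400 / 0xc5200 = 0.3056. Running it on a real file is a matter of passing `open(path, "rb").read()` to `packer_entropy()`.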
Antivirus (vendor, detection name)

Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Generic.4!c
MicroWorld-eScan Gen:Variant.Jaik.156859
FireEye Generic.mg.8c1e52ac9553fab1
Malwarebytes Trojan.MalPack.DLF
Sangfor Downloader.Win32.Modiloader.Vsyp
K7AntiVirus Trojan-Downloader ( 005a85951 )
Alibaba TrojanDownloader:Win32/ModiLoader.5daab9fc
K7GW Trojan-Downloader ( 005a85951 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Jaik.D264BB
Cyren W32/ModiLoader.A.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/TrojanDownloader.ModiLoader.VW
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky HEUR:Trojan-PSW.Win32.DarkCloud.gen
BitDefender Trojan.GenericKD.68274508
Avast Win32:DropperX-gen [Drp]
Sophos Mal/Generic-S
F-Secure Trojan.TR/AD.DelfDownloader.wsqeh
DrWeb Trojan.Inject4.59209
VIPRE Gen:Variant.Jaik.156859
TrendMicro TROJ_GEN.R002C0XGK23
McAfee-GW-Edition BehavesLike.Win32.Generic.bh
Emsisoft Trojan.GenericKD.68274508 (B)
Ikarus Trojan.Win32.Bublik
Webroot W32.Trojan.Gen
Avira TR/AD.DelfDownloader.wsqeh
MAX malware (ai score=84)
Antiy-AVL Trojan[Downloader]/Win32.Modiloader
Microsoft Trojan:Win32/Remcos.ARC!MTB
ZoneAlarm HEUR:Trojan-PSW.Win32.DarkCloud.gen
GData Trojan.GenericKD.68274508
Google Detected
AhnLab-V3 Trojan/Win.Generic.R592831
McAfee Artemis!8C1E52AC9553
VBA32 Malware-Cryptor.Inject.gen
Cylance unsafe
Panda Trj/RnkBend.A
TrendMicro-HouseCall TROJ_GEN.R002C0XGK23
Rising Downloader.Agent!1.E646 (CLASSIC)
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/ModiLoader.VW!tr.dldr
AVG Win32:DropperX-gen [Drp]
Cybereason malicious.133d7e
DeepInstinct MALICIOUS