Summary | ZeroBOX

qr.png

UPX PE64 PE File
Category: FILE
Machine: s1_win7_x6401
Started: July 22, 2023, 9:41 p.m.
Completed: July 22, 2023, 9:50 p.m.
Size 950.6KB
Type PE32+ executable (console) x86-64, for MS Windows
MD5 07ecd12de259e62383d687d8eac0b089
SHA256 e01e05a89153f718942abf535480ac1d7f311a30f342c571e4c0d42f4785aa61
CRC32 309983FE
ssdeep 24576:BUNa3MUnPbWsANXdgEm2vEP9WlkQyOUkiZ9zkRP:BXXSnNNPsVWlkQVUkiZ9zkRP
Yara
  • UPX_Zero - UPX packed file
  • IsPE64 - (no description)
  • PE_Header_Zero - PE File Signature

Domains (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP addresses (IP Address / Status / Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
strtol+0xcd __C_specific_handler-0x2af ntdll+0x1825d @ 0x76d4825d
RtlFindActivationContextSectionString+0x123 RtlDosApplyFileIsolationRedirection_Ustr-0x5ed ntdll+0x588a3 @ 0x76d888a3
RtlFindActivationContextSectionString+0x5b6 RtlDosApplyFileIsolationRedirection_Ustr-0x15a ntdll+0x58d36 @ 0x76d88d36
RtlDosApplyFileIsolationRedirection_Ustr+0x2cb LdrGetDllHandle-0x445 ntdll+0x5915b @ 0x76d8915b
RtlDosApplyFileIsolationRedirection_Ustr+0x478 LdrGetDllHandle-0x298 ntdll+0x59308 @ 0x76d89308
LdrLoadDll+0x1c8 RtlOpenCurrentUser-0x318 ntdll+0x27c58 @ 0x76d57c58
LdrLoadDll+0x9e RtlOpenCurrentUser-0x442 ntdll+0x27b2e @ 0x76d57b2e
New_ntdll_LdrLoadDll+0xaf New_ntdll_LdrUnloadDll-0xd9 @ 0x7398f9f8
LoadLibraryExW+0x19c FreeSid-0xa4 kernelbase+0xa05c @ 0x7fefd4fa05c
LoadLibraryExA+0x51 TlsFree-0x1cf kernelbase+0xd0f1 @ 0x7fefd4fd0f1
LoadLibraryA+0x34 GetVersionExA-0x1c kernel32+0x170a4 @ 0x76c270a4
0x75710c
0x7fffffdf250
qr+0x0 @ 0x400000

exception.instruction_r: 48 8b 73 18 48 85 f6 0f 84 e7 f9 03 00 89 6f 14
exception.symbol: strtol+0xcd __C_specific_handler-0x2af ntdll+0x1825d
exception.instruction: mov rsi, qword ptr [rbx + 0x18]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 98909
exception.address: 0x76d4825d
registers.r14: 0
registers.r15: 0
registers.rcx: 0
registers.rsi: 7077927
registers.r10: 1669144
registers.rbx: 4194304
registers.rsp: 1671144
registers.r11: 1669016
registers.r8: 1668516
registers.r9: 1668536
registers.rdx: 1668520
registers.r12: 5344
registers.rbp: 1672376
registers.rdi: 7078010
registers.rax: 1672464
registers.r13: 8
1 0 0

__exception__

stacktrace:
atol+0x62 qsort-0x202 ntdll+0x664e @ 0x76d3664e
MD5Final+0x635 TpDbgSetLogRoutine-0xff9b ntdll+0x92c05 @ 0x76dc2c05
RtlUnwindEx+0x4f3 RtlRaiseException-0xa7d ntdll+0x18ae3 @ 0x76d48ae3
RtlDecodePointer+0x13d NtdllDefWindowProc_W-0x131f ntdll+0x29d8d @ 0x76d59d8d
RtlUnwindEx+0x43c RtlRaiseException-0xb34 ntdll+0x18a2c @ 0x76d48a2c
VerSetConditionMask+0x7f4 DbgPrint-0xcc ntdll+0x157c4 @ 0x76d457c4
RtlDecodePointer+0xbd NtdllDefWindowProc_W-0x139f ntdll+0x29d0d @ 0x76d59d0d
RtlUnwindEx+0xbbf RtlRaiseException-0x3b1 ntdll+0x191af @ 0x76d491af
New_ntdll_RtlDispatchException+0x154 New_ntdll_RtlRemoveVectoredContinueHandler-0x33 @ 0x73996df1
KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278
strtol+0xcd __C_specific_handler-0x2af ntdll+0x1825d @ 0x76d4825d
RtlFindActivationContextSectionString+0x123 RtlDosApplyFileIsolationRedirection_Ustr-0x5ed ntdll+0x588a3 @ 0x76d888a3
RtlFindActivationContextSectionString+0x5b6 RtlDosApplyFileIsolationRedirection_Ustr-0x15a ntdll+0x58d36 @ 0x76d88d36
RtlDosApplyFileIsolationRedirection_Ustr+0x2cb LdrGetDllHandle-0x445 ntdll+0x5915b @ 0x76d8915b
RtlDosApplyFileIsolationRedirection_Ustr+0x478 LdrGetDllHandle-0x298 ntdll+0x59308 @ 0x76d89308
LdrLoadDll+0x1c8 RtlOpenCurrentUser-0x318 ntdll+0x27c58 @ 0x76d57c58
LdrLoadDll+0x9e RtlOpenCurrentUser-0x442 ntdll+0x27b2e @ 0x76d57b2e
New_ntdll_LdrLoadDll+0xaf New_ntdll_LdrUnloadDll-0xd9 @ 0x7398f9f8
LoadLibraryExW+0x19c FreeSid-0xa4 kernelbase+0xa05c @ 0x7fefd4fa05c
LoadLibraryExA+0x51 TlsFree-0x1cf kernelbase+0xd0f1 @ 0x7fefd4fd0f1
LoadLibraryA+0x34 GetVersionExA-0x1c kernel32+0x170a4 @ 0x76c270a4
0x75710c
0x7fffffdf250
qr+0x0 @ 0x400000

exception.instruction_r: 8b 01 85 c0 0f 8e 35 1a 02 00 3d ff ff ff 7f 0f
exception.symbol: atol+0x62 qsort-0x202 ntdll+0x664e
exception.instruction: mov eax, dword ptr [rcx]
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 26190
exception.address: 0x76d3664e
registers.r14: 0
registers.r15: 0
registers.rcx: -4294967296
registers.rsi: 7077927
registers.r10: 1993639180
registers.rbx: 4194304
registers.rsp: 1671144
registers.r11: 1662216
registers.r8: 32
registers.r9: 1662416
registers.rdx: 1672464
registers.r12: 5344
registers.rbp: 1672376
registers.rdi: 7078010
registers.rax: -4294967297
registers.r13: 8
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 622592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000006c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 622592
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000400000
process_handle: 0xffffffffffffffff
1 0 0
section .rdata (virtual_address 0x00004000, virtual_size 0x00097a70, size_of_data 0x00097c00) entropy 7.936098151 description A section with a high entropy has been found
entropy 0.667399670148 description Overall entropy of this PE file is high
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.68288510
FireEye Generic.mg.07ecd12de259e623
Malwarebytes Malware.AI.1255799222
Sangfor Trojan.Win64.Cobaltstrike.V4xc
Cybereason malicious.a774eb
Cyren W64/ABRisk.IYHJ-1625
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/GenKryptik.GEGB
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky Trojan.Win32.CobaltStrike.czq
BitDefender Trojan.GenericKD.68288510
Avast Win64:HacktoolX-gen [Trj]
Tencent Win32.Trojan.FalseSign.Msmw
Emsisoft Trojan.GenericKD.68288811 (B)
F-Secure Trojan.TR/Crypt.EPACK.Gen2
DrWeb BackDoor.Meterpreter.157
TrendMicro Backdoor.Win64.COBEACON.YXDGUZ
McAfee-GW-Edition Artemis!Trojan
Sophos Mal/Generic-S
Webroot W32.Trojan.Gen
Avira TR/Crypt.EPACK.Gen2
MAX malware (ai score=80)
Microsoft Trojan:Win64/CobaltStrike.AU!MTB
Gridinsoft Trojan.Win64.CobaltStrike.bot
Arcabit Trojan.Generic.D412012B
ZoneAlarm Trojan.Win32.CobaltStrike.czq
GData Win32.Malware.CobalStrike.VU3Y2S
Google Detected
AhnLab-V3 Malware/Win.Generic.C5459076
McAfee Artemis!07ECD12DE259
Cylance unsafe
TrendMicro-HouseCall Backdoor.Win64.COBEACON.YXDGUZ
Rising Trojan.Meterpreter!8.E532 (TFE:5:GfPDmvfR3RE)
Ikarus Trojan.Rozena
Fortinet W64/GenKryptik.GEGB!tr
AVG Win64:HacktoolX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)