popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

dhvedok.exe

HermeticWiper UPX Malicious Library MZP Format PE File PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us July 28, 2023, 10:22 a.m. July 28, 2023, 10:26 a.m.
Size 4.1MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f0f5e6f32198fa1837b3090b7fd71fbb
SHA256 b8cdfada8522638a45efdac45fe27eb60b9860222d2486036e12d4a18688445b
CRC32 65E8EBF4
ssdeep 6144:sB5f3YwKrMducTng1RxdBNE8ZOoXzeprQoXwg4kVUm+vL1kXwT/vEVelKh:If3zKrMduNndr3zDepGkVwvhHXEV00
Yara
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format
  • HermeticWiper_Zero - HermeticWiper
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section CODE
section DATA
section BSS
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 184
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 184
region_size: 3899392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ff0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 184
region_size: 3899392
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x033b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 184
region_size: 3002368
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03a40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 28672
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: ffffffffffff
parameters:
filepath: ffffffffffff
0 0
Bkav W32.Common.96094C9A
Lionic Trojan.Win32.Bsymem.4!c
MicroWorld-eScan Gen:Variant.Zusy.478152
FireEye Gen:Variant.Zusy.478152
ALYac Gen:Variant.Zusy.478152
Cylance unsafe
Sangfor Trojan.Win32.Coroxy.Vdpl
K7AntiVirus Trojan ( 005a93281 )
Alibaba Trojan:Win32/Bsymem.df03e561
K7GW Trojan ( 005a93281 )
Arcabit Trojan.Zusy.D74BC8
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/GenKryptik.GMCW
Cynet Malicious (score: 99)
APEX Malicious
Kaspersky HEUR:Trojan.Win32.Bsymem.gen
BitDefender Gen:Variant.Zusy.478152
ViRobot Trojan.Win.Z.Zusy.4297728
Avast Win32:CrypterX-gen [Trj]
Tencent Malware.Win32.Gencirc.11b4bce1
Emsisoft Gen:Variant.Zusy.478152 (B)
F-Secure Trojan.TR/AD.Coroxy.cjseu
VIPRE Gen:Variant.Zusy.478152
McAfee-GW-Edition BehavesLike.Win32.ObfuscatedPoly.rz
Sophos Mal/Generic-S
Webroot W32.Trojan.Gen
Avira TR/AD.Coroxy.cjseu
MAX malware (ai score=85)
Xcitium Malware@#3kok1b3xb9wgo
Microsoft Trojan:Win32/Coroxy.XY!MTB
ZoneAlarm HEUR:Trojan.Win32.Bsymem.gen
GData Gen:Variant.Zusy.478152
Google Detected
AhnLab-V3 Trojan/Win.CrypterX-gen.R593359
McAfee GenericRXWG-IW!F0F5E6F32198
VBA32 Malware-Cryptor.2LA.gen
Malwarebytes Malware.AI.220396235
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H0CGQ23
Rising Trojan.Bsymem!8.FAE7 (TFE:3:NeRRuyY8ThO)
Ikarus Trojan.Win32.Krypt
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Injector.ETDG!tr
AVG Win32:CrypterX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)