Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 3, 2023, 10:19 a.m.	Aug. 3, 2023, 10:25 a.m.

Size	783.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`79e5648312a58377ef76d2346404ef12`
SHA256	`7d537e6551b2b3274942aa184949fda010e0c2a1a5ce9b8a3924f34b6e79ad9e`
CRC32	`366135B3`
ssdeep	`12288:7q9zUX+2NAOdFyglsKMlCbuGg4Ut8wNCPAJFfriiiag72asGS99Spo+:uF8NAOLyglAlCb7gX/NCoziiiXDp`
Yara	UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description)

Excel.exe "C:\Users\test22\AppData\Local\Temp\Excel.exe"
1880

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

Allocates read-write-execute memory (usually to unpack itself) (13 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Aug. 3, 2023, 10:19 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Aug. 3, 2023, 10:19 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 3, 2023, 10:19 a.m.	process_identifier: 1880 region_size: 4000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b75fc allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 3, 2023, 10:19 a.m.	process_identifier: 1880 region_size: 4000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b75fc allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 3, 2023, 10:19 a.m.	process_identifier: 1880 region_size: 4000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b75fc allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 3, 2023, 10:19 a.m.	process_identifier: 1880 region_size: 4000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b75fc allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 3, 2023, 10:19 a.m.	process_identifier: 1880 region_size: 4000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b75fc allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 3, 2023, 10:19 a.m.	process_identifier: 1880 region_size: 4000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b75fc allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 3, 2023, 10:19 a.m.	process_identifier: 1880 region_size: 4000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b75fc allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 3, 2023, 10:19 a.m.	process_identifier: 1880 region_size: 4000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b75fc allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 3, 2023, 10:19 a.m.	process_identifier: 1880 region_size: 4000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b75fc allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 3, 2023, 10:19 a.m.	process_identifier: 1880 region_size: 4000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b75fc allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Aug. 3, 2023, 10:19 a.m.	process_identifier: 1880 region_size: 4000 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b75fc allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff		3221225496

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 3, 2023, 10:19 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 151552 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00551000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0005ae00', u'virtual_address': u'0x00059000', u'entropy': 7.490863421492952, u'name': u'.data', u'virtual_size': u'0x0005ac38'}

entropy

7.49086342149

description

A section with a high entropy has been found

entropy

0.464833759591

description

Overall entropy of this PE file is high

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetectMalware
DrWeb	Trojan.Siggen21.14228
MicroWorld-eScan	Trojan.GenericKD.68486978
McAfee	Artemis!79E5648312A5
Malwarebytes	Trojan.MalPack.DLF
Sangfor	Trojan.Win32.Save.a
Arcabit	Trojan.Generic.D4150742
VirIT	Trojan.Win32.Genus.SMS
Cyren	W32/Trojan.KTST-6792
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.ModiLoader.VT
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	Trojan-PSW.Win32.Stealer.bqmo
BitDefender	Trojan.GenericKD.68486978
Avast	Win32:DropperX-gen [Drp]
Emsisoft	Trojan.GenericKD.68486978 (B)
F-Secure	Trojan.TR/AD.Nekark.nbrwq
McAfee-GW-Edition	BehavesLike.Win32.ObfuscatedPoly.bc
FireEye	Generic.mg.79e5648312a58377
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Malware.Gen
Avira	TR/AD.Nekark.nbrwq
Antiy-AVL	Trojan[Downloader]/Win32.Modiloader
Gridinsoft	Trojan.Win32.Gen.bot
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	Trojan-PSW.Win32.Stealer.bqmo
GData	Trojan.GenericKD.68486978
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5465046
VBA32	BScope.Backdoor.RmRAT
MAX	malware (ai score=83)
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002H0DH223
Rising	Spyware.Noon!8.E7C9 (TFE:4:TINB2tV9JaQ)
Ikarus	Win32.SuspectCrc
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/ModiLoader.VT!tr.dldr
AVG	Win32:DropperX-gen [Drp]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (W)

Excel.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All