Summary | ZeroBOX

winlog.exe

MPRESS UPX PE64 PE File
Category FILE
Machine s1_win7_x6403_us
Started Sept. 4, 2023, 7:38 a.m.
Completed Sept. 4, 2023, 7:43 a.m.
Size 3.5MB
Type MS-DOS executable, MZ for MS-DOS
MD5 062fe47e8efc9041880ed273eda7c8f3
SHA256 589b49a8e56beb55dcdacec0cdc3e04949eaa678df53d720ba940c7193130344
CRC32 5467FBB4
ssdeep 98304:Qs1IP7M+tBbnp5KsWEjGnT6iWB7cXWvdeMl+0WyC6oxgfMapH:VoA+3n7KsWEQTUqX8dedyXw2pH
Yara
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • MPRESS_Zero - MPRESS packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .MPRESS1
section .MPRESS2
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x77710895
stacktrace+0x84 memdup-0x1af @ 0x749a0470
hook_in_monitor+0x45 lde-0x133 @ 0x749942ea
New_ntdll_NtProtectVirtualMemory+0x34 New_ntdll_NtQueryAttributesFile-0x151 @ 0x749b3603
VirtualProtectEx+0x33 MapViewOfFile-0x2d kernelbase+0x13243 @ 0x7fefdc03243
VirtualProtect+0x1b VirtualProtectEx-0x15 kernelbase+0x131fb @ 0x7fefdc031fb
winlog+0x1fcb05 @ 0xeecb05
GetProcessAffinityMask+0x80 SetThreadContext-0x20 kernel32+0x2ef0 @ 0x76fc2ef0
0x891fff (this frame is repeated 56 times in the captured stack trace)

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x77710895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 4190120
registers.rsi: 22556672
registers.r10: 0
registers.rbx: 1996238576
registers.rsp: 4192376
registers.r11: 514
registers.r8: 64
registers.r9: 4
registers.rdx: 4191464
registers.r12: 0
registers.rbp: 0
registers.rdi: 13566319
registers.rax: 4189800
registers.r13: 0
1 0 0
section .MPRESS1: size_of_data 0x00375600, virtual_address 0x00001000, virtual_size 0x00893000, entropy 7.99995521314; description: A section with a high entropy has been found
entropy 0.996623047699; description: Overall entropy of this PE file is high
Bkav W32.AIDetectMalware.64
Lionic Trojan.Win32.ClipBanker.Z!c
MicroWorld-eScan Trojan.GenericKD.69074924
FireEye Generic.mg.062fe47e8efc9041
McAfee Artemis!062FE47E8EFC
Cylance unsafe
Sangfor Banker.Win32.Gencbl.Vqjd
Alibaba TrojanBanker:Win32/ClipBanker.18e030b7
Cybereason malicious.5fce64
Arcabit Trojan.Generic.D41DFFEC
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/GenCBL.DHF
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky Trojan-Banker.Win32.ClipBanker.zgk
BitDefender Trojan.GenericKD.69074924
Avast Win64:BankerX-gen [Trj]
Tencent Win32.Trojan.FalseSign.Ywhl
Emsisoft Trojan.GenericKD.69074924 (B)
F-Secure Trojan.TR/Spy.Banker.zmjem
VIPRE Trojan.GenericKD.69074924
TrendMicro Trojan.Win64.AMADEY.YXDIAZ
McAfee-GW-Edition Artemis!Trojan
Trapmine malicious.high.ml.score
Sophos Mal/Generic-S
Avira TR/Spy.Banker.zmjem
Gridinsoft Malware.Win64.Laplas.bot
Microsoft Trojan:Win32/Sabsik.TE.B!ml
ZoneAlarm Trojan-Banker.Win32.ClipBanker.zgk
GData Trojan.GenericKD.69074924
AhnLab-V3 Trojan/Win.Generic.R596268
ALYac Trojan.GenericKD.69074924
MAX malware (ai score=80)
Panda Trj/Chgt.AD
TrendMicro-HouseCall Trojan.Win64.AMADEY.YXDIAZ
Rising Trojan.GenCBL!8.12138 (CLOUD)
Ikarus Trojan-Spy.LaplasClipper
AVG Win64:BankerX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_90% (W)