popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

dv4o7f8.exe

Malicious Library UPX ScreenShot AntiDebug PE File OS Processor Check PE32 AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Sept. 12, 2023, 9:12 a.m. Sept. 12, 2023, 9:19 a.m.
Size 910.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 86aec1d77c3b004c38d5ee246499728c
SHA256 eaa4f4d4e90b308f6cda183dcaef8be9b8fa85404aa2635e8457d0a36bf7e46d
CRC32 6B32AFAC
ssdeep 24576:BlG682grdGA/7+AVkIk3T06zFrZi7rDh:w2grdGAz+KkzBFqDh
PDB Path C:\A10\lkbi65k8ttso\output.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

pdb_path C:\A10\lkbi65k8ttso\output.pdb
section .textbss
section .cons
section .00cfg
packer Microsoft Visual C++ V8.0 (Debug)
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
vbc+0xb5eb @ 0xbb5eb
vbc+0x46d7 @ 0xb46d7
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x600fff
registers.esp: 7666780
registers.edi: 7666984
registers.eax: 7666852
registers.ebp: 7666928
registers.edx: 7666892
registers.ebx: 4294828032
registers.esi: 7667276
registers.ecx: 7666904
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00daa000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 660
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00390000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00600000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
buffer Buffer with sha1: 7f2857fb895f5d7e035c231249e5b4fe08c88831
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000074
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000074
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer:
base_address: 0xfffde008
process_identifier: 2056
process_handle: 0x00000074
1 1 0
Process injection Process 660 called NtSetContextThread to modify thread in remote process 2056
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 7667436
registers.edi: 0
registers.eax: 738864
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000070
process_identifier: 2056
1 0 0
Process injection Process 660 resumed a thread in remote process 2056
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000070
suspend_count: 1
process_identifier: 2056
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 76 (SystemFirmwareTableInformation)
3221225507 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2060
thread_handle: 0x00000070
process_identifier: 2056
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000074
1 1 0

NtGetContextThread

 thread_handle: 0x00000070
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000074
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000074
1 0 0

WriteProcessMemory

 buffer:
base_address: 0x000b0000
process_identifier: 2056
process_handle: 0x00000074
1 1 0

WriteProcessMemory

 buffer:
base_address: 0xfffde008
process_identifier: 2056
process_handle: 0x00000074
1 1 0

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 7667436
registers.edi: 0
registers.eax: 738864
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000070
process_identifier: 2056
1 0 0

NtResumeThread

 thread_handle: 0x00000070
suspend_count: 1
process_identifier: 2056
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Generic.4!c
MicroWorld-eScan Gen:Variant.Zusy.488402
Cylance unsafe
Sangfor Trojan.Win32.Kryptik.Vv7y
K7AntiVirus Trojan ( 005aaa221 )
Alibaba Trojan:Win32/Kryptik.e7d87d37
K7GW Trojan ( 005aaa221 )
Cyren W32/Kryptik.KPY.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Kryptik.HUBU
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky HEUR:Backdoor.Win32.Agent.gen
BitDefender Gen:Variant.Zusy.488402
Avast Win32:CrypterX-gen [Trj]
Emsisoft Gen:Variant.Zusy.488402 (B)
DrWeb Trojan.PWS.Siggen3.33599
McAfee-GW-Edition BehavesLike.Win32.Generic.dm
FireEye Gen:Variant.Zusy.488402
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
GData Gen:Variant.Zusy.488402
Webroot W32.Malware.Gen
Gridinsoft Malware.Win32.Gen.bot
Arcabit Trojan.Zusy.D773D2
ZoneAlarm HEUR:Backdoor.Win32.Agent.gen
Microsoft Trojan:Win32/Phoenix.RPY!MTB
Google Detected
AhnLab-V3 Trojan/Win.CrypterX-gen.R604819
McAfee Artemis!86AEC1D77C3B
MAX malware (ai score=87)
VBA32 BScope.TrojanPSW.RedLine
Malwarebytes Spyware.RedLineStealer
Panda Trj/Genetic.gen
Rising Backdoor.Agent!8.C5D (TFE:1:z9fFArxVnvF)
Ikarus Trojan.Win32.Redline
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Kryptik.HUBU!tr
BitDefenderTheta Gen:NN.ZexaE.36662.4KW@aun3q5o
AVG Win32:CrypterX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)