popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

55aa5e.exe

Emotet Malicious Library UPX VMProtect PE File OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Sept. 21, 2023, 10:16 a.m. Sept. 21, 2023, 10:19 a.m.
Size 6.9MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 56c197e493f74f9233a16cdefab3109f
SHA256 172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01
CRC32 8FF1D841
ssdeep 98304:ULop5mhzd71cBjG9Azp56BV8cM0AnwGSOnTXsYGeCW1zbiG54WeOVEMMRHGV7E:0op5mqU9KE8nNZnTXaexbZWsMGV7E
Yara
  • Malicious_Library_Zero - Malicious_Library
  • Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • VMProtect_Zero - VMProtect packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .vmp0
section .vmp1
section .vmp2
resource name TYPELIB
resource name None
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00800000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
cmdline "C:\Windows\System32\cmd.exe" /k shutdown -s -t 0
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: cmd
parameters: /k shutdown -s -t 0
filepath: cmd
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00800000
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x00638e00', u'virtual_address': u'0x00382000', u'entropy': 7.969804323554949, u'name': u'.vmp2', u'virtual_size': u'0x00638c90'} entropy 7.96980432355 description A section with a high entropy has been found
entropy 0.898343320409 description Overall entropy of this PE file is high
cmdline "C:\Windows\System32\cmd.exe" /k shutdown -s -t 0
cmdline cmd /k shutdown -s -t 0
cmdline shutdown -s -t 0
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
section .vmp2 description Section name indicates VMProtect
Bkav W32.AIDetectMalware
Malwarebytes Malware.Heuristic.1003
Sangfor Trojan.Win32.Agent.V354
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta Gen:NN.ZexaF.36662.@J0@a4h0yuni
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/TrojanDownloader.Amadey.A
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
Rising Stealer.Agent!8.C2 (TFE:5:ARQLZM72JmD)
McAfee-GW-Edition BehavesLike.Win32.Dropper.vc
Trapmine malicious.high.ml.score
FireEye Generic.mg.56c197e493f74f92
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
ZoneAlarm UDS:DangerousObject.Multi.Generic
VBA32 BScope.TrojanPSW.Coins
Cylance unsafe
TrendMicro-HouseCall TROJ_GEN.R002H0DIK23
Cybereason malicious.fd5d88
DeepInstinct MALICIOUS