Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 21, 2023, 10:26 a.m.	Sept. 21, 2023, 10:29 a.m.

Size	1.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`047324921fcd5ca64134a367d389e900`
SHA256	`34a8af0af0e818443b87f59fcbb5c10af500f1b45c9b3d1e7d6aecc494d009f5`
CRC32	`D40F3418`
ssdeep	`12288:eo1mZWdG+Q25wOymUo04zNbv/dY/gmfXJJG2uZX8H5ZravCBhOX:e0pG+F53ycRVv/eIKGfZX8H5tav6s`
Yara	Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) mzp_file_format - MZP(Delphi) file format

Akjnagosfmwanr.exe "C:\Users\test22\AppData\Local\Temp\Akjnagosfmwanr.exe"
1880

Name	Response	Post-Analysis Lookup
wedhstinwell.online

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 21, 2023, 10:27 a.m.	stacktrace: 0x2f87672 0x2f876a5 0x2f875c0 0x2f7e46c 0x2f8fbe6 0x2f97ec4 DriverCallback+0x4e waveOutOpen-0xa2e winmm+0x3af0 @ 0x73333af0 timeEndPeriod+0x54a timeKillEvent-0x57 winmm+0xa535 @ 0x7333a535 timeEndPeriod+0x449 timeKillEvent-0x158 winmm+0xa434 @ 0x7333a434 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 333439540 registers.edi: 1 registers.eax: 333439540 registers.ebp: 333439620 registers.edx: 0 registers.ebx: 333441344 registers.esi: 332312976 registers.ecx: 7	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 62 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Sept. 21, 2023, 10:26 a.m.	process_identifier: 1880 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 21, 2023, 10:26 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 399999996 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406bb4 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Sept. 21, 2023, 10:26 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 399999996 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406bb4 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Sept. 21, 2023, 10:26 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 399999996 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406bb4 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Sept. 21, 2023, 10:26 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 399999996 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406bb4 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Sept. 21, 2023, 10:26 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 399999996 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406bb4 process_handle: 0xffffffff		3221225496
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752169d5 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75216426 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75219c4f process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fb1195 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fa1177 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fb1159 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fa647a process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f85cb4 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72faa712 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477
NtProtectVirtualMemory Sept. 21, 2023, 10:27 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225477

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 21, 2023, 10:26 a.m.	process_identifier: 1880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x02f71000 process_handle: 0xffffffff	1	0	0

File has been identified by 44 AntiVirus engines on VirusTotal as malicious (44 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Noon.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Zusy.491193
FireEye	Generic.mg.047324921fcd5ca6
McAfee	Artemis!047324921FCD
Malwarebytes	Trojan.MalPack.DLF
Sangfor	Trojan.Win32.Save.a
Alibaba	TrojanSpy:Win32/ModiLoader.e52a7897
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Strictor.D44EA2
VirIT	Trojan.Win32.PSWStealer.DTO
Cyren	W32/ModiLoader.A.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.ModiLoader.WW
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	Trojan-Spy.Win32.Noon.bewy
BitDefender	Gen:Variant.Zusy.491193
Avast	Win32:DropperX-gen [Drp]
Emsisoft	Gen:Variant.Zusy.491193 (B)
DrWeb	Trojan.DownLoader46.2190
McAfee-GW-Edition	BehavesLike.Win32.Worm.th
Sophos	Mal/Generic-S
Jiangmin	TrojanSpy.Noon.teg
Webroot	W32.Trojan.Gen
Antiy-AVL	Trojan[Downloader]/Win32.Delf
Microsoft	Trojan:Win32/ModiLoader.RVC!MTB
ViRobot	Trojan.Win.Z.Modiloader.1134592.A
ZoneAlarm	Trojan-Spy.Win32.Noon.bewy
GData	Gen:Variant.Zusy.491193
Google	Detected
AhnLab-V3	Trojan/Win.Remcos.R570879
VBA32	TScope.Trojan.Delf
MAX	malware (ai score=84)
Cylance	unsafe
Panda	Trj/Chgt.AD
Rising	Downloader.Agent!1.E646 (CLASSIC)
Ikarus	Trojan.Inject
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Formbook.AA!tr
AVG	Win32:DropperX-gen [Drp]
Cybereason	malicious.b39322
DeepInstinct	MALICIOUS

Akjnagosfmwanr.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All