Summary | ZeroBOX

clean.exe

Emotet Gen1 Malicious Library UPX PE File PE32 CAB
Category FILE
Machine s1_win7_x6401
Started Sept. 27, 2023, 5:31 p.m.
Completed Sept. 27, 2023, 5:33 p.m.
Size 292.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 9fa10337d494e4b832b790bd53352fc4
SHA256 4b28a89571ba4324f84c4ae236a7e04f72175377d987c7a66d7c51b79df831ae
CRC32 59B9DC1A
ssdeep 6144:osehzRFMaxy3iorkQEp42Tg5Y7ow1plyROoBc3TBNEE:orAaxCio0TDkw1OMJ3tNEE
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • CAB_file_format - CAB archive file
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

Name | Response | Post-Analysis Lookup
No hosts contacted.
IP Address | Status | Action
164.124.101.2 | Active | Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

resource name AVI
Time & API | Arguments | Status | Return | Repeated

__exception__

stacktrace:
TF_CreateCategoryMgr+0x173 TF_GetInputScope-0x19c msctf+0x13c6a @ 0x75a93c6a
TF_CreateCategoryMgr+0x119 TF_GetInputScope-0x1f6 msctf+0x13c10 @ 0x75a93c10
CtfImeInquireExW+0x138 TF_CreateCategoryMgr-0xfa6 msctf+0x12b51 @ 0x75a92b51
CtfImeInquireExW+0x380 TF_CreateCategoryMgr-0xd5e msctf+0x12d99 @ 0x75a92d99
CtfImeInquireExW+0x354 TF_CreateCategoryMgr-0xd8a msctf+0x12d6d @ 0x75a92d6d
CtfImeInquireExW+0x328 TF_CreateCategoryMgr-0xdb6 msctf+0x12d41 @ 0x75a92d41
TF_CreateCategoryMgr+0x14a TF_GetInputScope-0x1c5 msctf+0x13c41 @ 0x75a93c41
TF_CreateCategoryMgr+0x1ff TF_GetInputScope-0x110 msctf+0x13cf6 @ 0x75a93cf6
CtfImeAssociateFocus+0x133 TF_GetThreadFlags-0x584 msctf+0x540b @ 0x75a8540b
CtfImeAssociateFocus+0x34 TF_GetThreadFlags-0x683 msctf+0x530c @ 0x75a8530c
ImmSetActiveContext+0x9d CtfImmGetTMAEFlags-0xaa imm32+0x122e3 @ 0x759d22e3
CreateWindowExA+0x7b9 LoadCursorA-0xee user32+0x1d9e7 @ 0x7585d9e7
UnregisterClassW+0xe75 LoadIconW-0x349 user32+0x1adf9 @ 0x7585adf9
ReleaseDC+0x172 CharLowerBuffW-0x53 user32+0x175b8 @ 0x758575b8
ReleaseDC+0x1a7 CharLowerBuffW-0x1e user32+0x175ed @ 0x758575ed
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75856de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75856e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x76f2011a
clean+0x53de @ 0x10053de
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetCursor+0x2ff DrawStateW-0x265 user32+0x3f9df @ 0x7587f9df
GetCursor+0xa4 DrawStateW-0x4c0 user32+0x3f784 @ 0x7587f784
DrawTextExA+0xd4 CreateDialogIndirectParamA-0x7d user32+0x2afac @ 0x7586afac
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x7585965e
SetKeyboardState+0xbbd CliImmSetHotKey-0x12c9e user32+0x4206f @ 0x7588206f
DialogBoxIndirectParamAorW+0xf7 SetDlgItemTextW-0x55 user32+0x3cf4b @ 0x7587cf4b
DialogBoxIndirectParamAorW+0x36 SetDlgItemTextW-0x116 user32+0x3ce8a @ 0x7587ce8a
DialogBoxIndirectParamA+0x1b CreateCursor-0x9 user32+0x5ce7f @ 0x7589ce7f
clean+0x4380 @ 0x1004380
clean+0x54df @ 0x10054df
clean+0x5d00 @ 0x1005d00
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 43 3b 5e 08 0f 8d 06 82 fe ff eb db 8b
exception.symbol: CtfImeIsIME+0x2113 DllUnregisterServer-0x10fc3 msctf+0x2baa2
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 178850
exception.address: 0x75aabaa2
registers.esp: 848972
registers.edi: 2248592
registers.eax: 15632920
registers.ebp: 849008
registers.edx: 848988
registers.ebx: 0
registers.esi: 2248804
registers.ecx: 1923241916
status: 1, return: 0, repeated: 0

__exception__

stacktrace:
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a
DialogBoxIndirectParamW+0x20a DialogBoxIndirectParamAorW-0x57 user32+0x3cdfd @ 0x7587cdfd
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7587cf5c
DialogBoxIndirectParamAorW+0x36 SetDlgItemTextW-0x116 user32+0x3ce8a @ 0x7587ce8a
DialogBoxIndirectParamA+0x1b CreateCursor-0x9 user32+0x5ce7f @ 0x7589ce7f
clean+0x4380 @ 0x1004380
clean+0x54df @ 0x10054df
clean+0x5d00 @ 0x1005d00
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x72a63c8c
registers.esp: 850940
registers.edi: 0
registers.eax: 1923497100
registers.ebp: 850980
registers.edx: 0
registers.ebx: 0
registers.esi: 1923497100
registers.ecx: 5573992
status: 1, return: 0, repeated: 0
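The two exception records above list registers in decimal and split the faulting location across exception.address, exception.offset and the last token of exception.symbol. The following Python is an added example, not ZeroBOX's or Cuckoo's code: it normalises such a record by rendering the registers in hex, recovering the module base as address minus the symbol offset, checking that exception.offset agrees with that offset, resolving the memory operand of the faulting instruction from the register values, and listing which registers hold the faulting address itself. Both records are copied from the report above; the field parser is mine and assumes the "key: value" layout shown.

```python
import re

# Exception record 1, copied from the report above (ZeroBOX/Cuckoo layout).
RECORD_1 = """\
exception.instruction_r: ff 51 0c 43 3b 5e 08 0f 8d 06 82 fe ff eb db 8b
exception.symbol: CtfImeIsIME+0x2113 DllUnregisterServer-0x10fc3 msctf+0x2baa2
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 178850
exception.address: 0x75aabaa2
registers.esp: 848972
registers.edi: 2248592
registers.eax: 15632920
registers.ebp: 849008
registers.edx: 848988
registers.ebx: 0
registers.esi: 2248804
registers.ecx: 1923241916
"""

# Exception record 2, copied from the report above (no symbol was resolved).
RECORD_2 = """\
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x72a63c8c
registers.esp: 850940
registers.edi: 0
registers.eax: 1923497100
registers.ebp: 850980
registers.edx: 0
registers.ebx: 0
registers.esi: 1923497100
registers.ecx: 5573992
"""

# Last token of exception.symbol: "<module>+0x<offset>".
MODULE_OFFSET_RE = re.compile(r"(?P<module>\w+)\+0x(?P<offset>[0-9a-f]+)$", re.I)
# x86 memory operand of the form "[reg]" or "[reg + 0xNN]".
MEM_OPERAND_RE = re.compile(r"\[(?P<base>e[a-z]{2})(?:\s*\+\s*0x(?P<disp>[0-9a-f]+))?\]", re.I)


def to_int(value: str) -> int:
    """Cuckoo prints addresses in hex but register values in decimal."""
    value = value.strip()
    return int(value, 16) if value.lower().startswith("0x") else int(value, 10)


def parse_record(text: str) -> dict:
    """Turn 'key: value' lines into a dict; an empty value (exception.symbol) stays ''."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def decode_exception(text: str) -> dict:
    f = parse_record(text)
    address = to_int(f["exception.address"])
    regs = {k.split(".", 1)[1]: to_int(v) for k, v in f.items() if k.startswith("registers.")}
    result = {
        "code": f.get("exception.exception_code"),
        "address": f"0x{address:08x}",
        "registers": {r: f"0x{v:08x}" for r, v in regs.items()},
        "module": None,
        "module_base": None,
        "offset_consistent": None,  # does exception.offset match the symbol's module offset?
        "address_in_registers": sorted(r for r, v in regs.items() if v == address),
        "memory_operand": None,     # effective address read/called by the faulting instruction
    }
    m = MODULE_OFFSET_RE.search(f.get("exception.symbol", ""))
    if m:
        offset = int(m["offset"], 16)
        result["module"] = m["module"]
        result["module_base"] = f"0x{address - offset:08x}"
        if "exception.offset" in f:
            result["offset_consistent"] = to_int(f["exception.offset"]) == offset
    m = MEM_OPERAND_RE.search(f.get("exception.instruction", ""))
    if m and m["base"].lower() in regs:
        disp = int(m["disp"], 16) if m["disp"] else 0
        result["memory_operand"] = f"0x{regs[m['base'].lower()] + disp:08x}"
    return result


if __name__ == "__main__":
    for record in (RECORD_1, RECORD_2):
        for key, value in decode_exception(record).items():
            print(f"{key:<22} {value}")
        print()
```

For the first record the derived base 0x75a80000 also agrees with every msctf frame in the stack trace (for example msctf+0x13c6a @ 0x75a93c6a). For the second record no module is resolved, and eax and esi both equal the faulting address, which the decoder reports without interpreting.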
Time & API | Arguments | Status | Return | Repeated

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b71000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73941000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0
Time & API | Arguments | Status | Return | Repeated

GetDiskFreeSpaceW

number_of_free_clusters: 3252567
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
status: 1, return: 1, repeated: 0

GetDiskFreeSpaceW

number_of_free_clusters: 3252567
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
status: 1, return: 1, repeated: 0
APEX Malicious
Rising Trojan.Generic@AI.82 (RDML:ghqO4y8+S0gukFIfWfS1BQ)
Trapmine malicious.moderate.ml.score
MaxSecure Trojan.Malware.300983.susgen
section .rsrc (virtual_address 0x0000c000, virtual_size 0x0003f9d0, size_of_data 0x0003fa00, entropy 7.85433678459445) description A section with a high entropy has been found
entropy 0.873070325901 description Overall entropy of this PE file is high
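The two entropy findings above are the per-section Shannon entropy of the raw section data and an "overall" figure; the latter is assumed here to be the share of section bytes that sit in high-entropy sections, which is what the added Python below computes (this is an added example, not ZeroBOX's or Cuckoo's own signature code, and the thresholds of 6.8 bits per byte for a section and 0.2 for the packed ratio are assumptions). It parses the PE section table with the standard library, and, so that it runs offline, builds a constructed throwaway PE32 container with one repetitive "code" section and one pseudo-random "resource" section; the values it reports for that container are constructed, not the sample's.

```python
import math
import random
import struct
from collections import Counter

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

# Assumed thresholds (not taken from the report): a section above
# SECTION_ENTROPY_LIMIT bits/byte is treated as packed or encrypted, and the
# file is flagged when the share of section bytes in such sections exceeds
# PACKED_RATIO_LIMIT.
SECTION_ENTROPY_LIMIT = 6.8
PACKED_RATIO_LIMIT = 0.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe_sections(blob: bytes) -> list:
    """Walk the DOS and COFF headers and return one dict per section with its raw-data entropy."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    first_hdr = coff + 20 + opt_size  # the section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(blob, first_hdr + 40 * i)
        raw = blob[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "size_of_data": rawsize,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packed_data_ratio(sections: list) -> float:
    """Fraction of all section bytes that live in high-entropy sections."""
    total = sum(s["size_of_data"] for s in sections)
    high = sum(s["size_of_data"] for s in sections if s["entropy"] > SECTION_ENTROPY_LIMIT)
    return high / total if total else 0.0


def build_test_pe(sections: list) -> bytes:
    """Constructed minimal PE32 container: enough headers for parse_pe_sections(), nothing runnable."""
    opt = bytes(224)  # zeroed PE32 optional header (0xE0 bytes)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    header_bytes = 0x40 + 4 + len(coff) + len(opt) + SECTION_HDR.size * len(sections)
    raw_base = (header_bytes + 0x1FF) & ~0x1FF  # FileAlignment 0x200
    table, body, va = b"", b"", 0x1000
    for name, data in sections:
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), len(data), va, len(data),
                                  raw_base + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
        va += (len(data) + 0xFFF) & ~0xFFF  # SectionAlignment 0x1000
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    blob = dos + b"PE\0\0" + coff + opt + table
    return blob + bytes(raw_base - len(blob)) + body


def demo_sections() -> list:
    """Constructed sample data: a repetitive 'code' section and a pseudo-random 'resource' section."""
    rng = random.Random(0x5EED)
    text = b"\x8b\xff\x55\x8b\xec" * 2000                   # 10,000 bytes, about 1.9 bits/byte
    rsrc = bytes(rng.getrandbits(8) for _ in range(40000))   # 40,000 bytes, close to 8.0 bits/byte
    return [(b".text", text), (b".rsrc", rsrc)]


def analyse(blob: bytes) -> dict:
    sections = parse_pe_sections(blob)
    ratio = packed_data_ratio(sections)
    return {"sections": sections, "packed_ratio": ratio, "flag_packed": ratio > PACKED_RATIO_LIMIT}


if __name__ == "__main__":
    report = analyse(build_test_pe(demo_sections()))
    for s in report["sections"]:
        print(f"{s['name']:<8} va=0x{s['virtual_address']:08x} "
              f"size=0x{s['size_of_data']:08x} entropy={s['entropy']:.3f}")
    print(f"packed ratio {report['packed_ratio']:.3f} -> "
          f"{'high' if report['flag_packed'] else 'normal'}")
```

To run it against a real sample, pass the file's bytes to analyse() instead of the constructed container. On the constructed input the pseudo-random section alone pushes the packed ratio to 0.8, which is the same shape as the report's finding: a single high-entropy .rsrc section that holds most of the file's section data.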