Summary | ZeroBOX

Compiled.exe

Malicious Library Admin Tool (Sysinternals etc ...) UPX Malicious Packer MZP Format PE File OS Processor Check PE32
Category FILE
Machine s1_win7_x6403_us
Started Oct. 7, 2023, 4:13 p.m.
Completed Oct. 7, 2023, 4:18 p.m.
Size 3.1MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 19b2d98085a534439812011db7186839
SHA256 1c38cbd5eeae097261fa990e266f228073aae1731691d29ff69526f376f4f811
CRC32 91637C0B
ssdeep 49152:g8Y1DL0EY2iMG9FTdjSW0IUg1AicUQ0YkCF7qRbFC:gr5L0EBaQ0YvIDC
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • Malicious_Packer_Zero - Malicious Packer
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • mzp_file_format - MZP(Delphi) file format
  • OS_Processor_Check_Zero - OS Processor Check

IP Address Status Action
104.26.8.59 Active Moloch
164.124.101.2 Active Moloch
195.85.201.36 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49161 -> 104.26.8.59:80 2031188 ET POLICY IP Check (myip .com) Potential Corporate Privacy Violation
TCP 192.168.56.103:49161 -> 104.26.8.59:80 2003492 ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 104.26.8.59:80 2031188 ET POLICY IP Check (myip .com) Potential Corporate Privacy Violation
UDP 192.168.56.103:50800 -> 164.124.101.2:53 2027870 ET INFO Observed DNS Query to .world TLD Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
status: 1 return: 1 repeated: 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: WARNING: Task may not run because /ST is earlier than current time.
console_handle: 0x0000000b
status: 1 return: 1 repeated: 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "Persian" has successfully been created.
console_handle: 0x00000007
status: 1 return: 1 repeated: 0
section .itext
section .didata
request GET http://api.myip.com/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2040
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
cmdline "C:\Windows\System32\cmd.exe" /C schtasks /create /tn "Persian" /tr "C:\Users\test22\AppData\Local\Temp\Compiled.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
cmdline cmd.exe /C attrib +h +s C:\Users\test22\AppData\Local\Temp\Compiled.exe
cmdline "C:\Windows\System32\cmd.exe" /C attrib +h +s C:\Users\test22\AppData\Local\Temp\Compiled.exe
cmdline cmd.exe /C schtasks /create /tn "Persian" /tr "C:\Users\test22\AppData\Local\Temp\Compiled.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
cmdline schtasks /create /tn "Persian" /tr "C:\Users\test22\AppData\Local\Temp\Compiled.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: cmd.exe
parameters: /C attrib +h +s C:\Users\test22\AppData\Local\Temp\Compiled.exe
filepath: cmd.exe
status: 1 return: 1 repeated: 0

ShellExecuteExW

show_type: 0
filepath_r: cmd.exe
parameters: /C schtasks /create /tn "Persian" /tr "C:\Users\test22\AppData\Local\Temp\Compiled.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
filepath: cmd.exe
status: 1 return: 1 repeated: 0
cmdline attrib +h +s C:\Users\test22\AppData\Local\Temp\Compiled.exe
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

ordinal: 0
function_address: 0x00ee0f7c
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0
Bkav W32.AIDetectMalware
DrWeb Trojan.DownLoader46.22336
MicroWorld-eScan Trojan.GenericKD.69589757
FireEye Trojan.GenericKD.69589757
Skyhigh Artemis!PUP
ALYac Trojan.GenericKD.69590726
Malwarebytes Trojan.Crypt
Sangfor Trojan.Win32.Agent.Vh5j
Arcabit Trojan.Generic.D425DEC6
BitDefenderTheta Gen:NN.ZelphiF.36738.eV0@auNQcxhi
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Delf.VAK
Cynet Malicious (score: 100)
APEX Malicious
BitDefender Trojan.GenericKD.69589757
Avast Win32:AdwareX-gen [Adw]
Emsisoft Trojan.GenericKD.69589757 (B)
F-Secure Trojan.TR/AD.Nekark.dbxkd
Sophos Generic Reputation PUA (PUA)
Avira TR/AD.Nekark.dbxkd
Antiy-AVL Trojan/Win32.Delf
Gridinsoft Malware.Win32.Downloader.cc
Microsoft Trojan:Win32/Wacatac.B!ml
GData Trojan.GenericKD.69589757
Google Detected
McAfee Artemis!19B2D98085A5
MAX malware (ai score=81)
Cylance unsafe
Rising Trojan.Generic@AI.100 (RDML:RMroeE47vw9SVcWcNjNwUw)
Ikarus Trojan.Win32.Delf
Fortinet Riskware/Delf
AVG Win32:AdwareX-gen [Adw]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_60% (W)