popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

client_x86.exe

UPX Malicious Library OS Processor Check PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 12, 2023, 10:23 a.m. Oct. 12, 2023, 10:25 a.m.
Size 2.1MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2b199211ed7ddd31f0a5f0c651f44457
SHA256 b25cdf0bf1aed73a1245c5269c800bd43728c5bcce6b75b84b9b9c4cc4e75513
CRC32 FB498A6D
ssdeep 49152:nXsGREfMYgHug4kAjZ1/y8HQzz2xrvrdQeCVUrJnCW2bj1gXjRR1rU4:nXorx6tNn1gbb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
apipkg.click
A 104.194.222.123
104.194.222.123
IP Address Status Action
104.194.222.123 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
section .gfids
section Erot\x00\x00t
section .cordie
section .aloise
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00620000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fe0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76f2f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 180224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x032a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000002a8
filepath: C:\Users\test22\AppData\Roaming\Data\Keylog_2023-10-12
desired_access: 0x00100084 (FILE_READ_ATTRIBUTES|FILE_APPEND_DATA|SYNCHRONIZE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Roaming\Data\Keylog_2023-10-12
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x000000c0
process_name: pw.exe
process_identifier: 2332
1 1 0

Process32NextW

 snapshot_handle: 0x000000c0
process_name: sdclt.exe
process_identifier: 2388
1 1 0

Process32NextW

 snapshot_handle: 0x000000c0
process_name: schtasks.exe
process_identifier: 2608
1 1 0

Process32NextW

 snapshot_handle: 0x000000c0
process_name: conhost.exe
process_identifier: 2616
1 1 0
DrWeb BackDoor.Rat.457
Symantec ML.Attribute.HighConfidence
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky VHO:Trojan.Win32.Shella.gen
Sophos Generic ML PUA (PUA)
ZoneAlarm VHO:Trojan.Win32.Shella.gen
section {u'size_of_data': u'0x00035c00', u'virtual_address': u'0x001e1000', u'entropy': 7.976469614761051, u'name': u'Erot\\x00\\x00t', u'virtual_size': u'0x00035afd'} entropy 7.97646961476 description A section with a high entropy has been found
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x000000c0
process_name: conhost.exe
process_identifier: 2616
0 0

Process32NextW

 snapshot_handle: 0x000000c4
process_name: conhost.exe
process_identifier: 2616
0 0

Process32NextW

 snapshot_handle: 0x000000c8
process_name: conhost.exe
process_identifier: 2616
0 0

Process32NextW

 snapshot_handle: 0x000000cc
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x000000d0
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x000000d4
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x000000d8
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x000000dc
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x000000e0
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x000000e4
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x000000e8
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x000000ec
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x000000f0
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x000000f4
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x000000f8
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x000000fc
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x00000100
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x00000104
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x00000108
process_name: client_x86.exe
process_identifier: 2556
0 0

Process32NextW

 snapshot_handle: 0x0000010c
process_name: client_x86.exe
process_identifier: 2556
0 0
file C:\Users\test22\AppData\Roaming\webdav.exe.exe:Zone.Identifier