Summary | ZeroBOX

tbbhts.exe

UPX PE32 PE File
Category FILE
Machine s1_win7_x6403_us
Started Dec. 11, 2023, 7:16 p.m.
Completed Dec. 11, 2023, 7:22 p.m.
Size 314.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e1095986637973f78a0a8f38f18b4190
SHA256 0d0f108017bef0df57db065e7316acc7bcba737f8f40c3bd5fabdd840ab0c68e
CRC32 9DAC90A0
ssdeep 6144:dMWXmnOQ0cC+S2tg6f+3P4y5I0ePKp6Qa4ZqIRB7IrEIPvxqj:dMgEkz+3O6fMP4a7QK3FRBcrEIPpqj
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

DNS (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP Address (Status / Action)
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .nsp0
section .nsp1
section .nsp2
packer NsPacK V3.7 -> LiuXingPing (the .nsp0/.nsp1/.nsp2 section names are NsPack's; UPX's default section names are UPX0/UPX1, so the UPX_Zero Yara hit above is not corroborated by the section table)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
tbbhts+0x1187 @ 0x401187
tbbhts+0x1055 @ 0x401055
tbbhts+0x1c8b0 @ 0x41c8b0
tbbhts+0x11f05 @ 0x411f05

exception.instruction_r: f3 a4 5f 5e c3 90 90 90 90 90 90 90 90 90 90 90
exception.symbol: tbbhts+0x1104c
exception.instruction: rep movsb byte ptr es:[edi], byte ptr [esi] (the leading f3 byte is the REP prefix the report's disassembly omits; the following 5f 5e c3 are pop edi / pop esi / ret, the tail of a memcpy-style copy routine)
exception.module: tbbhts.exe
exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION)
exception.offset: 69708 (0x1104c, relative to the 0x400000 image base)
exception.address: 0x41104c
registers.esp: 1637256 (0x18fb88)
registers.edi: 3226648 (0x313c18, copy destination, a low user-mode address)
registers.eax: 3226640 (0x313c10)
registers.ebp: 1637576 (0x18fcc8)
registers.edx: 2
registers.ebx: 4208144 (0x403610)
registers.esi: 2150710272 (0x80313c00, copy source; bit 31 is set, which puts it outside the 2 GB user-mode range of a 32-bit process that is not large-address-aware, and its low 31 bits lie 0x18 bytes below EDI)
registers.ecx: 2 (bytes left to copy)
Status 1 Return 0 Repeated 0
NtAllocateVirtualMemory

process_identifier: 184
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (0x40, PAGE_EXECUTE_READWRITE)
base_address: 0x00600000
allocation_type: 4096 (0x1000, MEM_COMMIT)
process_handle: 0xffffffff (the NtCurrentProcess pseudo-handle, i.e. the sample commits an RWX page in its own address space, the usual footprint of an unpacker staging code)
Status 1 Return 0 Repeated 0
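Added example, not code from ZeroBOX or from the sample: a Python triage of the two behaviour events above, the __exception__ record and the RWX NtAllocateVirtualMemory commit. The record dicts are constructed to mirror the flattened key/value listing on this page (a real report.json may nest the same fields differently); the 0x80000000 user-space boundary assumes a 32-bit image that is not large-address-aware, which the page does not state either way.

```python
# Added example (not ZeroBOX/Cuckoo code): triage of the two behaviour events on
# this page. The record shapes below are constructed to mirror the flattened
# key/value listing above; a real report.json may nest the same fields differently.

PAGE_EXECUTE_READWRITE = 0x40      # the "protection: 64" value above
MEM_COMMIT = 0x1000                # the "allocation_type: 4096" value above
CURRENT_PROCESS = 0xFFFFFFFF       # NtCurrentProcess() pseudo-handle (-1)
STATUS_ACCESS_VIOLATION = 0xC0000005
# Assumption: default 2 GB user/kernel split, i.e. a 32-bit image that is not
# /LARGEADDRESSAWARE (the page does not show the image's Characteristics flags).
USER_SPACE_LIMIT = 0x80000000
REP_STRING_OPS = {0xA4: "movsb", 0xA5: "movsd", 0xAA: "stosb", 0xAB: "stosd"}

CALLS = [  # constructed sample records mirroring the page
    {"api": "__exception__", "arguments": {
        "exception": {"instruction_r": "f3 a4 5f 5e c3 90 90 90 90 90 90 90 90 90 90 90",
                      "instruction": "movsb byte ptr es:[edi], byte ptr [esi]",
                      "module": "tbbhts.exe", "exception_code": "0xc0000005",
                      "offset": 69708, "address": "0x41104c"},
        "registers": {"esp": 1637256, "edi": 3226648, "eax": 3226640, "ebp": 1637576,
                      "edx": 2, "ebx": 4208144, "esi": 2150710272, "ecx": 2}}},
    {"api": "NtAllocateVirtualMemory", "arguments": {
        "process_identifier": 184, "region_size": 4096, "protection": 64,
        "base_address": "0x00600000", "allocation_type": 4096,
        "process_handle": "0xffffffff"}},
]


def _int(v):
    """Report values arrive as ints, decimal strings or 0x-strings; normalise to int."""
    return v if isinstance(v, int) else int(str(v), 0)


def flag_rwx_self_commits(calls):
    """Return (base, size) for every PAGE_EXECUTE_READWRITE commit made into the
    calling process itself: the classic footprint of an unpacker staging code."""
    hits = []
    for call in calls:
        if call.get("api") != "NtAllocateVirtualMemory":
            continue
        a = call["arguments"]
        prot = _int(a["protection"]) & 0xFF          # strip PAGE_GUARD / PAGE_NOCACHE modifiers
        if (prot == PAGE_EXECUTE_READWRITE
                and _int(a["allocation_type"]) & MEM_COMMIT
                and _int(a["process_handle"]) == CURRENT_PROCESS):
            hits.append((_int(a["base_address"]), _int(a["region_size"])))
    return hits


def triage_exception(call):
    """Decode an __exception__ record: turn the decimal registers into ints usable
    as addresses, recover the REP prefix the report's disassembly dropped, and
    check the string-op pointers against the user-mode address range."""
    a = call["arguments"]
    ex = a["exception"]
    regs = {k: _int(v) for k, v in a["registers"].items()}
    code = _int(ex["exception_code"])
    addr, off = _int(ex["address"]), _int(ex["offset"])
    raw = bytes.fromhex(ex["instruction_r"].replace(" ", ""))
    mnemonic = ex["instruction"].split()[0]
    if len(raw) > 1 and raw[0] == 0xF3 and raw[1] in REP_STRING_OPS:
        mnemonic = "rep " + REP_STRING_OPS[raw[1]]   # f3 a4 -> rep movsb
    return {
        "status": "STATUS_ACCESS_VIOLATION" if code == STATUS_ACCESS_VIOLATION else hex(code),
        "fault_ip": addr,
        "image_base": addr - off,            # exception.offset is relative to the module base
        "mnemonic": mnemonic,
        "src": regs["esi"],                  # ESI/EDI/ECX are the operands of the string op
        "dst": regs["edi"],
        "bytes_remaining": regs["ecx"],
        "src_in_user_space": regs["esi"] < USER_SPACE_LIMIT,
        "dst_in_user_space": regs["edi"] < USER_SPACE_LIMIT,
    }


if __name__ == "__main__":
    t = triage_exception(CALLS[0])
    print(f"{t['status']} at {t['fault_ip']:#x} ({t['mnemonic']}), image base {t['image_base']:#x}")
    print(f"  src {t['src']:#x} user-space={t['src_in_user_space']}, "
          f"dst {t['dst']:#x}, {t['bytes_remaining']} bytes left")
    for base, size in flag_rwx_self_commits(CALLS):
        print(f"RWX commit in own process: {base:#x} size {size:#x}")
```

Run against the constructed records this reports the fault as a rep movsb at 0x41104c in an image based at 0x400000, with a source pointer (0x80313c00) outside the user-mode range and a destination (0x313c18) inside it, plus one RWX self-commit at 0x600000. Pointing flag_rwx_self_commits at the full call list of a real report, rather than these two records, is the intended use.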
Resources (all LANG_CHINESE / SUBLANG_CHINESE_SIMPLIFIED; "entries" counts identical rows in the report's listing)
name entries filetype offset size
RT_CURSOR 4 empty 0x000c83d8 0x000000b4
RT_MENU 2 empty 0x000c8498 0x00000284
RT_STRING 11 empty 0x000c8fd8 0x00000024
RT_GROUP_CURSOR 3 empty 0x000c9024 0x00000022
RT_VERSION 1 data 0x000ca5c0 0x000001fc
section .nsp1: virtual_address 0x000ca000, virtual_size 0x0004f000, size_of_data 0x0004e499, entropy 7.9237; description: A section with a high entropy has been found
entropy 1.0 description Overall entropy of this PE file is high
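Added example, not ZeroBOX code: how a per-section entropy finding like the one above is produced, Shannon entropy over each entry of a PE section table parsed with the standard library only. The PE image and its section contents are constructed inside the block (the .nsp1 stand-in only borrows the size_of_data reported above); the 7.0 cutoff is an assumed triage threshold, not a value taken from the report.

```python
# Added example (not ZeroBOX/Cuckoo code): per-section Shannon entropy of a PE,
# parsed with only the standard library. The PE image used below is constructed
# in build_fake_pe(); the .nsp1 stand-in mirrors the size_of_data reported above.
import math
import os
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0   # assumption: common triage cutoff, not a value from the report


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 when all 256 values are equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob):
    """Return [(name, raw_bytes)] for each entry of the PE section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size             # 4-byte signature + 20-byte COFF header
    out = []
    for i in range(nsections):                   # 40-byte IMAGE_SECTION_HEADER entries
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8s4I", blob, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), blob[raw_ptr:raw_ptr + raw_size]))
    return out


def section_entropy_report(blob, threshold=PACKED_THRESHOLD):
    """Return ([(name, entropy)], share of raw file bytes living in sections above threshold)."""
    secs = pe_sections(blob)
    rows = [(name, round(shannon_entropy(raw), 4)) for name, raw in secs]
    total = sum(len(raw) for _, raw in secs)
    high = sum(len(raw) for (_, raw), (_, e) in zip(secs, rows) if e > threshold)
    return rows, (high / total if total else 0.0)


def build_fake_pe(sections):
    """Constructed minimal PE32 image (DOS stub, COFF header, blank optional header,
    section table, raw data) that is just enough for pe_sections() to parse."""
    opt_size, e_lfanew = 224, 0x40
    header_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_off = (header_end + 0x1FF) & ~0x1FF      # 512-byte file alignment
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, body, off = b"", b"", raw_off
    for name, raw in sections:
        table += struct.pack("<8s6I2HI", name.encode(), len(raw), 0, len(raw), off,
                             0, 0, 0, 0, 0x60000020)
        body += raw
        off += len(raw)
    blob = dos + b"PE\0\0" + coff + b"\x00" * opt_size + table
    return blob.ljust(raw_off, b"\x00") + body


SAMPLE_SECTIONS = [                               # constructed stand-ins
    (".nsp0", b"\x00" * 4096),                   # empty stub section
    (".nsp1", os.urandom(0x4E499)),              # "packed" payload, same size as the report's .nsp1
    (".rsrc", b"Hello, world. " * 300),          # plain text, low entropy
]
SAMPLE_PE = build_fake_pe(SAMPLE_SECTIONS)

if __name__ == "__main__":
    rows, share = section_entropy_report(SAMPLE_PE)
    for name, e in rows:
        print(f"{name:8s} entropy {e:.4f}{'  <- high' if e > PACKED_THRESHOLD else ''}")
    print(f"share of file data in high-entropy sections: {share:.3f}")
```

For a real file, read it into bytes and pass it to section_entropy_report(); the random-bytes stand-in lands near 8.0 just as the report's .nsp1 does at 7.92, while the zero-filled and text sections stay far below the cutoff. The 'share' value is this example's own measure of how much of the file sits in high-entropy sections, not a reproduction of the report's "entropy 1.0" score.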
Antivirus
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.FlyStudio.4!c
tehtris Generic.Malware
MicroWorld-eScan Trojan.GenericKD.70703934
FireEye Generic.mg.e1095986637973f7
Skyhigh BehavesLike.Win32.Generic.fc
Malwarebytes Trojan.MalPack.NSPack
VIPRE Trojan.GenericKD.70703934
Sangfor Suspicious.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Malware:Win32/km_2833d1.None
K7GW Trojan ( 005257651 )
K7AntiVirus Trojan ( 005257651 )
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/TrojanDownloader.FlyStudio.ED
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.70703934
Avast Win32:Malware-gen
Emsisoft Trojan.GenericKD.70703934 (B)
Trapmine malicious.high.ml.score
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
MAX malware (ai score=87)
Webroot W32.Backdoor.Hupigon
Google Detected
Varist W32/Downloader.AT.gen!Eldorado
Antiy-AVL Trojan/Win32.FlyStudio.a
Kingsoft Win32.Troj.Unknown.a
Microsoft Trojan:Win32/Znyonm
Gridinsoft Malware.Win32.Gen.bot!se22135
Xcitium TrojWare.Win32.Trojan.NSPM.~gen@20n73t
Arcabit Trojan.Generic.D436DB3E
ViRobot Trojan.Win.Z.Flystudio.321689
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Trojan.GenericKD.70703934
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.R626697
BitDefenderTheta Gen:NN.ZexaF.36608.tmKdaSXoJilb
ALYac Trojan.GenericKD.70703934
VBA32 BScope.Trojan.Emotet
Cylance unsafe
Panda Trj/Chgt.AD
Zoner Probably Heur.ExeHeaderP
TrendMicro-HouseCall TROJ_GEN.R002H0CL723
Rising Downloader.FlyStudio!8.5E9 (CLOUD)
Yandex Trojan.GenAsa!TQopmUoUkJU
MaxSecure Trojan.Malware.1728101.susgen
Fortinet W32/IRCBot.DU!tr