Summary | ZeroBOX

11.exe

Emotet Malicious Library UPX Malicious Packer PE File DLL OS Processor Check BMP Format PE32
Category Machine Started Completed
FILE s1_win7_x6401 Jan. 12, 2024, 7:55 a.m. Jan. 12, 2024, 8 a.m.
Size 7.9MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2f1d3f866fde60fc8337a92dce82e15b
SHA256 b86925369c2833010ca7b6d0f0b6711ab2c9ab6b54ab9742e56865e6217acf37
CRC32 892FC713
ssdeep 196608:+WC1nvP5zdP5zwxtqabDz+i771WCXnGmFCh1wv5fmz0S:on5d5z4Dz+iX7nFsh1+TS
Yara
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
laoqianppp.com 156.251.17.97
IP Address Status Action
156.251.17.97 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49170 -> 156.251.17.97:8000 2260003 SURICATA Applayer Protocol detection skipped Generic Protocol Command Decode
TCP 192.168.56.101:49169 -> 156.251.17.97:80 2007994 ET HUNTING Suspicious Empty User-Agent Unknown Traffic
TCP 156.251.17.97:80 -> 192.168.56.101:49169 2045860 ET HUNTING Rejetto HTTP File Sever Response A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
resource name None
request GET http://laoqianppp.com/97.bin
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2676
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x735e2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2676
region_size: 389120
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x033c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2676
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 1310720
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2676
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 282624
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10141000
process_handle: 0xffffffff
1 0 0
description NXYBankAssist.exe tried to sleep 147 seconds, actually delayed analysis time by 147 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13315059712
free_bytes_available: 13315059712
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13305987072
free_bytes_available: 13305987072
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
name RT_CURSOR language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0009af7c size 0x00000134
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0009b168 size 0x00000144
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a0134 size 0x00000034
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a0aac size 0x00000030
name RT_GROUP_CURSOR language LANG_CHINESE filetype Lotus unknown worksheet or configuration, revision 0x1 sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000a0c04 size 0x00000014
file C:\Users\Public\Videos\NXYBankAssist.exe
file C:\Users\Public\Videos\TslGame_BE.exe
file C:\Windows\System32\Ying-UnInstall.exe
file C:\Users\Public\Videos\res\TslGame_BE.exe
file C:\Users\Public\Videos\res\WDAlg.dll
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2676
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x03230000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x00000420
process_name: NXYBankAssist.exe
process_identifier: 2676
0 0
Time & API Arguments Status Return Repeated

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\97 1.0
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x000f003f
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\97 1.0
2 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x00000374
options: 0
access: 0x00020006
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\97 1.0
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020006
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\97 1.0
2 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x00000378
options: 0
access: 0x00020006
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0
process: potential process injection target explorer.exe
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Generic.4!c
Elastic malicious (moderate confidence)
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Dropper.wc
McAfee Artemis!2F1D3F866FDE
Cylance unsafe
Sangfor Trojan.Win32.Agent.V99r
K7AntiVirus Trojan ( 005176e51 )
K7GW Trojan ( 005176e51 )
Symantec ML.Attribute.HighConfidence
Avast FileRepMalware [Rat]
Kaspersky UDS:DangerousObject.Multi.Generic
NANO-Antivirus Trojan.Win32.Drop.dinehq
Rising Trojan.Generic@AI.100 (RDML:iTy7jic+F6yKT4aJH9hvzg)
DrWeb Trojan.MulDrop8.1933
Sophos Mal/Generic-S
Ikarus Trojan.Qhost
Webroot W32.Zenpak
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
Varist W32/Injector.HYBK-2100
DeepInstinct MALICIOUS
VBA32 Trojan.MulDrop
Malwarebytes Generic.Malware/Suspicious
Fortinet W32/Injector.ERQG!tr
AVG FileRepMalware [Rat]