Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 4, 2024, 4:34 p.m.	Feb. 4, 2024, 4:36 p.m.

Size	6.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`95e59305ad61119cf15ee95562bd05ba`
SHA256	`dd87f94c961b9612bbd65761bee6ed15318d63652f262e2c425bd177a2341a19`
CRC32	`5326C0C1`
ssdeep	`98304:luEqDCBNZBMoC5QnwpByzJYdahsJSktiFB3nCh3UUcRvbL6wXKhVEHsRMYC+dR/o:lwC7MRpY1Y3JKFVCh36L6vIpYC+dl4l`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file

osminogs.exe "C:\Users\test22\AppData\Local\Temp\osminogs.exe"
2540

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.ptt\xc5\x92\xc3\x96
section	.\xc3\x98\xc3\xb5[\xe2\x80

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TYPELIB

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 4, 2024, 4:34 p.m.	stacktrace: 0x39000c osminogs+0x51954 @ 0xa61954 osminogs+0x17c63 @ 0xa27c63 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 83 46 08 ff 75 23 53 57 8d 7e 04 c7 46 0c 00 00 exception.instruction: add dword ptr [esi + 8], -1 exception.exception_code: 0xc0000005 exception.symbol: RtlLeaveCriticalSection+0x9 RtlEnterCriticalSection-0x37 exception.address: 0x2aa2279 registers.esp: 3667708 registers.edi: 3735568 registers.eax: 39 registers.ebp: 3667712 registers.edx: 44704368 registers.ebx: 3667760 registers.esi: 10894816 registers.ecx: 0	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (7 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 4, 2024, 4:34 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00230000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 4, 2024, 4:34 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00240000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 4, 2024, 4:34 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00250000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 4, 2024, 4:34 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00260000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 4, 2024, 4:34 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 4, 2024, 4:34 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00380000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 4, 2024, 4:34 p.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00390000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x005cae00', u'virtual_address': u'0x00560000', u'entropy': 7.990208851252749, u'name': u'.\\xc3\\x98\\xc3\\xb5[\\xe2\\x80', u'virtual_size': u'0x005cad90'}

entropy

7.99020885125

description

A section with a high entropy has been found

entropy

0.969199346405

description

Overall entropy of this PE file is high

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Lumma.i!c
Cynet	Malicious (score: 100)
Skyhigh	Artemis!Trojan
Cylance	unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.da9609
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/GenCBL.EFG
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	UDS:DangerousObject.Multi.Generic
Rising	Trojan.Generic@AI.95 (RDML:UL5dLiIY7jSgNIvOFEUZ6w)
BitDefenderTheta	Gen:NN.ZexaF.36744.@R1@ayxmrOei
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.95e59305ad61119c
Sophos	Mal/Generic-S
Ikarus	Trojan.SuspectCRC
Google	Detected
Gridinsoft	Trojan.Heur!.00210201
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
McAfee	Artemis!95E59305AD61
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

osminogs.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All