popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

hola.exe

Malicious Library UPX PNG Format PE File OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 March 29, 2024, 9:31 a.m. March 29, 2024, 9:39 a.m.
Size 6.2MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 7b91d2784eaef8f79e4d60c1c1145d8b
SHA256 4f76cd6ec7222833969dcad5f71ab7cbddfd3714bc9adda334413c66c2826209
CRC32 B3109D8E
ssdeep 98304:zuwg7O8YO6xtedsiMV6oaNIwkmTFfYURRHbry7/bGaas3RW1PfR/yxkBfPy8Sh:ARdsiAkJQi/y7yzs3RWVfJyxafp
PDB Path C:\Build\JenkinsHome\jobs\desktop_apps_ng\workspace\build\loader\Release\loader.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
pdb_path C:\Build\JenkinsHome\jobs\desktop_apps_ng\workspace\build\loader\Release\loader.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
resource name ASSETS
resource name GIQ
resource name TYPELIB
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00403000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x733d2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 73728
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b21000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\mr3660875\loader.exe
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2752
thread_handle: 0x00000134
process_identifier: 2748
current_directory:
filepath:
track: 1
command_line: C:\Windows\SysWOW64\netsh.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000138
1 1 0
Bkav W32.AIDetectMalware
Kaspersky UDS:DangerousObject.Multi.Generic
Gridinsoft Malware.Win32.Gen.tr
Microsoft Trojan:Win32/Casdet!rfn
ZoneAlarm UDS:DangerousObject.Multi.Generic
VBA32 BScope.Trojan.Penguish
section {u'size_of_data': u'0x00281800', u'virtual_address': u'0x00095000', u'entropy': 7.8466040524623555, u'name': u'.rsrc', u'virtual_size': u'0x0028175c'} entropy 7.84660405246 description A section with a high entropy has been found
entropy 0.808061722563 description Overall entropy of this PE file is high
cmdline C:\Windows\SysWOW64\netsh.exe
file C:\Users\test22\AppData\Local\Temp\mr3660875\loader.exe:Zone.Identifier