Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 18, 2024, 8:03 p.m.	May 18, 2024, 8:05 p.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3aac4627c0904126c45ed250a7dee34e`
SHA256	`744eddd9b4b8158a0ae22a864deb7c5a9741d192b2dc08eeaa54133fe5c328c4`
CRC32	`A8ABB29D`
ssdeep	`24576:qH7t22yv9gVwu4w1v8QWgW2pNX0fqk27NoFo3t4aO78KLHidAp:q4jv91YV8QC2jiqkumct498KLHi`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) mzp_file_format - MZP(Delphi) file format UPX_Zero - UPX packed file

49j8t349t83495vj945jfd.exe "C:\Users\test22\AppData\Local\Temp\49j8t349t83495vj945jfd.exe"
2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 18, 2024, 8:03 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 18, 2024, 8:03 p.m.	stacktrace: 0x37ca580 0x37cb1e0 0x10b400 49j8t349t83495vj945jfd+0x4ec9f @ 0x44ec9f 49j8t349t83495vj945jfd+0x4e97f @ 0x44e97f 49j8t349t83495vj945jfd+0x55fd8 @ 0x455fd8 49j8t349t83495vj945jfd+0x657e7 @ 0x4657e7 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 88 08 eb e2 8b e5 5d c3 cc cc cc cc cc cc cc cc exception.instruction: mov byte ptr [eax], cl exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x37ca13f registers.esp: 1636056 registers.edi: 4607800 registers.eax: 0 registers.ebp: 1636064 registers.edx: 0 registers.ebx: 1668095 registers.esi: 31987640 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

May 18, 2024, 8:03 p.m.

stacktrace:

0x37ca580
0x37cb1e0
0x10b400
49j8t349t83495vj945jfd+0x4ec9f @ 0x44ec9f
49j8t349t83495vj945jfd+0x4e97f @ 0x44e97f
49j8t349t83495vj945jfd+0x55fd8 @ 0x455fd8
49j8t349t83495vj945jfd+0x657e7 @ 0x4657e7
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 88 08 eb e2 8b e5 5d c3 cc cc cc cc cc cc cc cc
exception.instruction: mov byte ptr [eax], cl
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x37ca13f
registers.esp: 1636056
registers.edi: 4607800
registers.eax: 0
registers.ebp: 1636064
registers.edx: 0
registers.ebx: 1668095
registers.esi: 31987640
registers.ecx: 0

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 18, 2024, 8:03 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2024, 8:03 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2024, 8:03 p.m.	process_identifier: 2544 region_size: 1454080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2024, 8:03 p.m.	process_identifier: 2544 region_size: 1454080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x036c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2024, 8:03 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2024, 8:03 p.m.	process_identifier: 2544 region_size: 204800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Stealc.4!c
Elastic	malicious (high confidence)
Skyhigh	BehavesLike.Win32.ObfuscatedPoly.th
Cylance	unsafe
VIPRE	Gen:Variant.Tedy.585934
Sangfor	Trojan.Win32.Save.a
BitDefender	Gen:Variant.Tedy.585934
Arcabit	Trojan.Tedy.D8F0CE
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenKryptik.GXTE
APEX	Malicious
McAfee	Artemis!3AAC4627C090
Avast	Win32:Malware-gen
Kaspersky	HEUR:Trojan.Win32.Injuke.gen
MicroWorld-eScan	Gen:Variant.Tedy.585934
Rising	Backdoor.Androm!8.113 (TFE:3:eMaZ7QYfXnK)
Emsisoft	Gen:Variant.Tedy.585934 (B)
DrWeb	Trojan.PWS.Steam.37249
FireEye	Gen:Variant.Tedy.585934
Ikarus	Backdoor.QBot
Google	Detected
MAX	malware (ai score=89)
Antiy-AVL	Trojan/Win32.Injuke
Kingsoft	Win32.PSWTroj.Undef.a
Microsoft	Trojan:Win32/StealC.ERR!MTB
ZoneAlarm	HEUR:Trojan.Win32.Injuke.gen
GData	Gen:Variant.Tedy.585934
AhnLab-V3	Trojan/Win.Stealc.C5623034
BitDefenderTheta	Gen:NN.ZelphiF.36804.6HW@aCLak9ki
DeepInstinct	MALICIOUS
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/GenKryptik.GLYS!tr
AVG	Win32:Malware-gen
Paloalto	generic.ml

49j8t349t83495vj945jfd.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All