Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.23 03:09
66eef0ca0fb35_lfdsa.exe
09.23 02:09
easyfirewall.exe
09.23 02:09
Name.exe
09.23 11:09
wcxoplwq.exe
09.23 11:09
66f00f515201d_otr.exe#...
09.23 11:09
Journal.exe
09.23 11:09
PI No.1070034483.exe
09.23 11:09
66f011901da27_crypted....
09.23 11:09
66f063cce5470_crypted....
09.23 11:09
notebyx.exe

Latest News
09.23 04:09
코넷, KB Pay와 제휴… 숏폼 콘텐츠...
09.23 03:09
금융권 사이버 침해위협 분석대회, ‘FI...
09.23 03:09
Biden, Modi Announce P...
09.23 03:09
대한패들서프프로협회, 몽골서 SUP 패들...
09.23 03:09
워터픽, ‘올해의 브랜드 대상’ 5년 연...
09.23 03:09
KISA, 19개국 침해사고대응팀에 대한...
09.23 03:09
Chinese Hackers Exploi...
09.23 03:09
(주)코믹시티, ‘출근길’ 2024년 독...
09.23 03:09
SDG그룹, 미얀마에 총괄법인 'KORE...
09.23 03:09
유원제이피씨, 태양광 관리 솔루션과 실시...

Summary | ZeroBOX

haspdinst_8_31+(2).exe

Gen1 Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File OS Processor Check PE32 CAB DLL

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 3, 2024, 10:17 p.m.	June 3, 2024, 10:18 p.m.

Size	25.3MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`235623c73f1d0283860da85f75d41500`
SHA256	`1718be91005a0440dcb9502da39318295db19fede34d2528ddc4f0b4d5485cbd`
CRC32	`E6C3B2B0`
ssdeep	`786432:9NcVQMBtzAwI+pKvU6J5NUoPfb/Jrbp+N2dUbEqqX4d2O:9jMBVDpQxJ5NUoPj/JPRCExO`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description) Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

haspdinst_8_31+(2).exe "C:\Users\test22\AppData\Local\Temp\haspdinst_8_31+(2).exe"
3012

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 3, 2024, 10:17 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 3, 2024, 10:17 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 3, 2024, 10:17 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741b2000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 3, 2024, 10:17 p.m.	process_identifier: 3012 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74233000 process_handle: 0xffffffff	1	0	0

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW June 3, 2024, 10:17 p.m.	total_number_of_free_bytes: 9098153984 free_bytes_available: 9098153984 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\haspds_windows.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\haspds_windows.dll

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

APEX	Malicious
Trapmine	suspicious.low.ml.score