Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 14, 2024, 10:52 a.m.	June 14, 2024, 10:54 a.m.

Size	448.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`527d1b34d5c5759d38b6496008e379b1`
SHA256	`594ccab9f478744e17a5e75de82bb8516c6a2bfa6ec7ff602044923ac8059d8a`
CRC32	`E773319B`
ssdeep	`6144:VoShfbIxkwfWt/ASuSEgSYt4AvpowKhlx+sdF3zEUv8HukmyLliiU93qJ8:yqAPWt4LmtXBKYebv0YUeqJ8`
Yara	Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer IsPE32 - (no description) UPX_Zero - UPX packed file PE_Header_Zero - PE File Signature

RFQ#ORDER-SP-24-0217891-003.docx.com "C:\Users\test22\AppData\Local\Temp\RFQ#ORDER-SP-24-0217891-003.docx.com"
3044

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
125.253.92.50	Active	Moloch
164.124.101.2	Active	Moloch

No Suricata Alerts

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 14, 2024, 10:52 a.m.		1	1	0

section

.ndata

Time & API	Arguments	Status
NtProtectVirtualMemory June 14, 2024, 10:52 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2024, 10:52 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f93000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2024, 10:52 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2024, 10:52 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10004000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2024, 10:52 a.m.	process_identifier: 3044 region_size: 79568896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

file	C:\Users\test22\AppData\Local\Temp\nso273B.tmp\System.dll

file	C:\Users\test22\AppData\Local\Temp\nso273B.tmp\System.dll

host

125.253.92.50

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Androm.m!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Dropper.gc
Cylance	unsafe
K7AntiVirus	Trojan ( 005b62ff1 )
K7GW	Trojan ( 005b62ff1 )
Symantec	Trojan.Gen.MBT
ESET-NOD32	NSIS/Injector.CQY
McAfee	Artemis!527D1B34D5C5
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Backdoor.Win32.Androm.gen
TrendMicro	Trojan.Win32.GULOADER.YXEE3Z
McAfeeD	ti!594CCAB9F478
Sophos	Mal/Generic-S
Ikarus	Trojan.NSIS.Agent
Google	Detected
Antiy-AVL	Trojan[Backdoor]/Win32.Androm.gen
Kingsoft	malware.kb.a.888
Microsoft	Trojan:Win32/GuLoader
ZoneAlarm	HEUR:Backdoor.Win32.Androm.gen
GData	Win32.Trojan.Agent.E1BU9G
Varist	W32/Agent.IYR.gen!Eldorado
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.980415415
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.GULOADER.YXEE3Z
Tencent	Win32.Backdoor.Androm.Zwhl
Fortinet	W32/CQY!tr
AVG	Win32:Evo-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (D)
alibabacloud	Trojan

RFQ#ORDER-SP-24-0217891-003.docx.com