Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 17, 2024, 9:21 a.m.	June 17, 2024, 9:23 a.m.

Size	847.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`b90b8f1b397bcaeb8ead207d5d9af8e4`
SHA256	`7b04123c12624c5861df853aebebc1261279624b1ddd28ce6e8585ab61669421`
CRC32	`C120326C`
ssdeep	`12288:SSSL5qBOqq+k3IFZYE/5wGL4sE+J5Pk9+7hykPcl1X/wDl4d6P0:S1VqEIkIwwpm9+1yOcl9S4d`
Yara	Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader DllRegisterServer_Zero - execute regsvr32.exe PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

ClientCaller.exe "C:\Users\test22\AppData\Local\Temp\ClientCaller.exe"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 17, 2024, 9:21 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 17, 2024, 9:21 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 17, 2024, 9:21 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (3 events)

name

RT_ICON

language

LANG_CHINESE

filetype

dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 49, next used block 48059

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3948

size

0x000002e8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000da9b8

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000da9cc

size

0x00000258

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Worm.ch
ALYac	Gen:Variant.Fragtor.375017
Cylance	Unsafe
VIPRE	Gen:Variant.Fragtor.375017
Sangfor	Trojan.Win32.Agent.Vjrn
BitDefender	Gen:Variant.Fragtor.375017
Cybereason	malicious.b397bc
Arcabit	Trojan.Fragtor.D5B8E9
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
McAfee	Artemis!B90B8F1B397B
Avast	Win32:MalwareX-gen [Trj]
MicroWorld-eScan	Gen:Variant.Fragtor.375017
Rising	Trojan.Generic@AI.85 (RDMK:cmRtazoLjQ37ilTzT+yJtNLNQXln)
Emsisoft	Gen:Variant.Fragtor.375017 (B)
F-Secure	Trojan.TR/Spy.Banker.Gen
McAfeeD	ti!7B04123C1262
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.b90b8f1b397bcaeb
Sophos	Mal/Generic-S
Ikarus	Trojan.Spy.Banker
Google	Detected
Avira	TR/Spy.Banker.Gen
MAX	malware (ai score=83)
Antiy-AVL	Trojan/Win32.PossibleThreat
GData	Gen:Variant.Fragtor.375017
BitDefenderTheta	Gen:NN.ZelphiF.36806.0G0@auybkleb
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
Panda	Trj/Chgt.AD
SentinelOne	Static AI - Suspicious PE
MaxSecure	Win.MxResIcn.Heur.Gen
Fortinet	W32/PossibleThreat
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (W)
alibabacloud	Trojan[spy]:Win/Fragtor.Gen

ClientCaller.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All