Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 17, 2024, 9:21 a.m.	June 17, 2024, 9:25 a.m.

Size	849.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a0c8b9f6054a0700915a3df02d3d07ee`
SHA256	`1079681f1afa4959cb06f3d4a3725783331a490bbef656af5277f8bac1485e43`
CRC32	`350A9B0E`
ssdeep	`12288:YnvuQF4Xdc6p/wsKujhT4VN9kdpZVfc2yyHKbeAFNTLTBG1pq4:YvBadcElVGQV1yyH+eKTJ`
Yara	Malicious_Library_Zero - Malicious_Library Network_Downloader - File Downloader DllRegisterServer_Zero - execute regsvr32.exe PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

ClientCaller.exe "C:\Users\test22\AppData\Local\Temp\ClientCaller.exe"
2564

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 17, 2024, 9:21 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 17, 2024, 9:21 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 17, 2024, 9:21 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (14 events)

name

RT_BITMAP

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3860

size

0x000000e8

name

RT_BITMAP

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3860

size

0x000000e8

name

RT_BITMAP

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3860

size

0x000000e8

name

RT_BITMAP

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3860

size

0x000000e8

name

RT_BITMAP

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3860

size

0x000000e8

name

RT_BITMAP

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3860

size

0x000000e8

name

RT_BITMAP

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3860

size

0x000000e8

name

RT_BITMAP

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3860

size

0x000000e8

name

RT_BITMAP

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3860

size

0x000000e8

name

RT_BITMAP

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3860

size

0x000000e8

name

RT_BITMAP

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3860

size

0x000000e8

name

RT_ICON

language

LANG_CHINESE

filetype

dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 49, next used block 48059

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000d3948

size

0x000002e8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000daa00

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000daa14

size

0x00000258

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.BadFile.ch
ALYac	Gen:Variant.Fragtor.375017
VIPRE	Gen:Variant.Fragtor.375017
Sangfor	Trojan.Win32.Fragtor.Vnqu
BitDefender	Gen:Variant.Fragtor.375017
Cybereason	malicious.6054a0
Arcabit	Trojan.Fragtor.D5B8E9
VirIT	Trojan.Win32.Banker7.JIC
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
McAfee	Artemis!A0C8B9F6054A
Avast	Win32:Malware-gen
MicroWorld-eScan	Gen:Variant.Fragtor.375017
Rising	Trojan.Win32.Generic.17BD11D1 (C64:YzY0OrUm6CvyD1mN)
Emsisoft	Gen:Variant.Fragtor.375017 (B)
F-Secure	Trojan.TR/Spy.Banker.Gen
McAfeeD	ti!1079681F1AFA
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.a0c8b9f6054a0700
Ikarus	Trojan.Spy.Banker
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Spy.Banker.Gen
Kingsoft	malware.kb.a.887
GData	Gen:Variant.Fragtor.375017
BitDefenderTheta	Gen:NN.ZelphiF.36806.1G0@amNhKWnb
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:Malware-gen
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_70% (D)
alibabacloud	Trojan[spy]:Win/Fragtor.Gen

ClientCaller.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All