Summary | ZeroBOX

Taskbar.exe

Tags: Malicious Library, PE32, PE File, .NET EXE

Category: FILE
Machine: s1_win7_x6403_us
Started: June 17, 2024, 10:21 a.m.
Completed: June 17, 2024, 10:24 a.m.
Size: 633.5KB
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 0ee9a0317342d545c2bfd9e3fbd627f9
SHA256: ecc6b2506aeaac13da0562a6a5d35c802eea9c6232c49cc4583d7c5c13bbbc0f
CRC32: CEDAB04A
ssdeep: 12288:V+yk7FJmVUOsBuZXcdmpx1UfKpYXwtc5GpXvGpX:oy46Utisdm/CfZWc5GJvGJ
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)

IP Address       Status   Action
164.124.101.2    Active   Moloch
172.96.160.183   Active   Moloch

Suricata Alerts

Flow:      TCP 192.168.56.103:49161 -> 172.96.160.183:443
SID:       906200054
Signature: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category:  undefined

Note: a JA3 hash fingerprints the TLS client stack (offered cipher suites, extensions and curves), not the program driving it. A .NET assembly handshakes through the Windows TLS stack, so this abuse.ch fingerprint is shared with other .NET/Schannel clients and is weak evidence of family on its own. The indicator worth acting on here is the outbound TLS connection to 172.96.160.183:443 itself, the only non-local peer contacted over TLS in the capture.

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent   (no arguments)   0 0
IsDebuggerPresent   (no arguments)   0 0

(Return 0 means no user-mode debugger was attached when the check ran.)
Time & API Arguments Status Return Repeated

API              crypto_handle   blob_type             crypto_export_handle   flags   buffer               Status Return Repeated
CryptExportKey   0x004ad538      6 (PUBLICKEYBLOB)     0x00000000             0       <INVALID POINTER>    1      1      0
CryptExportKey   0x004ad4b8      6 (PUBLICKEYBLOB)     0x00000000             0       <INVALID POINTER>    1      1      0
CryptExportKey   0x004ad4b8      6 (PUBLICKEYBLOB)     0x00000000             0       <INVALID POINTER>    1      1      0

Note: blob_type 6 is PUBLICKEYBLOB, so these calls export RSA public keys, not private material; crypto_export_handle 0 means the blob is written unencrypted, which is the only option for a public key blob. The unreadable output buffer is consistent with the documented size-query form of the call (pbData NULL, the API returns the required length in pdwDataLen), so the three calls most likely sit alongside the TLS handshake seen in the Suricata flow rather than indicating key theft.
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx   (no arguments)   Status 1, Return 1 (TRUE), Repeated 0

(Sandboxes list this call because installed-RAM size is a common virtual-machine heuristic; analysis VMs are often configured with little memory.)

Resource name: MUI
Time & API Arguments Status Return Repeated

Memory allocations and protection changes. Fields shared by every call: process_identifier 776, process_handle 0xffffffff (NtCurrentProcess, i.e. the sample's own process), stack_dep_bypass 0, stack_pivoted 0, protection 64 (PAGE_EXECUTE_READWRITE), Status 1, Return 0 (STATUS_SUCCESS), Repeated 0.

API                       base_address   region_size/length   allocation_type       heap_dep_bypass
NtAllocateVirtualMemory   0x00580000     1966080 (0x1e0000)   8192 (MEM_RESERVE)    0
NtAllocateVirtualMemory   0x00720000     4096                 4096 (MEM_COMMIT)     1
NtProtectVirtualMemory    0x73f31000     4096                 -                     0
NtProtectVirtualMemory    0x73f32000     4096                 -                     0
NtAllocateVirtualMemory   0x01e40000     589824 (0x90000)     8192 (MEM_RESERVE)    0
NtAllocateVirtualMemory   0x01e90000     4096                 4096 (MEM_COMMIT)     1
NtAllocateVirtualMemory   0x00472000     4096                 4096 (MEM_COMMIT)     1
NtAllocateVirtualMemory   0x00775000     4096                 4096 (MEM_COMMIT)     1
NtAllocateVirtualMemory   0x0077b000     4096                 4096 (MEM_COMMIT)     1
NtAllocateVirtualMemory   0x00777000     4096                 4096 (MEM_COMMIT)     1
NtAllocateVirtualMemory   0x0071c000     4096                 4096 (MEM_COMMIT)     1
NtAllocateVirtualMemory   0x01f00000     4096                 4096 (MEM_COMMIT)     1
NtAllocateVirtualMemory   0x0076a000     4096                 4096 (MEM_COMMIT)     1
NtAllocateVirtualMemory   0x00767000     4096                 4096 (MEM_COMMIT)     1
NtAllocateVirtualMemory   0x0047a000     4096                 4096 (MEM_COMMIT)     1
NtAllocateVirtualMemory   0x00766000     4096                 4096 (MEM_COMMIT)     1
NtAllocateVirtualMemory   0x0047c000     4096                 4096 (MEM_COMMIT)     1
NtAllocateVirtualMemory   0x0076b000     4096                 4096 (MEM_COMMIT)     1
NtAllocateVirtualMemory   0x0071a000     4096                 4096 (MEM_COMMIT)     1

Note: in a .NET process the CLR's JIT compiler legitimately reserves and commits writable+executable memory for generated code, so RWX allocations by themselves are a weak indicator for a .NET EXE. Two calls stand apart from the pattern: the NtProtectVirtualMemory calls re-protect already-mapped pages at 0x73f31000 and 0x73f32000 to PAGE_EXECUTE_READWRITE instead of allocating fresh memory. Modifying existing mapped code is what to inspect first in a memory dump of this process.
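To turn the raw records above into something a triage script can reason about, here is an added example (not ZeroBOX or Cuckoo code) that decodes the numeric protection and allocation_type fields with the winnt.h constants and totals how much writable+executable memory the sample reserved, committed and re-protected. The call list is transcribed from the table; the summary logic and its field names are my own, and the meaning given to heap_dep_bypass follows the monitor's field name rather than anything the report explains.

```python
"""Decode Cuckoo-style NtAllocateVirtualMemory / NtProtectVirtualMemory records
and total the writable+executable memory they describe.
Added example, not sandbox code; REPORT_CALLS is transcribed from the report."""

# Page-protection constants from winnt.h (low byte) and their modifier bits.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
WRITABLE_EXECUTABLE = 0x40 | 0x80

# Allocation-type flags for NtAllocateVirtualMemory / VirtualAlloc.
ALLOCATION_TYPES = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
    0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES",
}


def decode_protection(value: int) -> str:
    """64 -> 'PAGE_EXECUTE_READWRITE'; 0x104 -> 'PAGE_READWRITE|PAGE_GUARD'."""
    base = PAGE_PROTECTIONS.get(value & 0xFF, f"0x{value & 0xFF:x}")
    mods = [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join([base] + mods)


def decode_allocation_type(value: int) -> str:
    """8192 -> 'MEM_RESERVE'; 0x3000 -> 'MEM_COMMIT|MEM_RESERVE'."""
    names = [name for bit, name in ALLOCATION_TYPES.items() if value & bit]
    return "|".join(names) if names else f"0x{value:x}"


def is_writable_executable(protection: int) -> bool:
    return bool(protection & WRITABLE_EXECUTABLE)


# (api, base_address, size, allocation_type or None, protection, heap_dep_bypass)
# transcribed from the report. Every call targets process 776 through the
# pseudo-handle 0xffffffff, i.e. the sample's own address space.
REPORT_CALLS = [
    ("NtAllocateVirtualMemory", 0x00580000, 1966080, 0x2000, 0x40, 0),
    ("NtAllocateVirtualMemory", 0x00720000, 4096, 0x1000, 0x40, 1),
    ("NtProtectVirtualMemory", 0x73f31000, 4096, None, 0x40, 0),
    ("NtProtectVirtualMemory", 0x73f32000, 4096, None, 0x40, 0),
    ("NtAllocateVirtualMemory", 0x01e40000, 589824, 0x2000, 0x40, 0),
] + [
    ("NtAllocateVirtualMemory", base, 4096, 0x1000, 0x40, 1)
    for base in (0x01e90000, 0x00472000, 0x00775000, 0x0077b000, 0x00777000,
                 0x0071c000, 0x01f00000, 0x0076a000, 0x00767000, 0x0047a000,
                 0x00766000, 0x0047c000, 0x0076b000, 0x0071a000)
]


def summarize_rwx(calls):
    """Totals for writable+executable memory: bytes only reserved, bytes actually
    committed, pre-existing pages re-protected, and the number of calls the
    monitor tagged heap_dep_bypass (its name suggests executable protection on
    heap memory; the report itself does not define the field)."""
    summary = {"reserved": 0, "committed": 0, "reprotected": 0, "heap_dep_bypass": 0}
    for api, _base, size, alloc_type, protection, heap_dep_bypass in calls:
        if not is_writable_executable(protection):
            continue
        if api == "NtProtectVirtualMemory":
            summary["reprotected"] += 1
        elif alloc_type & 0x1000:      # MEM_COMMIT: pages are actually backed
            summary["committed"] += size
        elif alloc_type & 0x2000:      # MEM_RESERVE: address range only
            summary["reserved"] += size
        summary["heap_dep_bypass"] += heap_dep_bypass
    return summary


if __name__ == "__main__":
    for api, base, size, alloc_type, prot, _hdb in REPORT_CALLS:
        kind = decode_allocation_type(alloc_type) if alloc_type else "reprotect"
        print(f"{api:<24} 0x{base:08x} {size:>8} {kind:<12} {decode_protection(prot)}")
    print(summarize_rwx(REPORT_CALLS))
```

Only 61440 bytes of the roughly 2.5 MB reserved RWX were ever committed in the captured window; the two re-protections of mapped pages are the entries that do not fit a JIT-style pattern and deserve the first look.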
Time & API Arguments Status Return Repeated

GetAdaptersAddresses
  flags: 1158 (0x486)
  family: 0 (AF_UNSPEC, both IPv4 and IPv6 adapters)
  Status 1, Return 0 (ERROR_SUCCESS), Repeated 0

(Enumerating adapters yields MAC addresses and DNS servers, which is a common host-fingerprinting and virtual-machine-detection step.)
Signatures

section .text: virtual_address 0x00002000, virtual_size 0x00062204, size_of_data 0x00062400, entropy 7.470113378656132 - A section with a high entropy has been found
section .rsrc: virtual_address 0x00066000, virtual_size 0x0001db18, size_of_data 0x0001dc00, entropy 7.084268804998948 - A section with a high entropy has been found
entropy 0.999024390244 - Overall entropy of this PE file is high (this figure is the fraction of raw section bytes that sit in high-entropy sections, not a bits-per-byte value; here nearly all section data is in .text and .rsrc)
description Taskbar.exe tried to sleep 2728263 seconds (about 31.6 days), actually delayed analysis time by 2728263 seconds

Note: for a .NET assembly, a .text section at 7.47 bits/byte is far above what IL and metadata normally produce and typically points to an encrypted or compressed payload embedded in the image; the high-entropy .rsrc suggests a second encrypted blob stored as a resource. Both fit the dropper/loader labels in the antivirus table below.
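The per-section and "overall" entropy lines above come from a simple calculation that is easy to reproduce offline. The following added example (not ZeroBOX or Cuckoo code) computes Shannon entropy for a byte buffer and the overall ratio the report prints. The 6.8 bits/byte per-section threshold and 20% overall ratio are assumptions modelled on Cuckoo's packer_entropy signature; the .text and .rsrc sizes and entropies are copied from the report, while the third, low-entropy 0x200-byte section is a constructed remainder chosen so the ratio reproduces the report's 0.999024390244 (the report does not name it). The text and pseudo-random sample buffers are constructed.

```python
"""Section-entropy check of the kind behind the report's
"A section with a high entropy has been found" and
"Overall entropy of this PE file is high" lines.
Added example, not ZeroBOX/Cuckoo code."""
import math
import random
from collections import Counter

# Thresholds assumed from Cuckoo's packer_entropy signature (assumption, not
# something the report states): a section is "high entropy" above 6.8 bits/byte,
# and the file is flagged when more than 20% of section bytes sit in such sections.
SECTION_ENTROPY_THRESHOLD = 6.8
OVERALL_RATIO_THRESHOLD = 0.2

# (name, size_of_raw_data, entropy). The first two rows are from the report; the
# third is a constructed low-entropy remainder that reproduces the reported ratio.
REPORT_SECTIONS = [
    (".text", 0x00062400, 7.470113378656132),
    (".rsrc", 0x0001dc00, 7.084268804998948),
    ("(assumed small section)", 0x200, 0.5),
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer,
    8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_sections(sections):
    """Names of the sections above the per-section threshold."""
    return [name for name, _, ent in sections if ent > SECTION_ENTROPY_THRESHOLD]


def high_entropy_ratio(sections) -> float:
    """Fraction of raw section bytes that live in high-entropy sections.
    This is the 'overall entropy' figure the report prints, not a bits/byte value."""
    total = sum(size for _, size, _ in sections)
    packed = sum(size for _, size, ent in sections if ent > SECTION_ENTROPY_THRESHOLD)
    return packed / total if total else 0.0


def is_likely_packed_or_encrypted(sections) -> bool:
    return high_entropy_ratio(sections) > OVERALL_RATIO_THRESHOLD


# Constructed samples: readable text versus pseudo-random bytes standing in for
# an encrypted payload. random.Random(0) keeps the result reproducible.
PLAINTEXT_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 100
RANDOM_SAMPLE = random.Random(0).randbytes(4096)


if __name__ == "__main__":
    print(f"plaintext entropy : {shannon_entropy(PLAINTEXT_SAMPLE):.3f} bits/byte")
    print(f"random entropy    : {shannon_entropy(RANDOM_SAMPLE):.3f} bits/byte")
    print("high-entropy sections:", high_entropy_sections(REPORT_SECTIONS))
    print(f"overall ratio     : {high_entropy_ratio(REPORT_SECTIONS):.12f}")
```

On a real file, replace REPORT_SECTIONS with each section's raw bytes run through shannon_entropy; the ratio then tells you how much of the image is opaque to static analysis before unpacking.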
Antivirus results (vendor, detection name)

Note: vendors disagree on family (Dapato dropper, AsyncRAT, Formbook, Wacatac, Kryptik) and many verdicts are heuristic or machine-learning labels (HEUR, AI, ML, generic.ml). Read the table as confirmation that an obfuscated MSIL dropper/loader was detected, not as a family identification.

Bkav W32.AIDetectMalware.CS
Lionic Trojan.Win32.Dapato.b!c
Elastic malicious (high confidence)
Skyhigh Artemis
ALYac Trojan.GenericKD.73118542
Cylance Unsafe
VIPRE Trojan.GenericKD.73118542
Sangfor Suspicious.Win32.Save.a
BitDefender Trojan.GenericKD.73118542
Cybereason malicious.17342d
Arcabit Trojan.Generic.D45BB34E
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Generik.LNJMSQY
APEX Malicious
McAfee Artemis!0EE9A0317342
Avast Win32:TrojanX-gen [Trj]
Kaspersky HEUR:Trojan-Dropper.MSIL.Dapato.gen
Alibaba TrojanDropper:MSIL/Dapato.38200ba6
MicroWorld-eScan Trojan.GenericKD.73118542
Rising Malware.Obfus/MSIL@AI.88 (RDM.MSIL2:qxKBaiY9rwlj5U9h9CMFGg)
Emsisoft Trojan.GenericKD.73118542 (B)
F-Secure Heuristic.HEUR/AGEN.1304460
TrendMicro Backdoor.Win32.ASYNCRAT.YXEFLZ
McAfeeD ti!ECC6B2506AEA
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.0ee9a0317342d545
Sophos Mal/Generic-S
Ikarus Trojan-Downloader.MSIL.Agent
Google Detected
Avira HEUR/AGEN.1304460
MAX malware (ai score=82)
Antiy-AVL Trojan/Win32.Wacatac
Gridinsoft Trojan.Win32.Downloader.sa
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm HEUR:Trojan-Dropper.MSIL.Dapato.gen
GData Trojan.GenericKD.73118542
Varist W32/ABRisk.FMVU-1181
AhnLab-V3 Trojan/Win.Formbook.X2183
BitDefenderTheta Gen:NN.ZemsilF.36806.Nm3@aenG6iai
DeepInstinct MALICIOUS
Malwarebytes Trojan.Downloader.MSIL.Generic
Panda Trj/Chgt.AD
TrendMicro-HouseCall Backdoor.Win32.ASYNCRAT.YXEFLZ
Tencent Msil.Trojan-Dropper.Dapato.Dwnw
SentinelOne Static AI - Malicious PE
MaxSecure Win.MxResIcn.Heur.Gen
Fortinet MSIL/Kryptik.CJZ!tr
AVG Win32:TrojanX-gen [Trj]
Paloalto generic.ml
CrowdStrike win/malicious_confidence_100% (W)