Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 18, 2024, 6:14 p.m.	June 18, 2024, 6:18 p.m.

Size	993.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f41b9a03e2cfb311197ac247e4e4416c`
SHA256	`6605ff693d31043cb623dcfce19ca65ca7584569f1e2e4fa67f551e08c8005d1`
CRC32	`99C2DEC7`
ssdeep	`24576:+XU09t8XLX8hf6VAYCG6WouT8wat52YHPT3:+EutzfsCG5h9at52KPT`
Yara	Malicious_Library_Zero - Malicious_Library ASPack_Zero - ASPack packed file PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

Aripzlzup.exe "C:\Users\test22\AppData\Local\Temp\Aripzlzup.exe"
2564

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 18, 2024, 6:14 p.m.			0	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 18, 2024, 6:14 p.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c2000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (4 events)

name

RT_RCDATA

language

LANG_CHINESE

filetype

C source, ISO-8859 text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000f3b50

size

0x00001f25

name

RT_RCDATA

language

LANG_CHINESE

filetype

C source, ISO-8859 text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000f3b50

size

0x00001f25

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000f5b10

size

0x000001f4

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000f5d04

size

0x000001e1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)

Time & API	Arguments	Status	Return	Repeated
Process32NextW June 18, 2024, 6:14 p.m.	snapshot_handle: 0x00000134 process_name: mobsync.exe process_identifier: 2284	1	1	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Lionic	Trojan.Win32.Tasker.1g!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Genericuh.dh
ALYac	Trojan.GenericKD.66112372
Cylance	Unsafe
VIPRE	Trojan.GenericKD.66112372
Sangfor	Trojan.Win32.Tasker.V9am
BitDefender	Trojan.GenericKD.66112372
Cybereason	malicious.3e2cfb
Arcabit	Trojan.Generic.D3F0CB74
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Generik.NWYRCAV
APEX	Malicious
McAfee	Artemis!F41B9A03E2CF
Avast	Win32:Malware-gen
Kaspersky	Trojan.Win32.Tasker.azcx
Alibaba	Trojan:Win32/Tasker.229d7d14
NANO-Antivirus	Trojan.Win32.Tasker.jvrfcg
MicroWorld-eScan	Trojan.GenericKD.66112372
Emsisoft	Trojan.GenericKD.66112372 (B)
F-Secure	Trojan.TR/Tasker.kofrz
McAfeeD	ti!6605FF693D31
FireEye	Generic.mg.f41b9a03e2cfb311
Sophos	Mal/Generic-S
Ikarus	Trojan.SuspectCRC
Jiangmin	AdWare.Script.gj
Google	Detected
Avira	TR/Tasker.kofrz
MAX	malware (ai score=87)
Antiy-AVL	Trojan[Spy]/Win32.Autoit
Microsoft	TrojanDownloader:Win32/CryptInject!MSR
ZoneAlarm	Trojan.Win32.Tasker.azcx
GData	Trojan.GenericKD.66112372
Varist	W32/ABRisk.MZYZ-4442
BitDefenderTheta	Gen:NN.ZexaF.36806.!u0@aWrv@Zcj
DeepInstinct	MALICIOUS
VBA32	Trojan.Script
Malwarebytes	Generic.Malware/Suspicious
Tencent	Win32.Trojan.Tasker.Sgil
MaxSecure	Trojan.Malware.204061852.susgen
Fortinet	W32/Malicious_Behavior.VEX
AVG	Win32:Malware-gen
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_100% (W)

Aripzlzup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All