Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 4, 2024, 5:53 p.m.	Aug. 4, 2024, 5:55 p.m.

Size	713.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1fe2d68fc2915ff7aab045e181dbd25b`
SHA256	`1e01d091dd6a69940c30481e0236b0e250f4f5395a769f5332355f25b03549f8`
CRC32	`81B5F68F`
ssdeep	`12288:ODBkkbyTDhQldPMaP79qL2txVa/CTozh+tuZnHP:ODBkkby/hgz9WaxVa/CTozh+tuZnHP`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

Submit task v3.0.0.4.exe "C:\Users\test22\AppData\Local\Temp\Submit task v3.0.0.4.exe"
3024

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 4, 2024, 5:53 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 4, 2024, 5:53 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25 submit task v3+0x100b @ 0x40100b RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75d43ef4 registers.esp: 1637640 registers.edi: 0 registers.eax: 45281912 registers.ebp: 1637668 registers.edx: 1 registers.ebx: 0 registers.esi: 9784768 registers.ecx: 1945253588	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 4, 2024, 5:53 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25
submit task v3+0x100b @ 0x40100b
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75d43ef4
registers.esp: 1637640
registers.edi: 0
registers.eax: 45281912
registers.ebp: 1637668
registers.edx: 1
registers.ebx: 0
registers.esi: 9784768
registers.ecx: 1945253588

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 4, 2024, 5:53 p.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743d3000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (4 events)

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000af130

size

0x00005488

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b45b8

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b45cc

size

0x0000025c

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document, ASCII text, with very long lines, with no line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000b4828

size

0x000001cd

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000abc00', u'virtual_address': u'0x00003000', u'entropy': 7.029778353573038, u'name': u'.data', u'virtual_size': u'0x000abc00'}

entropy

7.02977835357

description

A section with a high entropy has been found

entropy

0.964887640449

description

Overall entropy of this PE file is high

Creates known FlyStudio files, registry keys and/or mutexes (1 event)

regkey

HKEY_CURRENT_USER\Software\FlySky\E\Install

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Flyagent.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Flyagent.bc
ALYac	Trojan.Generic.36433771
Cylance	Unsafe
VIPRE	Trojan.Generic.36433771
Sangfor	Trojan.Win32.Agent.V4xj
BitDefender	Trojan.Generic.36433771
Cybereason	malicious.fc2915
Arcabit	Trojan.Generic.D22BEF6B
APEX	Malicious
McAfee	Flyagent.d
Avast	Win32:TrojanX-gen [Trj]
Alibaba	Trojan:Win32/Flyagent.e5249a03
NANO-Antivirus	Virus.Win32.Agent.dvixmz
MicroWorld-eScan	Trojan.Generic.36433771
Emsisoft	Trojan.Generic.36433771 (B)
F-Secure	Trojan.TR/Dropper.Gen
TrendMicro	TROJ_GEN.R023C0PFH24
McAfeeD	Real Protect-LS!1FE2D68FC291
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.1fe2d68fc2915ff7
Sophos	Mal/Generic-S
Ikarus	Trojan.Crypt
Jiangmin	Trojan.Agentb.mvr
Google	Detected
Avira	TR/Dropper.Gen
Antiy-AVL	Trojan/Win32.Wacatac
Kingsoft	malware.kb.a.998
Xcitium	TrojWare.Win32.FlyStudio.~UJ@1sa9s6
Microsoft	TrojanDownloader:Win32/Upatre!ml
GData	Trojan.Generic.36433771
Varist	W32/ABRisk.JTDM-2316
BitDefenderTheta	Gen:NN.ZexaF.36810.Sq0@ayy0ycob
DeepInstinct	MALICIOUS
VBA32	Trojan.Fuerboos
Malwarebytes	Malware.AI.3957663759
TrendMicro-HouseCall	TROJ_GEN.R023C0PFH24
MAX	malware (ai score=80)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/CoinMiner.BELF!tr
AVG	Win32:TrojanX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_90% (D)
alibabacloud	Suspicious

Submit task v3.0.0.4.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All