Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 5, 2024, 10:36 a.m.	Aug. 5, 2024, 11:18 a.m.

Size	652.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`017933f498a5e5fec5429ac2a1dc3b4a`
SHA256	`e9882e6012a21213aeb9f6f4ea8d5e23e52afae6b8993a352bfc582bcc42c3fe`
CRC32	`95486799`
ssdeep	`12288:k06bh5/NxtL/fnCchqxdQ36oAT4fUrYhfRE8aK88dPVJm+CGXbu6731CJCoSe:kBbh5/Nxtrh4u36N4fUspWg3m/Glz1Cv`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

Apex.exe "C:\Users\test22\AppData\Local\Temp\Apex.exe"
912

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
42.193.241.116	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	Mxx0
section	\xd0\xc7\xd4\xc2
section	Mxx2

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 5, 2024, 10:37 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25 apex+0x63d30 @ 0x463d30 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x750d3ef4 registers.esp: 1637492 registers.edi: 0 registers.eax: 31400016 registers.ebp: 1637520 registers.edx: 1 registers.ebx: 0 registers.esi: 3363632 registers.ecx: 1946826108	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 5, 2024, 10:37 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25
apex+0x63d30 @ 0x463d30
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x750d3ef4
registers.esp: 1637492
registers.edi: 0
registers.eax: 31400016
registers.ebp: 1637520
registers.edx: 1
registers.ebx: 0
registers.esi: 3363632
registers.ecx: 1946826108

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff		3221225713	0
NtProtectVirtualMemory Aug. 5, 2024, 10:36 a.m.	process_identifier: 912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 53248 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10024000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019a058

size

0x00000240

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000a2600', u'virtual_address': u'0x000f6000', u'entropy': 7.99956125163076, u'name': u'\\xd0\\xc7\\xd4\\xc2', u'virtual_size': u'0x000a3000'}

entropy

7.99956125163

description

A section with a high entropy has been found

entropy

0.996930161167

description

Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host

42.193.241.116

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.BlackMoon.m!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.jc
ALYac	Gen:Variant.Ransom.TeslaCrypt.89
Cylance	Unsafe
VIPRE	Gen:Variant.Ransom.TeslaCrypt.89
Sangfor	Backdoor.Win32.Blackmoon.Vb4g
BitDefender	Gen:Variant.Ransom.TeslaCrypt.89
Cybereason	malicious.498a5e
Arcabit	Trojan.Ransom.TeslaCrypt.89
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.BlackMoon.A suspicious
APEX	Malicious
McAfee	Artemis!017933F498A5
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	HEUR:Backdoor.Win64.C2.gen
Alibaba	Backdoor:Win64/BlackMoon.0631cd6c
MicroWorld-eScan	Gen:Variant.Ransom.TeslaCrypt.89
Rising	Backdoor.C2!8.18C44 (CLOUD)
Emsisoft	Application.Generic (A)
F-Secure	Backdoor.BDS/Redcap.iznxb
TrendMicro	TrojanSpy.Win32.BLACKMOON.YXEHDZ
McAfeeD	Real Protect-LS!017933F498A5
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.017933f498a5e5fe
Sophos	Mal/Generic-S
Ikarus	PUA.BlackMoon
Google	Detected
Avira	BDS/Redcap.iznxb
MAX	malware (ai score=83)
Kingsoft	malware.kb.b.962
Gridinsoft	Trojan.Win32.BlackMoon.tr
Xcitium	Packed.Win32.MUPX.Gen@24tbus
Microsoft	TrojanDownloader:Win32/Upatre!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Ransom.TeslaCrypt.89
Varist	W32/Trojan.GRW.gen!Eldorado
AhnLab-V3	Win-Trojan/Malpacked5.Gen
BitDefenderTheta	Gen:NN.ZexaF.36810.OqKfaWJfh9bb
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.DiskWriter
Malwarebytes	PUP.Optional.ChinAd
TrendMicro-HouseCall	TrojanSpy.Win32.BLACKMOON.YXEHDZ
Tencent	Win64.Backdoor.C2.Vsmw
SentinelOne	Static AI - Malicious PE
MaxSecure	Dropper.Dinwod.frindll
Fortinet	Riskware/Application

Apex.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All