Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 6, 2024, 9:09 a.m.	Aug. 6, 2024, 9:18 a.m.

Size	456.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9c35f1315cb51f68e401d53196daaf8b`
SHA256	`6064ef6e5e2d1c432491f675e551844c1b99da343c76f5b34c19a8d940b129e6`
CRC32	`7182BF7F`
ssdeep	`6144:2uWP/BtSnurUylcrGYlnIttxv8HbcLgsd1Gus5psdrvV44dixP+MHDkBYdxtG9+w:2uWP/BZUyoLu8Agsmxwrvejkd2`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

555.exe "C:\Users\test22\AppData\Local\Temp\555.exe"
2548
certreq.exe "C:\Windows\system32\certreq.exe"
2736

Name	Response	Post-Analysis Lookup
amx155.xyz

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 6, 2024, 9:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 6, 2024, 9:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 6, 2024, 9:09 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 6, 2024, 9:09 a.m.	computer_name: TEST22-PC	1	1

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 6, 2024, 9:02 a.m.	stacktrace: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x76d80895 stacktrace+0x84 memdup-0x1af @ 0x73980470 hook_in_monitor+0x45 lde-0x133 @ 0x739742ea New_ntdll_RtlAddVectoredExceptionHandler+0x20 New_ntdll_RtlCompressBuffer-0xed @ 0x73996340 0x920ee 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 0x1 exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29 exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 exception.address: 0x76d80895 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 329877 registers.r14: 0 registers.r15: 0 registers.rcx: 2290760 registers.rsi: 20 registers.r10: 0 registers.rbx: 1 registers.rsp: 2292784 registers.r11: 596580 registers.r8: 64 registers.r9: 4280918016 registers.rdx: 2292104 registers.r12: 599640 registers.rbp: 4280918016 registers.rdi: 4280619024 registers.rax: 2290440 registers.r13: 591256	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 6, 2024, 9:09 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 53248 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 9:09 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4141056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020dd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 9:09 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f70000 process_handle: 0xffffffff	1

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM Win32_Processor

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 6, 2024, 9:09 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 28672 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003b0000 process_handle: 0xffffffff	1	0	0

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Detects Avast Antivirus through the presence of a library (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetDllHandle Aug. 6, 2024, 9:09 a.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0
LdrGetDllHandle Aug. 6, 2024, 9:09 a.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0		3221225781	0

File has been identified by 66 AntiVirus engines on VirusTotal as malicious (50 out of 66 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Mansabo.4!c
Elastic	Windows.Trojan.Rhadamanthys
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.MansaboIH.S31490228
Skyhigh	GenericRXWG-VG!9C35F1315CB5
ALYac	Gen:Variant.Zusy.477514
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.477514
Sangfor	Trojan.Win32.Mansabo.Vng5
K7AntiVirus	Trojan ( 005a8ce81 )
BitDefender	Gen:Variant.Zusy.477514
K7GW	Trojan ( 005a8ce81 )
Cybereason	malicious.15cb51
Arcabit	Trojan.Zusy.D7494A
VirIT	Trojan.Win32.Genus.SDD
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Kryptik.HTRB
APEX	Malicious
McAfee	GenericRXWG-VG!9C35F1315CB5
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Packed.Mansabo-10009936-0
Kaspersky	Trojan.Win32.Mansabo.hqj
Alibaba	Trojan:Win32/Mansabo.e1dbc27a
NANO-Antivirus	Trojan.Win32.Mansabo.jxjfbc
MicroWorld-eScan	Gen:Variant.Zusy.477514
Rising	Trojan.Kryptik!8.8 (TFE:5:D7OYBgVIcJE)
Emsisoft	Gen:Variant.Zusy.477514 (B)
F-Secure	Heuristic.HEUR/AGEN.1376008
DrWeb	Trojan.Packed2.45463
Zillya	Trojan.Mansabo.Win32.2384
TrendMicro	TrojanSpy.Win32.RHADAMANTHYS.YXEHFZ
McAfeeD	ti!6064EF6E5E2D
Trapmine	suspicious.low.ml.score
FireEye	Generic.mg.9c35f1315cb51f68
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Jiangmin	Trojan.Mansabo.cjo
Webroot	W32.Trojan.Gen
Google	Detected
Avira	HEUR/AGEN.1376008
MAX	malware (ai score=81)
Antiy-AVL	Trojan/Win32.Kryptik
Kingsoft	malware.kb.a.975
Gridinsoft	Malware.Win32.Gen.tr
Microsoft	Trojan:Win32/Mansabo.MY!MTB
ViRobot	Trojan.Win.Z.Mansabo.466944.TBF
ZoneAlarm	Trojan.Win32.Mansabo.hqj
GData	Gen:Variant.Zusy.477514
Varist	W32/Kryptik.KPI.gen!Eldorado

555.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All