popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

sahost.exe

Suspicious_Script_Bin NSIS Generic Malware UPX Malicious Library PE File DLL PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 8, 2024, 11:13 a.m. Aug. 8, 2024, 11:15 a.m.
Size 355.8KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 3cd277b692b93cea6874d7879f1134d0
SHA256 e422323e3d0333b32a7dfbaf49befecd314d7e969d5848e71e07096ebc106604
CRC32 CFC5C091
ssdeep 6144:TMm4CCe7wZZRdeg+FWMqn1g0qmaV0UnuBAPm5P9LX29AS+tPoc+2fvwPsgzG:TMwSdN+FWJghmzAPmdBjW4fZwG
Yara
  • Malicious_Library_Zero - Malicious_Library
  • NSIS_Installer - Null Soft Installer
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2572
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732a2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2572
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73955000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2572
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73945000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2572
region_size: 21848064
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03ed0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nstF6E4.tmp\System.dll
file C:\Users\test22\AppData\Local\Temp\nstF6E4.tmp\LangDLL.dll
file C:\Users\test22\AppData\Local\Temp\nstF6E4.tmp\LangDLL.dll
file C:\Users\test22\AppData\Local\Temp\nstF6E4.tmp\System.dll
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Makoob.4!c
Elastic malicious (high confidence)
Skyhigh Artemis!Trojan
Cylance Unsafe
Sangfor Trojan.Win32.Injector.Vfgw
Symantec Trojan.Guloader
ESET-NOD32 NSIS/Injector.CVP
APEX Malicious
McAfee Artemis!3CD277B692B9
Kaspersky HEUR:Trojan.Win32.Makoob.gen
TrendMicro Trojan.Win32.GULOADER.YXEHGZ
McAfeeD ti!E422323E3D03
Trapmine malicious.moderate.ml.score
Sophos Troj/Inject-JPR
Google Detected
Kingsoft malware.kb.a.906
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm HEUR:Trojan.Win32.Makoob.gen
Varist W32/Injector.NDUB-5909
DeepInstinct MALICIOUS
Ikarus Trojan.NSIS.Injector
TrendMicro-HouseCall Trojan.Win32.GULOADER.YXEHGZ
Fortinet NSIS/Injector.TCN!tr
Paloalto generic.ml
CrowdStrike win/malicious_confidence_100% (W)