Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.21 02:09
l6E.exe
09.20 01:09
setup.exe
09.20 11:09
3uTools.exe
09.20 11:09
66ecb4573225b_vsbhfdg1...
09.20 10:09
66ecb452ba19c_sfbdsgfd...
09.20 10:09
66ecb44c35444_vfdhsgdf...
09.20 10:09
66ec0e61998bf_setup30.exe
09.20 10:09
66ebf725efe38_lyla.exe
09.20 10:09
Desktop_Explorer.exe
09.20 10:09
66ec3528901bb_winupdat...

Latest News
09.21 03:09
Fixing an Elgato HD60 ...
09.21 02:09
Google Faces EU Ultima...
09.21 02:09
This New Video Game Is...
09.21 02:09
FTC finds social media...
09.21 02:09
FTC finds social media...
09.21 01:09
Automate detection and...
09.21 01:09
Hackaday Podcast Episo...
09.21 01:09
The Russian Bot Army T...
09.21 01:09
Australia’s Labor Part...
09.21 12:09
Inviting the Public to...

Summary | ZeroBOX

sahost.exe

Suspicious_Script_Bin NSIS Malicious Library UPX PE File DLL PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 9, 2024, 7:46 a.m.	Aug. 9, 2024, 7:48 a.m.

Size	346.9KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`3470b26b4f683b2c79794d5a71b5d681`
SHA256	`79c5102316d9d99b55f51c53550a99b9ccef58f7386d79601a314029625c87aa`
CRC32	`EF759885`
ssdeep	`6144:0Mm4CCe7fZXJPg3h/tZfbbFNKU7IUqIO/P8XbCo/32TIKaWEPgHT02ED1sgMo:0Mwd2Vpb5pyEXbb/m5t0WI`
Yara	Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

sahost.exe "C:\Users\test22\AppData\Local\Temp\sahost.exe"
1700

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 9, 2024, 7:46 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 9, 2024, 7:46 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741c5000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 9, 2024, 7:46 a.m.	process_identifier: 1700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe5000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 9, 2024, 7:46 a.m.	process_identifier: 1700 region_size: 27406336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03a30000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\nssC7FF.tmp\LangDLL.dll
file	C:\Users\test22\AppData\Local\Temp\nssC7FF.tmp\System.dll

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\nssC7FF.tmp\LangDLL.dll
file	C:\Users\test22\AppData\Local\Temp\nssC7FF.tmp\System.dll