Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 13, 2024, 3:57 p.m.	Aug. 13, 2024, 4 p.m.

Size	3.3MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`b3d8b18d332153db164df8b55c3272a4`
SHA256	`00caadb35b55b93801f0a7a113b1c4da81acc4faecdb0daa28f811ac051da0cc`
CRC32	`512C1C91`
ssdeep	`49152:cXDCFN+WmdNxa2RTPokBMyHJWGs8FaRMqu3XCqRq8stcpVk4JobxJ17IxRYbwPm7:cXDXW8bTBrHJWGs2NyqeoNE/7SRYY2`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

NursultanClient.exe "C:\Users\test22\AppData\Local\Temp\NursultanClient.exe"
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 13, 2024, 3:57 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

MinGW GCC 3.x

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 13, 2024, 3:58 p.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a SHGetDataFromIDListW+0x314 SHGetFolderPathAndSubDirW-0x2832 shell32+0x328ef @ 0x748528ef ShellExecuteExW+0x5e1 SHGetNameFromIDList-0x8629 shell32+0x22427 @ 0x74842427 SHGetMalloc+0x17e0 ShellExecuteExW-0x64 shell32+0x21de2 @ 0x74841de2 ShellExecuteExW+0xb4 SHGetNameFromIDList-0x8b56 shell32+0x21efa @ 0x74841efa ShellExecuteExW+0x42 SHGetNameFromIDList-0x8bc8 shell32+0x21e88 @ 0x74841e88 New_shell32_ShellExecuteExW@4+0x1fa New_srvcli_NetShareEnum@28-0x8f @ 0x736f5f28 ShellExecuteEx+0x5d ShellExecuteA-0x3e shell32+0x24703a @ 0x74a6703a ShellExecuteA+0x73 ShellExec_RunDLLW-0x18 shell32+0x2470eb @ 0x74a670eb nursultanclient+0x1f5f @ 0x401f5f nursultanclient+0x13da @ 0x4013da nursultanclient+0x6b1a @ 0x406b1a nursultanclient+0x1237 @ 0x401237 nursultanclient+0x12a8 @ 0x4012a8 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x73403c8c registers.esp: 2685332 registers.edi: 0 registers.eax: 1933589644 registers.ebp: 2685372 registers.edx: 0 registers.ebx: 0 registers.esi: 1933589644 registers.ecx: 10227048	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 13, 2024, 3:58 p.m.

stacktrace:

GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a
SHGetDataFromIDListW+0x314 SHGetFolderPathAndSubDirW-0x2832 shell32+0x328ef @ 0x748528ef
ShellExecuteExW+0x5e1 SHGetNameFromIDList-0x8629 shell32+0x22427 @ 0x74842427
SHGetMalloc+0x17e0 ShellExecuteExW-0x64 shell32+0x21de2 @ 0x74841de2
ShellExecuteExW+0xb4 SHGetNameFromIDList-0x8b56 shell32+0x21efa @ 0x74841efa
ShellExecuteExW+0x42 SHGetNameFromIDList-0x8bc8 shell32+0x21e88 @ 0x74841e88
New_shell32_ShellExecuteExW@4+0x1fa New_srvcli_NetShareEnum@28-0x8f @ 0x736f5f28
ShellExecuteEx+0x5d ShellExecuteA-0x3e shell32+0x24703a @ 0x74a6703a
ShellExecuteA+0x73 ShellExec_RunDLLW-0x18 shell32+0x2470eb @ 0x74a670eb
nursultanclient+0x1f5f @ 0x401f5f
nursultanclient+0x13da @ 0x4013da
nursultanclient+0x6b1a @ 0x406b1a
nursultanclient+0x1237 @ 0x401237
nursultanclient+0x12a8 @ 0x4012a8
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x73403c8c
registers.esp: 2685332
registers.edi: 0
registers.eax: 1933589644
registers.ebp: 2685372
registers.edx: 0
registers.ebx: 0
registers.esi: 1933589644
registers.ecx: 10227048

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

Bkav	W32.AIDetectMalware
Cylance	Unsafe
Kaspersky	Backdoor.MSIL.Crysan.isv
Alibaba	Backdoor:MSIL/Crysan.3f000bc0
McAfeeD	ti!00CAADB35B55
Sophos	Mal/Generic-S
Google	Detected
Kingsoft	Win32.Hack.Undef.a
ZoneAlarm	Backdoor.MSIL.Crysan.isv
Varist	W32/ABRisk.BBZM-2963
MaxSecure	Trojan.Malware.271705695.susgen
Fortinet	W32/PossibleThreat
Paloalto	generic.ml
alibabacloud	Backdoor:MSIL/Crysan.ivt

NursultanClient.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All