Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 19, 2024, 1:57 p.m.	Aug. 19, 2024, 1:59 p.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e2f7f7f6f81f4b39cc106356db4b8770`
SHA256	`abd5b6b36f5f55bf71e2c97d23b97dcb69cf964da5d2c447be26b976faac1b7d`
CRC32	`78E9A371`
ssdeep	`24576:ovSPtxCmmswEfwIJPzXu87b0ZX0cCNeSp9U/0ToEOwogllNAdJXrk1w8sLf3f4PD:ochjwiwku7Z8U/JS/NWhk1w8sL4PD`
Yara	Malicious_Library_Zero - Malicious_Library Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature DllRegisterServer_Zero - execute regsvr32.exe IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

POS_C161.exe "C:\Users\test22\AppData\Local\Temp\POS_C161.exe"
1664

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 19, 2024, 1:57 p.m.	stacktrace: pos_c161+0xab5cf @ 0x4ab5cf pos_c161+0xc5e8f @ 0x4c5e8f pos_c161+0xc5fa7 @ 0x4c5fa7 pos_c161+0xc91eb @ 0x4c91eb pos_c161+0x15c85d @ 0x55c85d pos_c161+0x6edf3 @ 0x46edf3 pos_c161+0x56e8f @ 0x456e8f pos_c161+0x59ddc @ 0x459ddc pos_c161+0x97bc1 @ 0x497bc1 pos_c161+0x59930 @ 0x459930 pos_c161+0x5999b @ 0x45999b pos_c161+0x59ddc @ 0x459ddc pos_c161+0x97bc1 @ 0x497bc1 pos_c161+0x559b8 @ 0x4559b8 pos_c161+0x15cf6c @ 0x55cf6c BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636848 registers.edi: 1637176 registers.eax: 1636848 registers.ebp: 1636928 registers.edx: 0 registers.ebx: 5005156 registers.esi: 5018096 registers.ecx: 7	1	0	0
__exception__ Aug. 19, 2024, 1:57 p.m.	stacktrace: pos_c161+0xc5ed6 @ 0x4c5ed6 pos_c161+0xc5fa7 @ 0x4c5fa7 pos_c161+0xc91eb @ 0x4c91eb pos_c161+0x15c85d @ 0x55c85d pos_c161+0x6edf3 @ 0x46edf3 pos_c161+0x56e8f @ 0x456e8f pos_c161+0x59ddc @ 0x459ddc pos_c161+0x97bc1 @ 0x497bc1 pos_c161+0x59930 @ 0x459930 pos_c161+0x5999b @ 0x45999b pos_c161+0x59ddc @ 0x459ddc pos_c161+0x97bc1 @ 0x497bc1 pos_c161+0x559b8 @ 0x4559b8 pos_c161+0x15cf6c @ 0x55cf6c BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636908 registers.edi: 1637028 registers.eax: 1636908 registers.ebp: 1636988 registers.edx: 0 registers.ebx: 5004958 registers.esi: 0 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 19, 2024, 1:57 p.m.

stacktrace:

pos_c161+0xab5cf @ 0x4ab5cf
pos_c161+0xc5e8f @ 0x4c5e8f
pos_c161+0xc5fa7 @ 0x4c5fa7
pos_c161+0xc91eb @ 0x4c91eb
pos_c161+0x15c85d @ 0x55c85d
pos_c161+0x6edf3 @ 0x46edf3
pos_c161+0x56e8f @ 0x456e8f
pos_c161+0x59ddc @ 0x459ddc
pos_c161+0x97bc1 @ 0x497bc1
pos_c161+0x59930 @ 0x459930
pos_c161+0x5999b @ 0x45999b
pos_c161+0x59ddc @ 0x459ddc
pos_c161+0x97bc1 @ 0x497bc1
pos_c161+0x559b8 @ 0x4559b8
pos_c161+0x15cf6c @ 0x55cf6c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1636848
registers.edi: 1637176
registers.eax: 1636848
registers.ebp: 1636928
registers.edx: 0
registers.ebx: 5005156
registers.esi: 5018096
registers.ecx: 7

__exception__

Aug. 19, 2024, 1:57 p.m.

stacktrace:

pos_c161+0xc5ed6 @ 0x4c5ed6
pos_c161+0xc5fa7 @ 0x4c5fa7
pos_c161+0xc91eb @ 0x4c91eb
pos_c161+0x15c85d @ 0x55c85d
pos_c161+0x6edf3 @ 0x46edf3
pos_c161+0x56e8f @ 0x456e8f
pos_c161+0x59ddc @ 0x459ddc
pos_c161+0x97bc1 @ 0x497bc1
pos_c161+0x59930 @ 0x459930
pos_c161+0x5999b @ 0x45999b
pos_c161+0x59ddc @ 0x459ddc
pos_c161+0x97bc1 @ 0x497bc1
pos_c161+0x559b8 @ 0x4559b8
pos_c161+0x15cf6c @ 0x55cf6c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1636908
registers.edi: 1637028
registers.eax: 1636908
registers.ebp: 1636988
registers.edx: 0
registers.ebx: 5004958
registers.esi: 0
registers.ecx: 7

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 19, 2024, 1:57 p.m.	process_identifier: 1664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (3 events)

name

RT_ICON

language

LANG_CHINESE

filetype

dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 49, next used block 48059

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00183ca8

size

0x000002e8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019afcc

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0019afe0

size

0x00000274

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

VIPRE	Gen:Variant.Midie.150934
BitDefender	Gen:Variant.Midie.150934
Cybereason	malicious.6f81f4
Arcabit	Trojan.Generic.D4615001
MicroWorld-eScan	Gen:Variant.Midie.150934
Emsisoft	Gen:Variant.Midie.150934 (B)
Trapmine	malicious.moderate.ml.score
FireEye	Gen:Variant.Midie.150934
MAX	malware (ai score=82)
GData	Gen:Variant.Midie.150934
CrowdStrike	win/malicious_confidence_60% (W)

POS_C161.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All