Summary | ZeroBOX

TMS_C024.exe

Tags: Malicious Library, UPX, MZP Format, PE File, dll, PE32, DllRegisterServer
Category FILE
Machine s1_win7_x6403_us
Started Aug. 19, 2024, 1:57 p.m.
Completed Aug. 19, 2024, 3:40 p.m.
Size 2.5MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b8df4ec39884a6248d88482299a55744
SHA256 e0be0617c7760b88ed5bf00e0b4931c8f11ce8fca34edc36b460f9ba1640031d
CRC32 292EC160
ssdeep 49152:smorAiZlgFBlnPJOjRHPmXPDKAFjjdjjA/YiY0Y0Y0Y0YI:smocfnlP2uKAFjjdjjA/YiY0Y0Y0Y0YI
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • DllRegisterServer_Zero - execute regsvr32.exe
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format

Domains (Name, Response, Post-Analysis Lookup)
No hosts contacted.

IP Addresses (IP Address, Status, Action)
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft

The CODE/DATA/BSS section names and the BobSoft Mini Delphi packer signature agree with the mzp_file_format (Delphi) Yara hit. Stock UPX names its sections UPX0/UPX1 (plus .rsrc), and none of those appear in the section list, so the UPX_Zero Yara match is not corroborated by the section table; confirm it on the file before assuming a UPX layer on top of the Delphi binary.
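To cross-check the UPX and MZP Yara hits against the file itself, the following Python is an added example (my code, not ZeroBOX's, and not the logic of its Yara rules) that parses a PE section table and reports stock UPX section names, the Delphi CODE/DATA/BSS trio, and the Borland "MZP" DOS stub. What UPX_Zero and mzp_file_format actually match on is not shown on the page; the MZP stub test is my assumption of what the latter keys on. The `build_pe` helper constructs a synthetic minimal PE header so the example runs offline; point `section_names` at real file bytes for actual use.

```python
import struct

# Stock UPX section names; a packer that renames them will slip past this check, which is why
# the result is "corroborated or not", never "packed or not".
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
DELPHI_SECTIONS = {b"CODE", b"DATA", b"BSS"}


def section_names(pe: bytes) -> list:
    """Return the section names from a PE image's section table (NUL padding stripped)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    names = []
    for i in range(nsections):
        name = struct.unpack_from("8s", pe, table + 40 * i)[0]   # each IMAGE_SECTION_HEADER is 40 bytes
        names.append(name.rstrip(b"\0"))
    return names


def triage(pe: bytes) -> dict:
    """Facts a sandbox's UPX / MZP Yara hits can be checked against."""
    names = section_names(pe)
    return {
        "mzp_stub": pe[:3] == b"MZP",                      # Borland/Delphi DOS stub (assumed basis of mzp_file_format)
        "delphi_sections": DELPHI_SECTIONS <= set(names),
        "upx_sections": bool(UPX_SECTION_NAMES & set(names)),
        "sections": [n.decode("latin-1") for n in names],
    }


def build_pe(section_names_in: list, stub: bytes = b"MZP") -> bytes:
    """Constructed minimal PE: 64-byte DOS header, PE signature, COFF header, no optional header, N section headers."""
    dos = bytearray(64)
    dos[:len(stub)] = stub
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names_in), 0, 0, 0, 0, 0x0102)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, 0, 0, 0, 0, 0, 0, 0, 0, 0) for n in section_names_in)
    return bytes(dos) + b"PE\0\0" + coff + secs


if __name__ == "__main__":
    delphi_like = build_pe([b"CODE", b"DATA", b"BSS", b".idata", b".rsrc"])
    upx_like = build_pe([b"UPX0", b"UPX1", b".rsrc"], stub=b"MZ")
    print(triage(delphi_like))
    print(triage(upx_like))
```

A Delphi layout with the MZP stub and no UPX0/UPX1 sections, as the report's section list shows, leaves the UPX hit uncorroborated; a result with `upx_sections` true would mean the Yara match reflects a real UPX layer.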
Time & API Arguments Status Return Repeated

__exception__

stacktrace (innermost frame first; for every tms_c024 frame, address minus offset gives the image base 0x400000, and the final kernel32/ntdll frames are the thread start):
tms_c024+0x1b8c34 @ 0x5b8c34
tms_c024+0x1b8b82 @ 0x5b8b82
tms_c024+0x1b8b43 @ 0x5b8b43
tms_c024+0x1c9235 @ 0x5c9235
tms_c024+0x1cce77 @ 0x5cce77
tms_c024+0x1cd18d @ 0x5cd18d
tms_c024+0x1cd33e @ 0x5cd33e
tms_c024+0x1cc180 @ 0x5cc180
tms_c024+0x1cc3bc @ 0x5cc3bc
tms_c024+0x1cc49c @ 0x5cc49c
tms_c024+0x1cec99 @ 0x5cec99
tms_c024+0x1cf875 @ 0x5cf875
tms_c024+0x1d2120 @ 0x5d2120
tms_c024+0x7213b @ 0x47213b
tms_c024+0x5a1b7 @ 0x45a1b7
tms_c024+0x5d104 @ 0x45d104
tms_c024+0x59f87 @ 0x459f87
tms_c024+0x5cc58 @ 0x45cc58
tms_c024+0x5ccc3 @ 0x45ccc3
tms_c024+0x5d104 @ 0x45d104
tms_c024+0x59f87 @ 0x459f87
tms_c024+0x58cb0 @ 0x458cb0
tms_c024+0x1d3d0c @ 0x5d3d0c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade (0x0EEDFADE, the code the Delphi RTL passes to RaiseException for a language-level exception; this is a software exception raised by the sample's own runtime, not a CPU fault such as an access violation)
exception.offset: 46887 (0xb727 into KERNELBASE.dll, matching the symbol line; address minus offset gives the module base 0x75590000)
exception.address: 0x7559b727
registers.esp: 1636164
registers.edi: 1636352
registers.eax: 1636164
registers.ebp: 1636244
registers.edx: 0
registers.ebx: 6001548
registers.esi: 10061
registers.ecx: 7
Status 1 Return 0 Repeated 0
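The two checks worth automating on a record like this are whether the stack trace is internally consistent (every frame of a module must imply the same load base) and what the exception code means. The Python below is an added example (mine, not ZeroBOX code) that does both over an excerpt of the trace above; the `KNOWN_CODES` table is a small selection of Windows NTSTATUS values plus the Delphi and MSVC vendor codes, and the frame line format is inferred from the report text.

```python
import re

# Frame lines look like "tms_c024+0x1b8c34 @ 0x5b8c34". The kernel32/ntdll lines carry extra
# nearest-symbol decoration before the module+offset part, so the pattern is searched, not anchored.
FRAME = re.compile(r"(?P<module>[A-Za-z0-9_.]+)\+0x(?P<off>[0-9a-fA-F]+) @ 0x(?P<addr>[0-9a-fA-F]+)$")

# Exception codes a triage script should recognise (NTSTATUS values plus two vendor codes).
KNOWN_CODES = {
    0x0EEDFADE: "Delphi/C++Builder language exception raised through RaiseException",
    0xE06D7363: "MSVC C++ exception",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0x80000003: "STATUS_BREAKPOINT",
    0x80000004: "STATUS_SINGLE_STEP",
}


def parse_frames(stacktrace: str) -> list:
    """Return (module, offset, absolute address) for every frame line."""
    frames = []
    for line in stacktrace.splitlines():
        m = FRAME.search(line.strip())
        if m:
            frames.append((m["module"], int(m["off"], 16), int(m["addr"], 16)))
    return frames


def image_bases(frames: list) -> dict:
    """Implied load base per module (address minus offset). More than one base for a module means the trace is inconsistent."""
    bases = {}
    for module, off, addr in frames:
        bases.setdefault(module, set()).add(addr - off)
    return bases


def module_base(address: int, offset: int) -> int:
    """Same arithmetic for the exception record's own address/offset pair."""
    return address - offset


def classify_exception(code: int) -> str:
    return KNOWN_CODES.get(code, "unrecognised exception code 0x%08x" % code)


# Excerpt of the stack trace from the record above: the first three frames, the return into the
# low part of the image, the outermost image frame, and the two thread-start frames.
STACKTRACE = """\
tms_c024+0x1b8c34 @ 0x5b8c34
tms_c024+0x1b8b82 @ 0x5b8b82
tms_c024+0x1b8b43 @ 0x5b8b43
tms_c024+0x7213b @ 0x47213b
tms_c024+0x1d3d0c @ 0x5d3d0c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
"""


def summarise(stacktrace: str, code: int, exc_address: int, exc_offset: int) -> dict:
    frames = parse_frames(stacktrace)
    bases = image_bases(frames)
    return {
        "frames": len(frames),
        "consistent": all(len(b) == 1 for b in bases.values()),
        "bases": {m: sorted(b) for m, b in bases.items()},
        "exception": classify_exception(code),
        "faulting_module_base": module_base(exc_address, exc_offset),
    }


if __name__ == "__main__":
    print(summarise(STACKTRACE, 0x0EEDFADE, 0x7559b727, 46887))
```

On this trace every tms_c024 frame resolves to 0x400000 and the kernel32 and ntdll frames to 64 KiB-aligned bases, which is what a clean, unforged trace looks like; a module with two implied bases would point at a corrupted stack or a relocated image.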
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 800
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff (the NtCurrentProcess pseudo-handle, so the page is committed in the sample's own address space)
Status 1 Return 0 Repeated 0

One 4 KiB page committed writable and executable in the sample's own process is worth flagging, but on its own it is a weak signal; the size of the region and whether it is later written and executed are what separate staging of unpacked code from an incidental allocation.
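The protection and allocation-type values in these records are raw Win32 constants, and a triage script should decode them and rank the allocations rather than grep for "64". The Python below is an added example (mine, not ZeroBOX code) that decodes the flags and flags writable-plus-executable commits, distinguishing the sample's own process from a remote handle. The first record mirrors the entry above; the other three are constructed here as contrasts (a plain read-write buffer, a reserve-only RWX region, and an RWX commit through a foreign process handle), and the handle value 0x1a4 is made up.

```python
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
ALLOC_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
NT_CURRENT_PROCESS = 0xFFFFFFFF   # (HANDLE)-1 as logged on a 32-bit guest


def decode_protection(value: int) -> str:
    """The low byte is exactly one PAGE_* value; the modifier bits stack on top of it."""
    base = PAGE_PROTECT.get(value & 0xFF, "0x%02x" % (value & 0xFF))
    return "|".join([base] + [n for bit, n in PAGE_MODIFIERS.items() if value & bit])


def decode_alloc_type(value: int) -> str:
    names = [n for bit, n in ALLOC_TYPES.items() if value & bit]
    return "|".join(names) if names else "0x%x" % value


def classify_alloc(call: dict):
    """Return a finding for an NtAllocateVirtualMemory record that commits W+X memory, else None."""
    if call["api"] != "NtAllocateVirtualMemory":
        return None
    a = call["arguments"]
    prot = a["protection"] & 0xFF
    if prot not in EXECUTABLE or prot not in WRITABLE:
        return None
    if not (a["allocation_type"] & 0x1000):
        return None                                   # reserve-only: nothing is backed yet
    if a["process_handle"] == NT_CURRENT_PROCESS:
        where = "own process"
    else:
        where = "remote process (handle 0x%x)" % a["process_handle"]   # injection candidate
    return "pid %d committed %d bytes %s at 0x%08x in %s" % (
        a["process_identifier"], a["region_size"], decode_protection(a["protection"]), a["base_address"], where)


def triage_calls(calls: list) -> dict:
    """Findings plus total RWX bytes per pid, so one 4 KiB page reads differently from a multi-megabyte unpacking buffer."""
    findings, rwx_bytes = [], {}
    for c in calls:
        f = classify_alloc(c)
        if f:
            findings.append(f)
            pid = c["arguments"]["process_identifier"]
            rwx_bytes[pid] = rwx_bytes.get(pid, 0) + c["arguments"]["region_size"]
    return {"findings": findings, "rwx_bytes_by_pid": rwx_bytes}


# Constructed records in the shape of the ZeroBOX call log; only the first mirrors the report entry.
CALLS = [
    {"api": "NtAllocateVirtualMemory", "arguments": {"process_identifier": 800, "region_size": 4096, "protection": 0x40, "base_address": 0x006B0000, "allocation_type": 0x1000, "process_handle": 0xFFFFFFFF}},
    {"api": "NtAllocateVirtualMemory", "arguments": {"process_identifier": 800, "region_size": 0x100000, "protection": 0x04, "base_address": 0x02000000, "allocation_type": 0x3000, "process_handle": 0xFFFFFFFF}},
    {"api": "NtAllocateVirtualMemory", "arguments": {"process_identifier": 800, "region_size": 0x10000, "protection": 0x40, "base_address": 0x00C00000, "allocation_type": 0x2000, "process_handle": 0xFFFFFFFF}},
    {"api": "NtAllocateVirtualMemory", "arguments": {"process_identifier": 800, "region_size": 0x2000, "protection": 0x40, "base_address": 0x00190000, "allocation_type": 0x3000, "process_handle": 0x1A4}},
]

if __name__ == "__main__":
    for line in triage_calls(CALLS)["findings"]:
        print(line)
```

The reserve-only RWX region is deliberately not reported: until MEM_COMMIT is applied nothing is mapped, and the commit call, when it comes, will be logged separately and caught then.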
Resources (name, language, sublanguage, offset, size, libmagic filetype)
RT_ICON        LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  0x00204420  0x000002e8  dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1717962257, next used block 12022528
RT_GROUP_ICON  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  0x0028ed50  0x00000014  data
RT_VERSION     LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  0x0028ed64  0x00000274  data

The "dBase IV DBT" filetype on RT_ICON is libmagic pattern-matching the raw icon bitmap bytes and carries no meaning; the field worth noting is the resource language, Simplified Chinese on all three entries. The 20-byte RT_GROUP_ICON (6-byte header plus one 14-byte entry) describes a single icon.
Antivirus (engine, detection)
VIPRE             Gen:Variant.Midie.150929
BitDefender       Gen:Variant.Midie.150929
Cybereason        malicious.39884a
Arcabit           Trojan.Midie.D24D91
MicroWorld-eScan  Gen:Variant.Midie.150929
Emsisoft          Gen:Variant.Midie.150929 (B)
FireEye           Gen:Variant.Midie.150929
MAX               malware (ai score=83)
GData             Gen:Variant.Midie.150929

Nine engines flag the file, but the identical Gen:Variant.Midie.150929 label across VIPRE, BitDefender, MicroWorld-eScan, Emsisoft, FireEye and GData (and Arcabit's Trojan.Midie variant of it) reflects one shared detection engine rather than seven independent verdicts. Cybereason's malicious.39884a is a hash-derived label (the substring 39884a appears in the MD5 above), not a family name, so none of these detections attributes the sample to a specific family.