Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 19, 2024, 2:02 p.m.	Aug. 19, 2024, 2:45 p.m.

Size	2.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`81ebdfd489183d94dc5b77c6e29a9876`
SHA256	`f3472e78ba72d0e383115f2ddedc40464c1bfb34cb0544b1b291c53f561ee29d`
CRC32	`B27DB832`
ssdeep	`49152:TnIET2wic782sPDgAFjjdjjA/YiY0Y0Y0Y0YI:TIOV3IgAFjjdjjA/YiY0Y0Y0Y0YI`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature DllRegisterServer_Zero - execute regsvr32.exe IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

POS_C014.exe "C:\Users\test22\AppData\Local\Temp\POS_C014.exe"
1664

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 19, 2024, 2:02 p.m.	stacktrace: pos_c014+0x15187c @ 0x55187c pos_c014+0x1517ca @ 0x5517ca pos_c014+0x15178b @ 0x55178b pos_c014+0x161e7d @ 0x561e7d pos_c014+0x165abf @ 0x565abf pos_c014+0x165dd5 @ 0x565dd5 pos_c014+0x165f86 @ 0x565f86 pos_c014+0x164dc8 @ 0x564dc8 pos_c014+0x165004 @ 0x565004 pos_c014+0x1650e4 @ 0x5650e4 pos_c014+0x1678e1 @ 0x5678e1 pos_c014+0x167784 @ 0x567784 pos_c014+0x168b47 @ 0x568b47 pos_c014+0x6a94b @ 0x46a94b pos_c014+0x529e7 @ 0x4529e7 pos_c014+0x55934 @ 0x455934 pos_c014+0x141c41 @ 0x541c41 pos_c014+0x55488 @ 0x455488 pos_c014+0x554f3 @ 0x4554f3 pos_c014+0x55934 @ 0x455934 pos_c014+0x141c41 @ 0x541c41 pos_c014+0x51510 @ 0x451510 pos_c014+0x1698c4 @ 0x5698c4 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1636380 registers.edi: 1636568 registers.eax: 1636380 registers.ebp: 1636460 registers.edx: 0 registers.ebx: 5578708 registers.esi: 10061 registers.ecx: 7	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 19, 2024, 2:02 p.m.

stacktrace:

pos_c014+0x15187c @ 0x55187c
pos_c014+0x1517ca @ 0x5517ca
pos_c014+0x15178b @ 0x55178b
pos_c014+0x161e7d @ 0x561e7d
pos_c014+0x165abf @ 0x565abf
pos_c014+0x165dd5 @ 0x565dd5
pos_c014+0x165f86 @ 0x565f86
pos_c014+0x164dc8 @ 0x564dc8
pos_c014+0x165004 @ 0x565004
pos_c014+0x1650e4 @ 0x5650e4
pos_c014+0x1678e1 @ 0x5678e1
pos_c014+0x167784 @ 0x567784
pos_c014+0x168b47 @ 0x568b47
pos_c014+0x6a94b @ 0x46a94b
pos_c014+0x529e7 @ 0x4529e7
pos_c014+0x55934 @ 0x455934
pos_c014+0x141c41 @ 0x541c41
pos_c014+0x55488 @ 0x455488
pos_c014+0x554f3 @ 0x4554f3
pos_c014+0x55934 @ 0x455934
pos_c014+0x141c41 @ 0x541c41
pos_c014+0x51510 @ 0x451510
pos_c014+0x1698c4 @ 0x5698c4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1636380
registers.edi: 1636568
registers.eax: 1636380
registers.ebp: 1636460
registers.edx: 0
registers.ebx: 5578708
registers.esi: 10061
registers.ecx: 7

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 19, 2024, 2:02 p.m.	process_identifier: 1664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (3 events)

name

RT_ICON

language

LANG_CHINESE

filetype

dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1717962257, next used block 12022528

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001963a4

size

0x000002e8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00221db4

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00221dc8

size

0x00000274

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Bkav	W32.AIDetectMalware
Kingsoft	malware.kb.a.873
TrendMicro-HouseCall	TROJ_GEN.R002V01K623

POS_C014.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All