Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 19, 2024, 2:07 p.m.	Aug. 19, 2024, 2:55 p.m.

Size	1.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1ccf158942cdc89a6b0a2889b8448497`
SHA256	`678b1a589daa201b21e993e098e32927c190fe143a545b5d95a2f8d508285a73`
CRC32	`7BFFA687`
ssdeep	`24576:LKmQaAsIBb8/ShhGz4zxdZ9IPlRg4itiLR3+VA5uxWg5MCgym4PD:LWA+x/mHi8oR55PD`
Yara	Malicious_Library_Zero - Malicious_Library Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature DllRegisterServer_Zero - execute regsvr32.exe IsPE32 - (no description) UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

POS_C081.exe "C:\Users\test22\AppData\Local\Temp\POS_C081.exe"
2664

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 19, 2024, 2:07 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 19, 2024, 2:07 p.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 19, 2024, 2:07 p.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (3 events)

name

RT_ICON

language

LANG_CHINESE

filetype

dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 49, next used block 48059

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00178ab8

size

0x000002e8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001911a4

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x001911b8

size

0x00000274

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

ALYac	Gen:Variant.Midie.150934
VIPRE	Gen:Variant.Midie.150934
BitDefender	Gen:Variant.Midie.150934
Cybereason	malicious.942cdc
Arcabit	Trojan.Midie.D24D96
MicroWorld-eScan	Gen:Variant.Midie.150934
Emsisoft	Gen:Variant.Midie.150934 (B)
FireEye	Gen:Variant.Midie.150934
MAX	malware (ai score=87)
GData	Gen:Variant.Midie.150934

POS_C081.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All