Summary | ZeroBOX

POS_C159.exe

Tags: Malicious Library, Admin Tool (Sysinternals etc ...), UPX, MZP Format, PE File, dll, PE32, DllRegisterServer
Category: FILE
Machine: s1_win7_x6401
Started: Aug. 19, 2024, 2:08 p.m.
Completed: Aug. 19, 2024, 3:10 p.m.
Size: 2.5MB
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 3b8bb2df50ce9e36afc960a3b5bc463f
SHA256: 9f4be8a53daefae9d731557d237c3a213efbbe8412722db3f4cd99339fae057c
CRC32: 69334C7E
ssdeep: 49152:s1F448KOFqV3Du+lEmsJP70nlJPDB7AFjjdjjA/YiY0Y0Y0Y0YI:sL44FUqfIJP7GB7AFjjdjjA/YiY0Y0Ys
Yara
  • Malicious_Library_Zero - Malicious_Library
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • PE_Header_Zero - PE File Signature
  • DllRegisterServer_Zero - execute regsvr32.exe
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format

Name | Response | Post-Analysis Lookup
No hosts contacted.

IP Address | Status | Action
164.124.101.2 | Active | Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Sections: CODE, DATA, BSS
Packer: BobSoft Mini Delphi -> BoB / BobSoft
Time & API | Arguments | Status | Return | Repeated

__exception__

stacktrace:

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 1636316
registers.edi: 1636504
registers.eax: 1636316
registers.ebp: 1636396
registers.edx: 0
registers.ebx: 5969952
registers.esi: 10061
registers.ecx: 7
Status: 1 | Return: 0 | Repeated: 0
Time & API | Arguments | Status | Return | Repeated

NtAllocateVirtualMemory

process_identifier: 2644
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1 | Return: 0 | Repeated: 0

NtProtectVirtualMemory

process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73662000
process_handle: 0xffffffff
Status: 1 | Return: 0 | Repeated: 0
Resources

name: RT_ICON
language: LANG_CHINESE
sublanguage: SUBLANG_CHINESE_SIMPLIFIED
filetype: dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 49, next used block 48059
offset: 0x001fc424
size: 0x000002e8

name: RT_GROUP_ICON
language: LANG_CHINESE
sublanguage: SUBLANG_CHINESE_SIMPLIFIED
filetype: data
offset: 0x00291f98
size: 0x00000014

name: RT_VERSION
language: LANG_CHINESE
sublanguage: SUBLANG_CHINESE_SIMPLIFIED
filetype: data
offset: 0x00291fac
size: 0x00000274
Antivirus | Detection
ALYac | Gen:Variant.Strictor.291372
VIPRE | Gen:Variant.Strictor.291372
BitDefender | Gen:Variant.Strictor.291372
Cybereason | malicious.f50ce9
Arcabit | Trojan.Strictor.D4722C
MicroWorld-eScan | Gen:Variant.Strictor.291372
Emsisoft | Gen:Variant.Strictor.291372 (B)
FireEye | Gen:Variant.Strictor.291372
MAX | malware (ai score=89)
GData | Gen:Variant.Strictor.291372