Summary | ZeroBOX

POS_C093.exe

Tags: Malicious Library, Downloader, UPX, MZP Format, PE File, dll, OS Processor Check, PE32, DllRegisterServer
Category: FILE
Machine: s1_win7_x6401
Started: Aug. 19, 2024, 2:14 p.m.
Completed: Aug. 19, 2024, 3:19 p.m.
Size 2.2MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d13c1ebc4923c0603b836f74330b78de
SHA256 9aaf9af2fc9c531bae300bcad8eb6539ffb987b9471d72ab93f39c95cdf43154
CRC32 324A22E1
ssdeep 24576:2WxRVwM76WDYveZSv9OoiPmYCDf5uK2HXpbiG9aN0F/Xaewsr1mU5H6KDtvkyDCy:RJtXzuOHJ9FDr1+KDtSM3PD
Yara
  • Malicious_Library_Zero - Malicious_Library
  • Network_Downloader - File Downloader
  • PE_Header_Zero - PE File Signature
  • DllRegisterServer_Zero - execute regsvr32.exe
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format
  • OS_Processor_Check_Zero - OS Processor Check

Domains (Name / Response / Post-Analysis Lookup)
No hosts contacted.
Hosts (IP Address / Status / Action)
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Sections: CODE, DATA, BSS
Packer: BobSoft Mini Delphi -> BoB / BobSoft
Time & API / Arguments / Status / Return / Repeated

__exception__

stacktrace:
pos_c093+0x1520fc @ 0x5520fc
pos_c093+0x15204a @ 0x55204a
pos_c093+0x15200b @ 0x55200b
pos_c093+0x162ef9 @ 0x562ef9
pos_c093+0x166b43 @ 0x566b43
pos_c093+0x166e59 @ 0x566e59
pos_c093+0x166ff4 @ 0x566ff4
pos_c093+0x165e69 @ 0x565e69
pos_c093+0x1660a8 @ 0x5660a8
pos_c093+0x166188 @ 0x566188
pos_c093+0x168c61 @ 0x568c61
pos_c093+0x168af8 @ 0x568af8
pos_c093+0x1f0d47 @ 0x5f0d47
pos_c093+0x6a00f @ 0x46a00f
pos_c093+0x520cb @ 0x4520cb
pos_c093+0x55018 @ 0x455018
pos_c093+0x51e9b @ 0x451e9b
pos_c093+0x54b6c @ 0x454b6c
pos_c093+0x54bd7 @ 0x454bd7
pos_c093+0x55018 @ 0x455018
pos_c093+0x51e9b @ 0x451e9b
pos_c093+0x50bf4 @ 0x450bf4
pos_c093+0x1f194c @ 0x5f194c
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 1636316
registers.edi: 1636504
registers.eax: 1636316
registers.ebp: 1636396
registers.edx: 0
registers.ebx: 5581564
registers.esi: 10061
registers.ecx: 7
Status: 1, Return: 0, Repeated: 0

Time & API / Arguments / Status / Return / Repeated

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00770000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73662000
process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0
Resources (name / language / sublanguage / filetype / offset / size)
  • RT_ICON: language LANG_CHINESE, sublanguage SUBLANG_CHINESE_SIMPLIFIED, filetype "dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 49, next used block 48059", offset 0x00225bd8, size 0x000002e8
  • RT_GROUP_ICON: language LANG_CHINESE, sublanguage SUBLANG_CHINESE_SIMPLIFIED, filetype data, offset 0x0023fe04, size 0x00000014
  • RT_VERSION: language LANG_CHINESE, sublanguage SUBLANG_CHINESE_SIMPLIFIED, filetype data, offset 0x0023fe18, size 0x00000274
Antivirus
  • Bkav: W32.AIDetectMalware
  • APEX: Malicious
  • MaxSecure: Trojan.Malware.300983.susgen
  • CrowdStrike: win/malicious_confidence_70% (W)