Summary | ZeroBOX

2.exe

Tags: Generic Malware, Malicious Library, UPX, PE64, PE File, OS Processor Check, PE32
Category FILE
Machine s1_win7_x6401
Started Aug. 27, 2024, 3:08 p.m.
Completed Aug. 27, 2024, 3:20 p.m.
Size 12.0MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 31fa727012b592325d876a801c0f1f83
SHA256 fe0965800533b6d93753714bb0a1a3477aff042bdb7f30eaef5cbd330cc35fce
CRC32 689E13A2
ssdeep 196608:3fumRpHuCZ2NTHB201FsLQe5P9YYg0JblcmHGsQZkNRHEA8M2hjieL0+oFN+yCCD:PDBuCsNTHM016FPCYg0JBcGQGNxt8hTk
PDB Path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

IP Address Status Action
104.192.140.26 Active Moloch
131.153.76.130 Active Moloch
164.124.101.2 Active Moloch

pdb_path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
section .didat
resource name PNG
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
1+0x2b0a1 @ 0xcab0a1
1+0x2d90b @ 0xcad90b
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 03 51 3c 89 55 dc c7 85 b0 fe ff ff 01 00 00 00
exception.symbol: 1+0xf888
exception.instruction: add edx, dword ptr [ecx + 0x3c]
exception.module: 1.exe
exception.exception_code: 0xc0000005
exception.offset: 63624
exception.address: 0xc8f888
registers.esp: 2735896
registers.edi: 0
registers.eax: 2482225828
registers.ebp: 2746392
registers.edx: 0
registers.ebx: 2746404
registers.esi: 1
registers.ecx: 0
status: 1
return: 0
repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72dd2000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0
file C:\Users\test22\AppData\Roaming\3.exe
file C:\Users\test22\AppData\Roaming\1.exe
file C:\Users\test22\AppData\Roaming\2.exe
file C:\Users\test22\AppData\Roaming\1.exe
file C:\Users\test22\AppData\Roaming\2.exe
file C:\Users\test22\AppData\Roaming\3.exe
file C:\Users\test22\AppData\Roaming\1.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA Share
reg_value C:\Users\test22\AppData\Roaming\ServiceAmd\3.exe
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Miner.4!c
Cynet Malicious (score: 99)
McAfee Artemis!31FA727012B5
ALYac Gen:Variant.Jaik.217886
Cylance Unsafe
Sangfor Trojan.Win64.Agent.Vlxd
K7AntiVirus Trojan ( 005a508c1 )
K7GW Trojan ( 005a508c1 )
Cybereason malicious.012b59
Symantec Trojan.Gen.MBT
Elastic malicious (high confidence)
ESET-NOD32 multiple detections
Paloalto generic.ml
ClamAV Win.Packed.Bladabindi-10017056-0
MicroWorld-eScan Gen:Variant.Jaik.217886
F-Secure Trojan.TR/AVI.Lumma.qvknn
McAfeeD ti!FE0965800533
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious SFX
Webroot Trojan.Dropper.Gen
Google Detected
Avira TR/AVI.Lumma.qvknn
Antiy-AVL Trojan[Banker]/Win32.ClipBanker
Gridinsoft Trojan.Win64.CoinMiner.sa
Microsoft Trojan:Win64/XMRig!pz
Varist W32/ABRisk.KASG-6017
DeepInstinct MALICIOUS
VBA32 BScope.TrojanDownloader.Upatre
Malwarebytes Crypt.Trojan.MSIL.DDS
Ikarus Trojan.Win64.Bladabindi
huorong TrojanDropper/W64.Agent.y
Fortinet W64/GenKryptik.GIIA!tr
CrowdStrike win/malicious_confidence_90% (W)
alibabacloud Miner:Multi/XMRig.CWZB3DGW