Summary | ZeroBOX

IMG1202400210015.vbs

Tags: UPX, Malicious Library, MZP Format, PE32, PE File
(The submitted sample is plain text, so the UPX, MZP Format, PE32 and PE File tags cannot describe the VBS itself; they can only refer to PE content associated with the run, such as the x.exe dropped to %TEMP% below.)

Category: FILE
Machine: s1_win7_x6402
Started: Oct. 16, 2024, 3:37 p.m.
Completed: Oct. 16, 2024, 3:40 p.m.

Size: 1.9MB
Type: ASCII text, with very long lines, with CRLF line terminators
MD5: f8dc85f113c802a5e8d7da5cf5da5aa2
SHA256: 23646cdad8463fbe392252631abda70b5281b3f4b449aed5c0b2f5cbc9a36989
CRC32: A4BDA794
ssdeep: 24576:h5lnPpBajS+rP4i79op+dWOp64CcItmkBxsadV0pqfJykm4SrpFaMNkNl+p1BmlD:h8J7U+dYTxsnqaCN3xw8tQ4nWy
Yara: None matched

IP Address Status Action
104.192.140.25 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow: TCP 192.168.56.102:49164 -> 104.192.140.25:443
SID: 906200054
Signature: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category: undefined (as reported)

A JA3 hash fingerprints the TLS client implementation, and the family name is whatever SSLBL attached to that hash in its blocklist; the same client stack is shared across unrelated malware families, so "Tofsee" is weak evidence of family on its own. Nothing else on this page points to Tofsee: the antivirus labels at the bottom name GuLoader, AgentTesla and Remcos instead.

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

__exception__

stacktrace:
0x368768a
0x36876bd
0x36875d8
0x367e498
0x3692577
0x369c358
DriverCallback+0x4e waveOutOpen-0xa2e winmm+0x3af0 @ 0x73973af0
timeEndPeriod+0x54a timeKillEvent-0x57 winmm+0xa535 @ 0x7397a535
timeEndPeriod+0x449 timeKillEvent-0x158 winmm+0xa434 @ 0x7397a434
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 560520548
registers.edi: 1
registers.eax: 560520548
registers.ebp: 560520628
registers.edx: 0
registers.ebx: 560522352
registers.esi: 559396592
registers.ecx: 7
1 0 0

Reading this record: 0x0EEDFADE is the exception code that Delphi and C++Builder runtimes pass to RaiseException for a language-level exception, so this is the executable raising one of its own exceptions through KERNELBASE!RaiseException, not a fault. The six topmost frames carry no module or symbol; all six addresses fall inside 0x03671000-0x0369d000, the 180224-byte region that this process sets to PAGE_EXECUTE_READ (see the NtProtectVirtualMemory record at 0x03671000 below), so the exception was raised by code running from memory that is not backed by a loaded image. Beneath them the stack passes through winmm (DriverCallback, an internal routine near timeEndPeriod) on a thread entered via BaseThreadInitThunk, which is consistent with that code running from a winmm callback thread rather than the main thread.
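To make the frame-to-region observation above reproducible, here is an added example (not ZeroBOX code) that parses the stack trace in the layout this report prints and labels each unsymbolised frame with the memory region, taken from this page's successful NtProtectVirtualMemory/NtAllocateVirtualMemory records, that contains it. REGIONS and STACK are copied from this page; the regular expression and all function names are this example's own.

```python
"""Added example (not ZeroBOX code): map each frame of the exception stack
trace on this page to either its module/symbol or, for frames with no
module, to a memory region whose protection this process changed.
REGIONS and STACK are copied from this page's records; only successful
NtProtectVirtualMemory/NtAllocateVirtualMemory calls are listed."""
import re

# (base, length, protection) from the successful memory-protection records on this page.
REGIONS = [
    (0x742f2000, 4096, "PAGE_EXECUTE_READWRITE"),
    (0x003c0000, 4096, "PAGE_EXECUTE_READWRITE"),
    (0x03671000, 180224, "PAGE_EXECUTE_READ"),
    (0x2168e000, 4096, "PAGE_EXECUTE_READWRITE"),
]

# The stack trace as the report prints it (symbolised frames cut to three for brevity).
STACK = """
0x368768a
0x36876bd
0x36875d8
0x367e498
0x3692577
0x369c358
DriverCallback+0x4e waveOutOpen-0xa2e winmm+0x3af0 @ 0x73973af0
timeEndPeriod+0x54a timeKillEvent-0x57 winmm+0xa535 @ 0x7397a535
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
"""

# Symbolised frame: "<sym>+off <nextsym>-off <module>+off @ <addr>"; bare frame: "<addr>".
FRAME_RE = re.compile(
    r"^(?:(?P<sym>\S+) \S+ (?P<mod>\w+)\+0x[0-9a-f]+ @ )?(?P<addr>0x[0-9a-f]+)$"
)


def parse_frames(text: str) -> list:
    """Return (address, module, symbol) per frame; module and symbol are None for bare frames."""
    frames = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised frame line: {line!r}")
        frames.append((int(m["addr"], 16), m["mod"], m["sym"]))
    return frames


def region_for(addr: int, regions=REGIONS):
    """The (base, length, protection) tuple containing addr, or None if no recorded region does."""
    for base, length, prot in regions:
        if base <= addr < base + length:
            return base, length, prot
    return None


def attribute(text: str, regions=REGIONS) -> list:
    """Label every frame: module!symbol when symbolised, otherwise the region that owns it."""
    labelled = []
    for addr, mod, sym in parse_frames(text):
        if mod is not None:
            labelled.append((addr, f"{mod}!{sym}"))
        else:
            reg = region_for(addr, regions)
            label = (f"no module; inside 0x{reg[0]:08x}+0x{reg[1]:x} ({reg[2]})"
                     if reg else "no module; not in any recorded region")
            labelled.append((addr, label))
    return labelled


if __name__ == "__main__":
    for addr, label in attribute(STACK):
        print(f"0x{addr:08x}  {label}")
```

Running it places all six bare frames inside 0x03671000+0x2c000 (PAGE_EXECUTE_READ) and leaves the winmm and kernel32 frames labelled by symbol; a frame that lands in no recorded region is the signal to go looking for an allocation the log did not capture.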

NtProtectVirtualMemory

process_identifier: 2184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742f2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2184
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 999999
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00495644
process_handle: 0xffffffff
3221225496 0

(This call, with identical arguments and the identical result, is logged 48 times in succession in the report; the repeats are collapsed here. The return value 3221225496 is 0xC0000018, STATUS_CONFLICTING_ADDRESSES: 999999 bytes starting at 0x00495644 is not contained in a single allocation, so the kernel rejects the protection change and none of the 48 attempts made that range writable and executable.)
file C:\Users\test22\AppData\Local\Temp\x.exe
file C:\Users\test22\AppData\Local\Temp\x.exe

NtProtectVirtualMemory

process_identifier: 2184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 180224
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x03671000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2184
stack_dep_bypass: 1
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x2168e000
process_handle: 0xffffffff
1 0 0

RegSetValueExA

key_handle: 0x000002d0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0
file C:\Users\test22\AppData\Local\Temp\x.exe
Process injection: Process 2184 manipulating memory of non-child process 0

NtAllocateVirtualMemory

process_identifier: 0
region_size: 500000000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
base_address: 0x03671000, 0x0369d000, 0x0369e000, 0x036f4000, 0x037ec000, 0x037ee000 (six calls, identical apart from the address)
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0x00000000
3221225480 0

(Read this signature with care. All six calls passed a NULL process handle and returned 3221225480 = 0xC0000008, STATUS_INVALID_HANDLE, so no memory in any other process was allocated or written; "process 0" is the report's rendering of that NULL handle, not a real target, and the heuristic fired on the handle value alone. The requested addresses sit inside and just beyond the 0x03671000 region that this same process set to PAGE_EXECUTE_READ, which points at the process's own memory rather than at another process.)
RegSetValueExA

key_handle: 0x000002d0
regkey_r: ProxyOverride
reg_type: 1 (REG_SZ)
value: 127.0.0.1:16107;
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
1 0 0

Together with the ProxyEnable = 0 write above (same key handle 0x000002d0), this changes the per-user WinINet proxy configuration, the settings read by Internet Explorer and any WinINet-based code: ProxyEnable = 0 turns proxy use off, and ProxyOverride lists addresses that bypass any proxy, here the loopback address 127.0.0.1 with port 16107. The report does not show what, if anything, listens on that port; a host-side check of that HKCU key and of local listeners is the natural follow-up.
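The API records on this page are easier to triage once the decimal return values are decoded as NTSTATUS codes and identical consecutive rows are collapsed. The following is an added triage helper (not ZeroBOX code) that does that over records in the layout this report uses and raises the findings a reviewer wants first: successful PAGE_EXECUTE_READWRITE changes, failed calls with their status name, memory calls made with a NULL process handle, and WinINet proxy writes to loopback. SAMPLE is a constructed, abbreviated subset of this page's own records; the NTSTATUS table holds only the values that occur here, and all function names are this example's own.

```python
"""Added triage helper (not ZeroBOX code) for the flattened API records in
this report. Assumed record layout: an API name line, "key: value" argument
lines, then a numeric row whose last value is the repeat count and whose
second-to-last value is the return value. SAMPLE is a constructed,
abbreviated subset of this page's own records."""
from dataclasses import dataclass

# NTSTATUS values that occur on this page, keyed by the integer the report prints.
NTSTATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000008: "STATUS_INVALID_HANDLE",
    0xC0000018: "STATUS_CONFLICTING_ADDRESSES",
}


def ntstatus_name(ret: int) -> str:
    return NTSTATUS.get(ret, f"0x{ret:08x}")


def failed(ret: int) -> bool:
    return ret >= 0xC0000000          # NTSTATUS error-severity bits set


@dataclass
class Record:
    api: str
    args: dict
    ret: int
    repeated: int


def parse_records(text: str) -> list:
    """Parse API-call records; exception records (which carry a stacktrace) are out of scope."""
    records, api, args = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Time & API"):   # blank lines, repeated table headers
            continue
        if ":" in line:                                  # argument line
            key, value = line.split(":", 1)
            args[key.strip()] = value.strip()
        elif line.replace(" ", "").isdigit():            # numeric row closes the record
            nums = [int(x) for x in line.split()]
            records.append(Record(api, args, nums[-2], nums[-1]))
            api, args = None, {}
        else:                                            # API name opens a record
            api = line
    return records


def collapse(records: list) -> list:
    """Merge runs of identical consecutive records into (record, run length) pairs."""
    runs = []
    for rec in records:
        if runs and runs[-1][0] == rec:
            runs[-1][1] += 1
        else:
            runs.append([rec, 1])
    return [(rec, n) for rec, n in runs]


def triage(records: list) -> list:
    """Findings in the order they occur; the wording is this example's own."""
    notes = []
    for rec, n in collapse(records):
        base = rec.args.get("base_address", "?")
        prot = rec.args.get("protection", "").split(" ")[0]   # "64 (PAGE_...)" -> "64"
        if rec.api in ("NtProtectVirtualMemory", "NtAllocateVirtualMemory"):
            if rec.args.get("process_handle") == "0x00000000" and failed(rec.ret):
                notes.append(f"{rec.api} x{n}: NULL process handle, {ntstatus_name(rec.ret)}; "
                             "no memory in another process was touched")
            elif failed(rec.ret):
                notes.append(f"{rec.api} x{n}: {ntstatus_name(rec.ret)} at {base}, no change applied")
            elif prot == "64":
                notes.append(f"{rec.api} x{n}: {base} now PAGE_EXECUTE_READWRITE "
                             "(self-modifying or unpacked code candidate)")
        elif rec.api == "RegSetValueExA":
            name, value = rec.args.get("regkey_r"), rec.args.get("value", "")
            if name == "ProxyOverride" and value.startswith("127.0.0.1"):
                notes.append(f"RegSetValueExA: ProxyOverride={value} "
                             "(per-user WinINet proxy settings pointed at loopback)")
    return notes


# Constructed subset of this page's records, in the report's own layout.
SAMPLE = """
NtProtectVirtualMemory

process_identifier: 2184
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742f2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2184
length: 999999
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00495644
process_handle: 0xffffffff
3221225496 0

NtProtectVirtualMemory

process_identifier: 2184
length: 999999
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00495644
process_handle: 0xffffffff
3221225496 0

NtAllocateVirtualMemory

process_identifier: 0
region_size: 500000000
protection: 4 (PAGE_READWRITE)
base_address: 0x03671000
process_handle: 0x00000000
3221225480 0

RegSetValueExA

key_handle: 0x000002d0
regkey_r: ProxyOverride
reg_type: 1 (REG_SZ)
value: 127.0.0.1:16107;
1 0 0
"""

if __name__ == "__main__":
    for note in triage(parse_records(SAMPLE)):
        print(note)
```

Applied to the full report the collapse step turns the 48 identical failing NtProtectVirtualMemory rows into one line with a count, and the NULL-handle rule is what separates the "process injection" signature on this page from a real cross-process write.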
parent_process wscript.exe martian_process "C:\Users\test22\AppData\Local\Temp\x.exe"
parent_process wscript.exe martian_process C:\Users\test22\AppData\Local\Temp\x.exe
Antivirus results

Vendor Detection
CTX vba.dropper.generic
Skyhigh BehavesLike.VBS.Dropper.tp
ALYac GT:VB.AgentTesla.4.56A700B4
VIPRE GT:VB.AgentTesla.4.56A700B4
Arcabit GT:VB.AgentTesla.4.56A700B4
Symantec ISB.Dropper!gen1
ESET-NOD32 VBS/TrojanDropper.Agent.PIZ
TrendMicro-HouseCall Backdoor.VBS.REMCOS.YXEJOZ
Avast Script:SNH-gen [Trj]
BitDefender GT:VB.AgentTesla.4.56A700B4
MicroWorld-eScan GT:VB.AgentTesla.4.56A700B4
Rising Dropper.Agent/VBS!1.F4C6 (CLASSIC)
Emsisoft GT:VB.AgentTesla.4.56A700B4 (B)
TrendMicro Backdoor.VBS.REMCOS.YXEJOZ
Ikarus Win32.Outbreak
FireEye GT:VB.AgentTesla.4.56A700B4
Google Detected
Kingsoft Script.Trojan-Dropper.Generic.a
Microsoft Trojan:Script/GuLoader.RP!MTB
GData GT:VB.AgentTesla.4.56A700B4
Varist ABApplication.KF
Yandex Trojan.Etecer.b3aNRz.27
AVG Script:SNH-gen [Trj]
alibabacloud Trojan[dropper]:Win/GuLoader.RX8PHU

The vendors agree that this is a VBS dropper but not on a family: AgentTesla, Remcos and GuLoader all appear, and the Suricata JA3 hit above names a fourth (Tofsee). Treat the names as dropper/loader heuristics, and take the family from the dropped x.exe rather than from this table.
file C:\Users\test22\AppData\Local\Temp\x.exe