Summary | ZeroBOX

WebMailTester.exe

Tags: Generic Malware, Malicious Library, UPX, PE32, PE File, MZP Format
Category FILE
Machine s1_win7_x6402
Started Oct. 16, 2024, 3:40 p.m.
Completed Oct. 16, 2024, 3:42 p.m.
Size 933.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c3509310546d5a0de9f11fefe3410a9e
SHA256 aff388f01d5aa3eaa64d4c3b4e389337e45fad2cc13c1671b0e9c27bf16c195d
CRC32 BB0DBA81
ssdeep 12288:uWNHRVEfTKybMJmBZWpS2FURq7gW5QNhi/CgU9oB8HBtKlmU888888888888W88c:1RRQTKwMJmTDkMW5QNg/CgBB8H3a
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format

Name Response Post-Analysis Lookup
smtp
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1 return: 1 repeated: 0
section .itext
packer BobSoft Mini Delphi -> BoB / BobSoft
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 1633736
registers.edi: 11001
registers.eax: 1633736
registers.ebp: 1633816
registers.edx: 0
registers.ebx: 4716704
registers.esi: 32670400
registers.ecx: 7
status: 1 return: 0 repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 204
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74192000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 204
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 204
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ed3000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 204
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03770000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
name RT_ICON language LANG_KOREAN filetype dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 16777215, next used block 16777215 sublanguage SUBLANG_KOREAN offset 0x000e11f0 size 0x00004228
name RT_GROUP_ICON language LANG_KOREAN filetype data sublanguage SUBLANG_KOREAN offset 0x000f3774 size 0x00000014
name RT_MANIFEST language LANG_KOREAN filetype XML 1.0 document, ASCII text, with CRLF line terminators sublanguage SUBLANG_KOREAN offset 0x000f3788 size 0x00000352
Rising Trojan.Generic@AI.92 (RDML:nJx+mZKnaLR6jsBqppgMjg)
MaxSecure Trojan.Malware.300983.susgen