Summary | ZeroBOX

chrome_133.exe

Client SW User Data Stealer info stealer ftp Client Generic Malware Malicious Library UPX PWS DNS Http API Socket AntiDebug PE File OS Processor Check PE32 AntiVM
Category FILE
Machine s1_win7_x6403_us
Started Nov. 22, 2024, 3:03 p.m.
Completed Nov. 22, 2024, 3:09 p.m.
Size 503.6KB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 926dd9e88e2ac846eaf3c23ef8208cdf
SHA256 ad277a48c7c67f5510e0d2b28284f631f9e51dd7da53ed9e4da8dec0078d9aa0
CRC32 401D6E58
ssdeep 12288:sA4gyTSwAN2kL0PPJHBlOyLwFrpOu6VSlC8OIlr7v:sxgFN2kL03HlpLwFrpOu6qC83r7v
Yara
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

DNS (Name / Response / Post-Analysis Lookup): no hosts contacted.
Hosts (IP Address / Status / Action): no hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API calls (each entry ends with Status / Return / Repeated)

GetComputerNameA
computer_name: TEST22-PC
status 1 / return 1 / repeated 0

GetComputerNameA
computer_name: TEST22-PC
status 1 / return 1 / repeated 0
API calls (Status / Return / Repeated)

GlobalMemoryStatusEx
status 1 / return 1 / repeated 0
section .00cfg
section .coS
API calls (Status / Return / Repeated)

NtProtectVirtualMemory
process_identifier: 1932
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00edd000
process_handle: 0xffffffff (current-process pseudo-handle)
status 1 / return 0 / repeated 0

NtAllocateVirtualMemory
process_identifier: 2112
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00330000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff (current-process pseudo-handle)
status 1 / return 0 / repeated 0
section .text: virtual_address 0x00001000, virtual_size 0x0003542c, size_of_data 0x00035600, entropy 6.957 (a section with a high entropy has been found)
section .coS: virtual_address 0x00043000, virtual_size 0x0003bc00, size_of_data 0x0003bc00, entropy 7.999 (a section with a high entropy has been found)
overall entropy 0.9225 (overall entropy of this PE file is high)
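The two entropy marks deserve decoding rather than a glance. The per-section figures are Shannon entropy in bits per byte, so .coS at 7.999 is indistinguishable from random, encrypted or compressed data, and 6.957 for .text is well above what plain compiled x86 code normally shows. The "overall entropy 0.9225" is not an entropy at all: (0x35600 + 0x3bc00) / 0.92252803262 is exactly 0x7aa00 bytes, so the number is the share of all section bytes that live in high-entropy sections, which is how the Cuckoo community packer_entropy signature computes it as far as I recall (per-section threshold 6.8 bits/byte, overall threshold 0.2). The Python below is an added example, not ZeroBOX's own signature code: it implements that logic over sections given as raw bytes and also flags non-standard section names such as .coS. The thresholds and the list of standard names are assumptions, and the three constructed sections are sized so that the totals reproduce the page's 0.9225 (a zero-filled 0x9800-byte filler stands in for the remaining sections, whose sizes the page does not list).

```python
"""Packing heuristics over PE sections: Shannon entropy plus section-name check.

Added example, not ZeroBOX's signature code. The thresholds (6.8 bits/byte
per section, 0.2 share of bytes overall) follow the Cuckoo community
packer_entropy signature as I remember it; treat them as assumptions.
"""
import math
from collections import Counter
from typing import List, NamedTuple

SECTION_ENTROPY_THRESHOLD = 6.8      # assumed, see docstring
OVERALL_SHARE_THRESHOLD = 0.2        # assumed, see docstring

# Section names a stock linker output is expected to carry (assumed list;
# MSVC emits .00cfg for Control Flow Guard load-config data). Anything else,
# such as this sample's .coS or UPX's UPX0/UPX1, is worth a second look.
STANDARD_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".bss", ".idata", ".edata", ".rsrc",
    ".reloc", ".tls", ".pdata", ".CRT", ".00cfg", ".gfids",
}


class Section(NamedTuple):
    name: str
    data: bytes      # raw file bytes (size_of_data), not the virtual size


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, 8.0 when
    every byte value is equally frequent (random, encrypted or compressed)."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(data).values()))


class Verdict(NamedTuple):
    high_entropy_sections: List[str]
    unusual_names: List[str]
    high_entropy_share: float    # fraction of section bytes in high-entropy sections

    @property
    def likely_packed(self) -> bool:
        return self.high_entropy_share > OVERALL_SHARE_THRESHOLD


def assess(sections: List[Section]) -> Verdict:
    """Apply the per-section and overall heuristics to a list of sections."""
    total = sum(len(s.data) for s in sections)
    high = [s for s in sections if shannon_entropy(s.data) > SECTION_ENTROPY_THRESHOLD]
    share = sum(len(s.data) for s in high) / total if total else 0.0
    unusual = [s.name for s in sections if s.name not in STANDARD_SECTION_NAMES]
    return Verdict([s.name for s in high], unusual, share)


# Constructed stand-ins sized like the report's sections: .text (0x35600 bytes)
# gets a 128-symbol alphabet (entropy exactly 7.0), .coS (0x3bc00 bytes) a flat
# 256-symbol alphabet (8.0), and a zero-filled 0x9800-byte .rdata represents the
# remaining low-entropy data so that the totals reproduce the page's 0.9225 share.
SAMPLE_SECTIONS = [
    Section(".text", bytes(range(128)) * (0x35600 // 128)),
    Section(".rdata", b"\x00" * 0x9800),
    Section(".coS", bytes(range(256)) * (0x3bc00 // 256)),
]

if __name__ == "__main__":
    verdict = assess(SAMPLE_SECTIONS)
    for s in SAMPLE_SECTIONS:
        print(f"{s.name:8s} size 0x{len(s.data):06x} entropy {shannon_entropy(s.data):.3f}")
    print(f"high-entropy share {verdict.high_entropy_share:.4f}, unusual names {verdict.unusual_names}, "
          f"likely packed: {verdict.likely_packed}")
```

The share metric is deliberately size-weighted: a small high-entropy .rsrc holding a compressed icon does not push a file over 0.2, while a payload section that makes up most of the image does, which is exactly the situation the two marks above describe.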
url http://localhost:9229/json
rule Client_SW_User_Data_Stealer: Client_SW_User_Data_Stealer
rule infoStealer_ftpClients_Zero: ftp clients info stealer
rule Network_TCP_Socket: Communications over RAW Socket
rule Str_Win32_Http_API: Match Windows Http API call
rule Generic_PWS_Memory_Zero: PWS Memory
rule Network_DNS: Communications use DNS
rule DebuggerCheck__GlobalFlags: (no description)
rule DebuggerCheck__QueryInfo: (no description)
rule DebuggerHiding__Thread: (no description)
rule DebuggerHiding__Active: (no description)
rule ThreadControl__Context: (no description)
rule SEH__vectored: (no description)
rule anti_dbg: Checks if being debugged
rule disable_dep: Bypass DEP
API calls (Status / Return / Repeated)

NtTerminateProcess
status_code: 0x00000000
process_identifier: 2076
process_handle: 0x0000002c
status (blank in report) / return 0 / repeated 0

NtTerminateProcess
status_code: 0x00000000
process_identifier: 2076
process_handle: 0x0000002c
status 1 / return 0 / repeated 0

API calls (Status / Return / Repeated)

NtAllocateVirtualMemory
process_identifier: 2076
region_size: 2424832 (0x250000)
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000002c
status (blank in report) / return 3221225496 (NTSTATUS 0xC0000018, STATUS_CONFLICTING_ADDRESSES: the requested range collides with a mapping already present in the target) / repeated 0

NtAllocateVirtualMemory
process_identifier: 2112
region_size: 2424832 (0x250000)
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000040
status 1 / return 0 / repeated 0
Process injection Process 1932 manipulating memory of non-child process 2076
API calls (Status / Return / Repeated)

NtAllocateVirtualMemory
process_identifier: 2076
region_size: 2424832 (0x250000)
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000002c
status (blank in report) / return 3221225496 (NTSTATUS 0xC0000018, STATUS_CONFLICTING_ADDRESSES: the requested range collides with a mapping already present in the target) / repeated 0
API calls (Status / Return / Repeated)

WriteProcessMemory

buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $δâ8ŠÕŒkŠÕŒkŠÕŒkå£'k’ÕŒkå£k‡ÕŒkå£&k°ÕŒkƒ­k‰ÕŒkƒ­kˆÕŒk ¬j‰ÕŒkŠÕkÖՌkå£#k˜ÕŒkå£k‹ÕŒkRichŠÕŒkPEL >gà  ˜@"À°@%@`< $ä<°.textú–˜ à.rdatatµ°¶œ@@.dataì+!p R@À.reloc$] $^^@B
base_address: 0x00400000
process_identifier: 2112
process_handle: 0x00000040
status 1 / return 1 / repeated 0

WriteProcessMemory

buffer: \±B.?AVtype_info@@Næ@»±¿D        ! 5A CPR S WY l m pr €  ‚ ƒ„ ‘)ž ¡¤ § ·Î×   “ÿÿÿÿÿÿÿÿ>™B>™B>™B>™B>™B>™B>™B>™B>™B>™BC$ÇB ÇBÇBÇBÇBÇB ÇBÇBüÆBôÆBèÆBÜÆBÔÆBÈÆBÄÆBÀÆB¼ÆB¸ÆB´ÆB°ÆB¬ÆB¨ÆB¤ÆB ÆBœÆB˜ÆBÆB„ÆB|ÆBtÆB´ÆBlÆBdÆB\ÆBPÆBHÆB<ÆB0ÆB,ÆB(ÆBÆBÆBüÅB ôÅBìÅBäÅBÜÅBÔÅBÌÅBÄÅB´ÅB¤ÅB”ÅB€ÅBlÅB\ÅBHÅB@ÅB8ÅB0ÅB(ÅB ÅBÅBÅBÅBÅBøÄBðÄBèÄBØÄBÄÄB¸ÄB¬ÄB ÅB ÄB”ÄB„ÄBpÄB`ÄBLÄB8ÄB0ÄB(ÄBÄBìÃBØÃBsCsCsCsCsCÈzC¨ÈB0ÍB°ÎBsCxtC abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXuC¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ€ þÿÿÿ¬ÊB..ÀzCŒˆCŒˆCŒˆCŒˆCŒˆCŒˆCŒˆCŒˆCŒˆCÄzCˆCˆCˆCˆCˆCˆCˆCÈzC¨ÈBªÊB.\±B.?AVlogic_error@std@@\±B.?AVlength_error@std@@\±B.?AVout_of_range@std@@\±B.?AVexception@std@@\±B.?AVbad_alloc@std@@
base_address: 0x00437000
process_identifier: 2112
process_handle: 0x00000040
status 1 / return 1 / repeated 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008 (PEB + 0x8, the ImageBaseAddress field; the 4-byte buffer is the new base 0x00400000, of which only the 0x40 byte renders as "@")
process_identifier: 2112
process_handle: 0x00000040
status 1 / return 1 / repeated 0
API calls (Status / Return / Repeated)

WriteProcessMemory

buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $δâ8ŠÕŒkŠÕŒkŠÕŒkå£'k’ÕŒkå£k‡ÕŒkå£&k°ÕŒkƒ­k‰ÕŒkƒ­kˆÕŒk ¬j‰ÕŒkŠÕkÖՌkå£#k˜ÕŒkå£k‹ÕŒkRichŠÕŒkPEL >gà  ˜@"À°@%@`< $ä<°.textú–˜ à.rdatatµ°¶œ@@.dataì+!p R@À.reloc$] $^^@B
base_address: 0x00400000
process_identifier: 2112
process_handle: 0x00000040
status 1 / return 1 / repeated 0
Process injection Process 1932 called NtSetContextThread to modify thread in remote process 2112
API calls (Status / Return / Repeated)

NtSetContextThread
registers.eip: 2005598660 (0x778b01c4)
registers.esp: 1374388 (0x0014f8b4)
registers.edi: 0
registers.eax: 4332992 (0x00421dc0; in the initial context of a freshly created, still-suspended x86 main thread EAX carries the entry point, so this is 0x00400000 + 0x21dc0, inside the first section written at 0x00401000)
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168 (0x7efde000, the PEB; the earlier 4-byte write to 0x7efde008 patched PEB.ImageBaseAddress)
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000044
process_identifier: 2112
status 1 / return 0 / repeated 0
Process injection Process 1932 resumed a thread in remote process 2112
API calls (Status / Return / Repeated)

NtResumeThread
thread_handle: 0x00000044
suspend_count: 1
process_identifier: 2112
status 1 / return 0 / repeated 0
API calls (Status / Return / Repeated)

CreateProcessInternalW
thread_identifier: 2080
thread_handle: 0x00000020
process_identifier: 2076
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\chrome_133.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\chrome_133.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000002c
status 1 / return 1 / repeated 0

NtGetContextThread
thread_handle: 0x00000020
status 1 / return 0 / repeated 0

NtAllocateVirtualMemory
process_identifier: 2076
region_size: 2424832 (0x250000)
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000002c
status (blank in report) / return 3221225496 (NTSTATUS 0xC0000018, STATUS_CONFLICTING_ADDRESSES) / repeated 0

CreateProcessInternalW
thread_identifier: 2116
thread_handle: 0x00000044
process_identifier: 2112
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\chrome_133.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\chrome_133.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000040
status 1 / return 1 / repeated 0

NtGetContextThread
thread_handle: 0x00000044
status 1 / return 0 / repeated 0

NtAllocateVirtualMemory
process_identifier: 2112
region_size: 2424832 (0x250000, covering 0x00400000 to 0x00650000 and so every write below, including the one at 0x0064a000)
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000040
status 1 / return 0 / repeated 0

WriteProcessMemory

buffer: MZÿÿ¸@躴 Í!¸LÍ!This program cannot be run in DOS mode. $δâ8ŠÕŒkŠÕŒkŠÕŒkå£'k’ÕŒkå£k‡ÕŒkå£&k°ÕŒkƒ­k‰ÕŒkƒ­kˆÕŒk ¬j‰ÕŒkŠÕkÖՌkå£#k˜ÕŒkå£k‹ÕŒkRichŠÕŒkPEL >gà  ˜@"À°@%@`< $ä<°.textú–˜ à.rdatatµ°¶œ@@.dataì+!p R@À.reloc$] $^^@B
base_address: 0x00400000
process_identifier: 2112
process_handle: 0x00000040
status 1 / return 1 / repeated 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2112
process_handle: 0x00000040
status 1 / return 1 / repeated 0

WriteProcessMemory

buffer:
base_address: 0x0042b000
process_identifier: 2112
process_handle: 0x00000040
status 1 / return 1 / repeated 0

WriteProcessMemory

buffer: \±B.?AVtype_info@@Næ@»±¿D        ! 5A CPR S WY l m pr €  ‚ ƒ„ ‘)ž ¡¤ § ·Î×   “ÿÿÿÿÿÿÿÿ>™B>™B>™B>™B>™B>™B>™B>™B>™B>™BC$ÇB ÇBÇBÇBÇBÇB ÇBÇBüÆBôÆBèÆBÜÆBÔÆBÈÆBÄÆBÀÆB¼ÆB¸ÆB´ÆB°ÆB¬ÆB¨ÆB¤ÆB ÆBœÆB˜ÆBÆB„ÆB|ÆBtÆB´ÆBlÆBdÆB\ÆBPÆBHÆB<ÆB0ÆB,ÆB(ÆBÆBÆBüÅB ôÅBìÅBäÅBÜÅBÔÅBÌÅBÄÅB´ÅB¤ÅB”ÅB€ÅBlÅB\ÅBHÅB@ÅB8ÅB0ÅB(ÅB ÅBÅBÅBÅBÅBøÄBðÄBèÄBØÄBÄÄB¸ÄB¬ÄB ÅB ÄB”ÄB„ÄBpÄB`ÄBLÄB8ÄB0ÄB(ÄBÄBìÃBØÃBsCsCsCsCsCÈzC¨ÈB0ÍB°ÎBsCxtC abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZXuC¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÿÿÿÿ€ þÿÿÿ¬ÊB..ÀzCŒˆCŒˆCŒˆCŒˆCŒˆCŒˆCŒˆCŒˆCŒˆCÄzCˆCˆCˆCˆCˆCˆCˆCÈzC¨ÈBªÊB.\±B.?AVlogic_error@std@@\±B.?AVlength_error@std@@\±B.?AVout_of_range@std@@\±B.?AVexception@std@@\±B.?AVbad_alloc@std@@
base_address: 0x00437000
process_identifier: 2112
process_handle: 0x00000040
status 1 / return 1 / repeated 0

WriteProcessMemory

buffer:
base_address: 0x0064a000
process_identifier: 2112
process_handle: 0x00000040
status 1 / return 1 / repeated 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008 (PEB + 0x8, the ImageBaseAddress field; the 4-byte buffer is the new base 0x00400000, of which only the 0x40 byte renders as "@")
process_identifier: 2112
process_handle: 0x00000040
status 1 / return 1 / repeated 0

NtSetContextThread
registers.eip: 2005598660 (0x778b01c4)
registers.esp: 1374388 (0x0014f8b4)
registers.edi: 0
registers.eax: 4332992 (0x00421dc0; in the initial context of a freshly created, still-suspended x86 main thread EAX carries the entry point, so this is 0x00400000 + 0x21dc0, inside the first section written at 0x00401000)
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168 (0x7efde000, the PEB; the 4-byte write to 0x7efde008 above patched PEB.ImageBaseAddress)
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000044
process_identifier: 2112
status 1 / return 0 / repeated 0

NtResumeThread
thread_handle: 0x00000044
suspend_count: 1
process_identifier: 2112
status 1 / return 0 / repeated 0
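Read as a whole, the chain in this last table is textbook RunPE process hollowing: the sample launches a second copy of itself with CREATE_SUSPENDED, reads the initial thread context, allocates a 0x250000-byte PAGE_EXECUTE_READWRITE region at 0x00400000 in the child, writes a fresh PE there (MZ header at 0x00400000, then sections at 0x00401000, 0x0042b000, 0x00437000 and 0x0064a000), rewrites PEB.ImageBaseAddress at 0x7efde008, points EAX at the new entry point via NtSetContextThread and resumes the thread. The first child, 2076, never got that far because the allocation at 0x00400000 returned STATUS_CONFLICTING_ADDRESSES, so it was terminated and the whole sequence replayed against 2112. The Python below is an added example, not part of the ZeroBOX report or of the sample: it walks call records laid out like the report's rows, correlates them per target pid, decodes the NTSTATUS, and verifies the PEB patch against EBX from the thread context. The trace it runs on is reconstructed by hand from the values above; the section buffers the page does not render are replaced by constructed placeholder bytes, and the helper names are my own.

```python
"""Flag RunPE-style process hollowing in a Cuckoo/ZeroBOX API trace.
Added example, not part of the ZeroBOX report or of the sample: record fields
mirror the report, SAMPLE_TRACE is reconstructed by hand from the page's values
and the unprintable section buffers are replaced by constructed bytes."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40
PEB_IMAGE_BASE_OFFSET = 0x8      # PEB.ImageBaseAddress on 32-bit Windows
NTSTATUS_NAMES = {0x00000000: "STATUS_SUCCESS", 0xC0000018: "STATUS_CONFLICTING_ADDRESSES"}


def ntstatus_name(value: int) -> str:
    """Decode the decimal return value the sandbox logs into an NTSTATUS name."""
    code = value & 0xFFFFFFFF
    return NTSTATUS_NAMES.get(code, f"0x{code:08X}")


@dataclass
class TargetState:
    """Everything the trace shows being done to one target process."""
    created_suspended: bool = False
    rwx_allocs: List[Tuple[int, int]] = field(default_factory=list)    # (base, size)
    failed_allocs: List[str] = field(default_factory=list)             # NTSTATUS names
    image_base: Optional[int] = None         # where a buffer starting with "MZ" landed
    peb_write_address: Optional[int] = None  # address of a 4-byte write of image_base
    peb_patched: bool = False                # ...and that address was EBX (PEB) + 8
    entry_point: Optional[int] = None        # EAX handed to NtSetContextThread
    resumed: bool = False

    @property
    def hollowed(self) -> bool:
        return (self.created_suspended and self.image_base is not None
                and self.entry_point is not None and self.resumed)


def analyze(trace: List[dict]) -> Dict[int, TargetState]:
    """Correlate the calls per target pid; the order of the chain matters."""
    states: Dict[int, TargetState] = {}
    for call in trace:
        args = call["args"]
        pid = args.get("process_identifier")
        if pid is None:                       # e.g. NtGetContextThread logs only a handle
            continue
        st = states.setdefault(pid, TargetState())
        api = call["api"]
        if api == "CreateProcessInternalW":
            st.created_suspended = bool(args["creation_flags"] & CREATE_SUSPENDED)
        elif api == "NtAllocateVirtualMemory":
            if not call["status"]:
                st.failed_allocs.append(ntstatus_name(call["return"]))
            elif args["protection"] == PAGE_EXECUTE_READWRITE:
                st.rwx_allocs.append((args["base_address"], args["region_size"]))
        elif api == "WriteProcessMemory":
            buf = args["buffer"]
            if buf[:2] == b"MZ":
                st.image_base = args["base_address"]
            elif (len(buf) == 4 and st.image_base is not None
                  and int.from_bytes(buf, "little") == st.image_base):
                st.peb_write_address = args["base_address"]
        elif api == "NtSetContextThread":
            regs = args["registers"]
            st.entry_point = regs["eax"]      # initial x86 context: EAX = entry, EBX = PEB
            st.peb_patched = st.peb_write_address == regs["ebx"] + PEB_IMAGE_BASE_OFFSET
        elif api == "NtResumeThread":
            st.resumed = True
    return states


def _call(api: str, status: int, ret: int, **args) -> dict:
    return {"api": api, "status": status, "return": ret, "args": args}


SELF = r"C:\Users\test22\AppData\Local\Temp\chrome_133.exe"
MZ_STUB = b"MZ" + b"\x00" * 58 + b"\x80\x00\x00\x00" + b"\x00" * 64 + b"PE\x00\x00"  # constructed
SAMPLE_TRACE = [
    _call("CreateProcessInternalW", 1, 1, process_identifier=2076, thread_handle=0x20,
          process_handle=0x2c, creation_flags=CREATE_SUSPENDED, filepath=SELF),
    _call("NtGetContextThread", 1, 0, thread_handle=0x20),
    _call("NtAllocateVirtualMemory", 0, 3221225496, process_identifier=2076, base_address=0x400000,
          region_size=0x250000, protection=PAGE_EXECUTE_READWRITE, process_handle=0x2c),
    _call("NtTerminateProcess", 1, 0, process_identifier=2076, process_handle=0x2c, status_code=0),
    _call("CreateProcessInternalW", 1, 1, process_identifier=2112, thread_handle=0x44,
          process_handle=0x40, creation_flags=CREATE_SUSPENDED, filepath=SELF),
    _call("NtAllocateVirtualMemory", 1, 0, process_identifier=2112, base_address=0x400000,
          region_size=0x250000, protection=PAGE_EXECUTE_READWRITE, process_handle=0x40),
    _call("WriteProcessMemory", 1, 1, process_identifier=2112, base_address=0x400000, buffer=MZ_STUB),
    _call("WriteProcessMemory", 1, 1, process_identifier=2112, base_address=0x401000, buffer=b"\xcc" * 16),
    _call("WriteProcessMemory", 1, 1, process_identifier=2112, base_address=0x437000, buffer=b".?AVtype_info@@"),
    _call("WriteProcessMemory", 1, 1, process_identifier=2112, base_address=0x7efde008,
          buffer=(0x400000).to_bytes(4, "little")),         # PEB.ImageBaseAddress := 0x00400000
    _call("NtSetContextThread", 1, 0, process_identifier=2112, thread_handle=0x44,
          registers={"eip": 2005598660, "esp": 1374388, "eax": 4332992, "ebx": 2130567168}),
    _call("NtResumeThread", 1, 0, process_identifier=2112, thread_handle=0x44, suspend_count=1),
]

if __name__ == "__main__":
    for pid, st in sorted(analyze(SAMPLE_TRACE).items()):
        print(pid, "hollowed" if st.hollowed else "not hollowed", st.failed_allocs)
```

Run directly, it reports 2076 as a suspended target whose allocation failed with STATUS_CONFLICTING_ADDRESSES and 2112 as hollowed with entry point 0x421dc0 and the PEB patch confirmed. Requiring the 4-byte ImageBaseAddress write to match both the value written at the MZ address and EBX + 8 from the context keeps ordinary CreateProcess-then-WriteProcessMemory behaviour (crash reporters, debuggers) from tripping the verdict; in a real pipeline the records would be taken from the sandbox's JSON report rather than built by hand.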