Summary | ZeroBOX

13Z5sqy.exe

Generic Malware Malicious Library UPX Malicious Packer Code injection DGA HTTP ScreenShot KeyLogger Http API Internet API PE File dll OS Processor Check PE32 AntiVM AntiDebug DllRegisterServer
Category: FILE
Machine: s1_win7_x6403_us
Started: Feb. 11, 2025, 1:27 p.m.
Completed: Feb. 11, 2025, 1:29 p.m.
Size 9.8MB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 db3632ef37d9e27dfa2fd76f320540ca
SHA256 0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d
CRC32 C63FB669
ssdeep 98304:IWlC18CzkF6kJdZi/lBMoo6Yc3A2o5APDm5:PlW1BMoOED
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • DllRegisterServer_Zero - execute regsvr32.exe
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

Name / Response / Post-Analysis Lookup: No hosts contacted.
IP Address / Status / Action: No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .symtab
url http://ns.adobe.com/xap/1.0/mm/
url http://ns.adobe.com/xap/1.0/sType/ResourceRef
url http://ns.adobe.com/xap/1.0/
  • Network_DGA - Communication using DGA
  • Str_Win32_Http_API - Match Windows Http API call
  • ScreenShot - Take ScreenShot
  • Network_HTTP - Communications over HTTP
  • Code_injection - Code injection with CreateRemoteThread in a remote process
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP
  • win_hook - Affect hook table
  • Str_Win32_Internet_API - Match Windows Inet API call
  • KeyLogger - Run a KeyLogger
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 364544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000100
1 0 0
Process injection Process 884 called NtSetContextThread to modify thread in remote process 2552
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4227968
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000114
process_identifier: 2552
1 0 0
Process injection Process 884 resumed a thread in remote process 2552
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000114
suspend_count: 1
process_identifier: 2552
1 0 0
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

ordinal: 0
function_address: 0x0018fe29
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 0
Time & API Arguments Status Return Repeated

NtGetContextThread

thread_handle: 0x000000ec
1 0 0

NtResumeThread

thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x00000100
1 0 0

NtResumeThread

thread_handle: 0x00000100
suspend_count: 1
process_identifier: 884
1 0 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath: C:\Windows\Boot\PCAT\memtest.exe
track: 0
command_line:
filepath_r: C:\Windows\Boot\PCAT\memtest.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000000
0 0

NtGetContextThread

thread_handle: 0x00000110
1 0 0

NtResumeThread

thread_handle: 0x00000110
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x0000010c
1 0 0

NtResumeThread

thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x0000010c
1 0 0

NtResumeThread

thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x0000010c
1 0 0

NtSetContextThread

registers.eip: 4612400
registers.esp: 186324416
registers.edi: 0
registers.eax: 0
registers.ebp: 86194
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000010c
process_identifier: 884
1 0 0

NtResumeThread

thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x0000010c
1 0 0

NtSetContextThread

registers.eip: 4612400
registers.esp: 186324416
registers.edi: 0
registers.eax: 0
registers.ebp: 185030
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000010c
process_identifier: 884
1 0 0

NtResumeThread

thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x0000010c
1 0 0

NtSetContextThread

registers.eip: 4612400
registers.esp: 186324416
registers.edi: 0
registers.eax: 0
registers.ebp: 265526
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000010c
process_identifier: 884
1 0 0

NtResumeThread

thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x0000010c
1 0 0

NtSetContextThread

registers.eip: 4612400
registers.esp: 186324416
registers.edi: 0
registers.eax: 0
registers.ebp: 300391
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000010c
process_identifier: 884
1 0 0

NtResumeThread

thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x0000010c
1 0 0

NtSetContextThread

registers.eip: 4612400
registers.esp: 186324416
registers.edi: 0
registers.eax: 0
registers.ebp: 311810
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000010c
process_identifier: 884
1 0 0

NtResumeThread

thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x0000010c
1 0 0

NtResumeThread

thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x0000010c
1 0 0

NtResumeThread

thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x0000010c
1 0 0

NtResumeThread

thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x0000010c
1 0 0

NtResumeThread

thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x0000010c
1 0 0

NtResumeThread

thread_handle: 0x0000010c
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x00000114
1 0 0

NtResumeThread

thread_handle: 0x00000114
suspend_count: 1
process_identifier: 884
1 0 0

CreateProcessInternalW

thread_identifier: 2556
thread_handle: 0x00000114
process_identifier: 2552
current_directory:
filepath: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744CAF070E41400\15.7.20033\AcroRd32.exe
track: 1
command_line:
filepath_r: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA7FFFFB744CAF070E41400\15.7.20033\AcroRd32.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000100
1 1 0

NtGetContextThread

thread_handle: 0x00000114
1 0 0

NtAllocateVirtualMemory

process_identifier: 2552
region_size: 364544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000100
1 0 0

NtGetContextThread

thread_handle: 0x00000120
1 0 0

NtResumeThread

thread_handle: 0x00000120
suspend_count: 1
process_identifier: 884
1 0 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4227968
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000114
process_identifier: 2552
1 0 0

NtGetContextThread

thread_handle: 0x0000011c
1 0 0

NtResumeThread

thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x0000011c
1 0 0

NtResumeThread

thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 884
1 0 0

NtGetContextThread

thread_handle: 0x0000011c
1 0 0

NtResumeThread

thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 884
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Encoder.tsd0
CAT-QuickHeal Trojan.Inject
Skyhigh Artemis!Trojan
McAfee Artemis!DB3632EF37D9
Cylance Unsafe
VIPRE Trojan.GenericKD.75591883
Sangfor Dropper.Win32.Inject.Vtwt
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Trojan.GenericKD.75591883
K7GW Trojan ( 005b9b2a1 )
K7AntiVirus Trojan ( 005b9b2a1 )
Arcabit Trojan.Generic.D48170CB
VirIT Trojan.Win32.Genus.XMP
Symantec Trojan Horse
Elastic malicious (high confidence)
ESET-NOD32 a variant of WinGo/TrojanDropper.Agent.EK
Avast Win32:Malware-gen
Kaspersky Trojan.Win32.Inject.aqieu
Alibaba TrojanDropper:Win32/Inject.62bec01a
MicroWorld-eScan Trojan.GenericKD.75591883
Rising Trojan.ShellCodeRunner!1.12748 (CLASSIC)
Emsisoft Trojan.GenericKD.75591883 (B)
F-Secure Trojan.TR/Injector.cvukx
DrWeb Trojan.PWS.Lumma.1689
Zillya Dropper.Agent.Win32.623856
TrendMicro Trojan.Win32.AMADEY.YXFAZZ
McAfeeD ti!0513F12C182A
Trapmine suspicious.low.ml.score
CTX exe.trojan.inject
Sophos Mal/Generic-S
FireEye Trojan.GenericKD.75591883
Jiangmin Trojan.PSW.Raccoon.bt
Google Detected
Avira TR/Injector.cvukx
Antiy-AVL Trojan/Win32.Inject
Kingsoft Win32.Trojan.Inject.pef
Microsoft Trojan:Win32/Wacatac.B!ml
ViRobot Trojan.Win.Z.Inject.10302976
GData Trojan.GenericKD.75591883
Varist W32/ABTrojan.QTAR-2884
AhnLab-V3 Trojan/Win.Malware-gen.C5722524
VBA32 BScope.TrojanPSW.Agent
DeepInstinct MALICIOUS
Malwarebytes Trojan.Injector
Ikarus Trojan-Dropper.WinGo.Agent
Panda Trj/Chgt.AD
TrendMicro-HouseCall Trojan.Win32.AMADEY.YXFAZZ
Tencent Win32.Trojan.Inject.Pzfl
huorong Trojan/Generic!E2D65DD360FB86AD