Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 18, 2025, 5:33 p.m.	Feb. 18, 2025, 5:37 p.m.

Size	4.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`454202e31bcf6ecb61ba74a4fd450b5e`
SHA256	`0c0e82d83e6408aaccc62261cdb246871c26767dd1728367c68a5537f94c334f`
CRC32	`C47292BA`
ssdeep	`98304:ZOONMFaUy/kuTICGYD48PHZv2bTjqVih/:ZNMFav/kUI5YDBP7e/`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) mzp_file_format - MZP(Delphi) file format UPX_Zero - UPX packed file

dlaos.exe "C:\Users\test22\AppData\Local\Temp\dlaos.exe"
2584
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.143.228.176	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Feb. 13, 2025, 9:40 a.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 13, 2025, 9:40 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 13, 2025, 9:39 a.m.	process_identifier: 2584 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 13, 2025, 9:39 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2025, 9:39 a.m.	process_identifier: 2584 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2025, 9:39 a.m.	process_identifier: 2584 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 13, 2025, 9:39 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f2f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2025, 9:40 a.m.	process_identifier: 2584 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 13, 2025, 9:40 a.m.	process_identifier: 2584 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 1130496 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01250000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2025, 9:40 a.m.	process_identifier: 2584 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x037b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 13, 2025, 9:33 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Steals private information from local Internet browsers (18 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Browser
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Secure Preferences

Foreign language identified in PE resource (6 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0022a530

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0022a530

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0022a530

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0022a530

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0022a530

size

0x00000468

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00498c60

size

0x0000004c

Creates executable files on the filesystem (14 events)

file	C:\ProgramData\WebView2CacheTmp\handle-main-world.93005d24.js
file	C:\ProgramData\WebView2CacheTmp\tracktor.39faf6eb.js
file	C:\ProgramData\WebView2CacheTmp\popup.100f6462.js
file	C:\ProgramData\WebView2CacheTmp\any-url-query-text.8d96bb67.js
file	C:\ProgramData\WebView2CacheTmp\static\background\index.js
file	C:\ProgramData\WebView2CacheTmp\script-injector.92f3fc68.js
file	C:\ProgramData\WebView2CacheTmp\grabber.e414ca58.js
file	C:\ProgramData\WebView2CacheTmp\contents.d42e7fcf.js
file	C:\ProgramData\WebView2CacheTmp\hides.19587cd2.js
file	C:\ProgramData\WebView2CacheTmp\redirect.aba114e6.js
file	C:\ProgramData\WebView2CacheTmp\iframe.739970f9.js
file	C:\ProgramData\WebView2CacheTmp\main-world.af72fae2.js
file	C:\ProgramData\WebView2CacheTmp\client-hub-main-world.26398054.js
file	C:\ProgramData\WebView2CacheTmp\porter.66760f70.js

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (28 events)

Time & API	Arguments	Status	Return
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: smss.exe process_identifier: 224	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: pw.exe process_identifier: 988	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: mobsync.exe process_identifier: 2284	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: pw.exe process_identifier: 2324	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: taskhost.exe process_identifier: 2368	1	1
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: dlaos.exe process_identifier: 2584	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x001f5e00', u'virtual_address': u'0x00001000', u'entropy': 7.660133426329825, u'name': u'CODE', u'virtual_size': u'0x001f5da8'}

entropy

7.66013342633

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0028a000', u'virtual_address': u'0x0020f000', u'entropy': 6.960482762351742, u'name': u'.rsrc', u'virtual_size': u'0x0028a000'}

entropy

6.96048276235

description

A section with a high entropy has been found

entropy

0.985456100952

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (20 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000110 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000114 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000118 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x0000011c process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000120 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000124 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000128 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x0000012c process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000130 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000134 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000138 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x0000013c process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000140 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000144 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000148 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x0000014c process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000150 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000154 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x00000158 process_name: dlaos.exe process_identifier: 2584		0	0
Process32NextW Feb. 13, 2025, 9:39 a.m.	snapshot_handle: 0x0000015c process_name: dlaos.exe process_identifier: 2584		0	0

Communicates with host for which no DNS query was performed (1 event)

host

185.143.228.176

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Lionic	Trojan.Win32.Delf.4!c
CAT-QuickHeal	Trojan.Ghanarava.1739423360450b5e
Skyhigh	BehavesLike.Win32.Dropper.rc
McAfee	Artemis!454202E31BCF
Cylance	Unsafe
VIPRE	Gen:Variant.Midie.161488
Sangfor	Trojan.Win32.Agent.Aq8i
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Variant.Midie.161488
Arcabit	Trojan.Midie.D276D0
VirIT	Trojan.Win32.DelphGen.HSL
Symantec	Trojan Horse
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
Kaspersky	Trojan.Win32.Delf.tmeg
Alibaba	Trojan:Win32/MalwareX.f9d341dd
NANO-Antivirus	Trojan.Win32.Upatre.kvojck
MicroWorld-eScan	Gen:Variant.Midie.161488
Rising	Downloader.Upatre!8.B5 (TFE:5:HvpiY4d6uRC)
Emsisoft	Gen:Variant.Midie.161488 (B)
TrendMicro	TROJ_GEN.R002C0DBH25
McAfeeD	ti!0C0E82D83E64
CTX	exe.trojan.delf
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
FireEye	Gen:Variant.Midie.161488
Google	Detected
Antiy-AVL	GrayWare/Win32.Wacapew
Kingsoft	Win32.Troj.Unknown.a
Microsoft	Trojan:Win32/Midie!MTB
GData	Gen:Variant.Midie.161488
Varist	W32/ABRisk.RBQA-6072
AhnLab-V3	Malware/Win.Generic.C5729362
VBA32	TScope.Trojan.Delf
DeepInstinct	MALICIOUS
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	TROJ_GEN.R002C0DBH25
MaxSecure	Trojan.Malware.324988187.susgen
Fortinet	W32/PossibleThreat
AVG	Win32:MalwareX-gen [Trj]
Paloalto	generic.ml

dlaos.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All