Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 27, 2025, 9:18 a.m.	Feb. 27, 2025, 9:20 a.m.

Size	949.9KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5f41899fe8f7801b20885898e0f4c05a`
SHA256	`62f7943a38968bc1d92d0ea08c185bf01b6a8daf5812bb30e25899b9ada0daed`
CRC32	`2BB9B24D`
ssdeep	`24576:vnvJUgT/3hRWpul04R3qO/hCwZWHGIEIPURoWuVT:vvygTffWMlH6otkGI9sLuF`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) mzp_file_format - MZP(Delphi) file format UPX_Zero - UPX packed file

coinbase.exe "C:\Users\test22\AppData\Local\Temp\coinbase.exe"
776
- coinbase.tmp "C:\Users\test22\AppData\Local\Temp\is-KDSR0.tmp\coinbase.tmp" /SL5="$30028,721126,73216,C:\Users\test22\AppData\Local\Temp\coinbase.exe"
  2128
  - coinbase.exe "C:\Users\test22\AppData\Local\Temp\coinbase.exe" /VERYSILENT
    2224
    - coinbase.tmp "C:\Users\test22\AppData\Local\Temp\is-81201.tmp\coinbase.tmp" /SL5="$40028,721126,73216,C:\Users\test22\AppData\Local\Temp\coinbase.exe" /VERYSILENT
      2272
      - regsvr32.exe "regsvr32.exe" /s /i:INSTALL "C:\Users\test22\AppData\Roaming\\netapi32_2.ocx"
        2332

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Feb. 27, 2025, 9:18 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 27, 2025, 9:18 a.m.			0	0
IsDebuggerPresent Feb. 27, 2025, 9:18 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)

section	CODE
section	DATA
section	BSS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 27, 2025, 9:18 a.m.	stacktrace: coinbase+0x807a1 @ 0x4807a1 coinbase+0x986ab @ 0x4986ab BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedface exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1637928 registers.edi: 4523196 registers.eax: 1637928 registers.ebp: 1638008 registers.edx: 0 registers.ebx: 0 registers.esi: 2 registers.ecx: 7	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Feb. 27, 2025, 9:18 a.m.	process_identifier: 776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 27, 2025, 9:18 a.m.	process_identifier: 776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 27, 2025, 9:18 a.m.	process_identifier: 776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 27, 2025, 9:18 a.m.	process_identifier: 2128 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 27, 2025, 9:18 a.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 27, 2025, 9:18 a.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 27, 2025, 9:18 a.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 40960 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 27, 2025, 9:18 a.m.	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\is-EJ99J.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-EJ99J.tmp\_isetup\_isdecmp.dll
file	C:\Users\test22\AppData\Local\Temp\is-32AEQ.tmp\_isetup\_isdecmp.dll
file	C:\Users\test22\AppData\Local\Temp\is-32AEQ.tmp\_isetup\_shfoldr.dll

Creates a suspicious process (1 event)

cmdline

"regsvr32.exe" /s /i:INSTALL "C:\Users\test22\AppData\Roaming\\netapi32_2.ocx"

Drops an executable to the user AppData folder (4 events)

file	C:\Users\test22\AppData\Local\Temp\is-KDSR0.tmp\coinbase.tmp
file	C:\Users\test22\AppData\Local\Temp\is-EJ99J.tmp\_isetup\_RegDLL.tmp
file	C:\Users\test22\AppData\Local\Temp\is-EJ99J.tmp\_isetup\_isdecmp.dll
file	C:\Users\test22\AppData\Local\Temp\is-EJ99J.tmp\_isetup\_shfoldr.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Feb. 27, 2025, 9:18 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\coinbase.exe parameters: /VERYSILENT filepath: C:\Users\test22\AppData\Local\Temp\coinbase.exe	1	1	0

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExA Feb. 27, 2025, 9:18 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Elated Kangaroo_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Elated Kangaroo_is1	2
RegOpenKeyExA Feb. 27, 2025, 9:18 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Elated Kangaroo_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Elated Kangaroo_is1	2
RegOpenKeyExA Feb. 27, 2025, 9:18 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Elated Kangaroo_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Elated Kangaroo_is1	2
RegOpenKeyExA Feb. 27, 2025, 9:18 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Elated Kangaroo_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Elated Kangaroo_is1	2

File has been identified by 22 AntiVirus engines on VirusTotal as malicious (22 events)

Lionic	Trojan.Win32.Gatak.4!c
Skyhigh	BehavesLike.Win32.ObfuscatedPoly.dc
CrowdStrike	win/grayware_confidence_90% (W)
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/GenKryptik_AGen.AYM
Avast	Win32:CrypterX-gen [Trj]
Kaspersky	UDS:Trojan.Win32.Gatak.frt
Alibaba	Trojan:Win32/GenKryptik.995ed40f
Rising	Trojan.Kryptik!8.8 (CLOUD)
Zillya	Trojan.Gatak.Win32.419
McAfeeD	ti!62F7943A3896
Sophos	Mal/Generic-S
Google	Detected
Microsoft	Trojan:Win32/Wacatac.B!ml
Varist	W32/InstallMonster.GQ.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R692554
McAfee	Artemis!5F41899FE8F7
DeepInstinct	MALICIOUS
Ikarus	Win32.Outbreak
Panda	Trj/Genetic.gen
AVG	Win32:CrypterX-gen [Trj]
Paloalto	generic.ml

coinbase.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All