popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

casos.exe

Formbook Process Kill Generic Malware FindFirstVolume Malicious Library CryptGenKey
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 March 21, 2025, 9:09 a.m. March 21, 2025, 9:24 a.m.
Size 1.1MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 7e45d87c02e2f5736fb0bf91f0b5b71f
SHA256 edf37e0bd0e1f17910a8d4a30b8e1991ac38dc00bce926262309d1d061e981fd
CRC32 48F78CB7
ssdeep 24576:8u6J33O0c+JY5UZ+XC0kGso6FanUb5URTL3pxAmWY:mu0c++OCvkGs9FanqMTjAY
Yara
  • Malicious_Library_Zero - Malicious_Library
  • Process_Snapshot_Kill_Zero - Process Kill Zero
  • PE_Header_Zero - PE File Signature
  • FindFirstVolume_Zero - FindFirstVolume Zero
  • CryptGenKey_Zero - CryptGenKey Zero
  • Device_Check_Zero - Device Check Zero
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49191 -> 13.248.243.5:80 2221033 SURICATA HTTP Request abnormal Content-Encoding header Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x734c2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a4f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2632
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2728
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004720000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
description calc.exe tried to sleep 162 seconds, actually delayed analysis time by 162 seconds
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file C:\Users\test22\AppData\Local\Chromium\User Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data
file C:\Users\test22\AppData\Local\Temp\sqlite3.dll
file C:\Users\test22\AppData\Local\Temp\sqlite3.dll
section {u'size_of_data': u'0x0005a200', u'virtual_address': u'0x000c7000', u'entropy': 7.8924406416381885, u'name': u'.rsrc', u'virtual_size': u'0x0005a10c'} entropy 7.89244064164 description A section with a high entropy has been found
entropy 0.310374515712 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2636
thread_handle: 0x0000013c
process_identifier: 2632
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\casos.exe"
filepath_r: C:\Windows\System32\svchost.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000138
1 1 0
file C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file C:\Users\test22\AppData\Local\AVG\Browser\User Data
Process injection Process 2540 called NtSetContextThread to modify thread in remote process 2632
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 2095604
registers.edi: 0
registers.eax: 4199360
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000013c
process_identifier: 2632
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.AutoIt.4!c
Cynet Malicious (score: 99)
CAT-QuickHeal TrojanPWS.AutoIt.Zbot.S
Skyhigh BehavesLike.Win32.Formbook.tc
ALYac Trojan.GenericKD.76086617
Cylance Unsafe
VIPRE Trojan.GenericKD.76086617
Sangfor Virus.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Trojan.GenericKD.76086617
K7GW Trojan ( 005c2f651 )
K7AntiVirus Trojan ( 005c2f651 )
Arcabit Trojan.Generic.D488FD59
VirIT Trojan.Win32.AutoIt_Heur.L
Symantec Trojan.Malautoit!g7
Elastic malicious (high confidence)
ESET-NOD32 multiple detections
APEX Malicious
Avast Script:SNH-gen [Trj]
Kaspersky UDS:DangerousObject.Multi.Generic
Alibaba Trojan:Win32/AutoitInject.1ebf214d
MicroWorld-eScan Trojan.GenericKD.76086617
Rising Trojan.Injector/Autoit!1.1294D (CLASSIC)
Emsisoft Trojan.GenericKD.76086617 (B)
F-Secure Trojan.TR/AD.Swotter.njyml
DrWeb Trojan.AutoIt.1624
TrendMicro TROJ_GEN.R06CC0DCH25
McAfeeD ti!EDF37E0BD0E1
CTX exe.trojan.autoit
Sophos Troj/AutoIt-DHB
FireEye Trojan.GenericKD.76086617
Google Detected
Avira TR/AD.Swotter.njyml
Kingsoft malware.kb.a.836
Gridinsoft Ransom.Win32.Wacatac.sa
Microsoft Trojan:Win32/AutoitInject!rfn
ViRobot Trojan.Win.Z.Autoit.1190400.L
ZoneAlarm Troj/AutoIt-DHB
GData Trojan.GenericKD.76086617
Varist W32/AutoIt.QG.gen!Eldorado
AhnLab-V3 Trojan/AU3.Loader.S2988
McAfee Artemis!7E45D87C02E2
DeepInstinct MALICIOUS
Malwarebytes Backdoor.NetWiredRC.AutoIt.Generic
Ikarus Trojan.Autoit
Panda Trj/CI.A
Zoner Trojan.Win32.179540
TrendMicro-HouseCall TROJ_GEN.R06CC0DCH25
Tencent Script.Trojan.Generic.Ewnw