Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
04.19 08:04
5.26행사일정표.hwp.lnk
04.19 08:04
5.26행사일정표.hwp.lnk
04.18 11:04
launcher.hta
04.18 11:04
loader2.ps1
04.18 11:04
loader.ps1
04.18 11:04
snd16061.exe
04.18 11:04
outputs.exe
04.18 11:04
hwennedbestthingstodof...
04.18 08:04
1 Podgląd wpisu po zmi...
04.18 08:04
1 Podgląd wpisu po zmi...

Latest News
04.19 09:04
하트-하트재단, ‘제3회 하트하트음악콩쿠...
04.19 09:04
OHSOPH, 봄 뷰티 트렌드 반영한 톤...
04.19 09:04
IT Sicherheitsnews tae...
04.19 09:04
IT Sicherheitsnews tae...
04.19 08:04
Robot Picks Fruit and ...
04.19 08:04
Tesla to Delay Product...
04.19 07:04
HR Chatbots, MITRE, 4c...
04.19 07:04
Alarms sound over atta...
04.19 07:04
HHS fines Guam hospita...
04.19 07:04
Suchen ohne KI-Zusamme...

Summary | ZeroBOX

001.exe

NSIS Malicious Library UPX PE File DLL PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 15, 2025, 9:38 a.m.	April 15, 2025, 9:40 a.m.

Size	465.7KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`c37235367c898eca6efefd178b37073c`
SHA256	`dae238e356a89cd2b4ab0efa82eea9091ef45d172cd8421bfcce70672da80c23`
CRC32	`B8101C29`
ssdeep	`12288:STXGVdXAbVwq/EdccVAAnJ1RhTVZw0kS4lKLkbZydLP:STXGVdXqmq2AAnrRhJZw9S4ltoP`
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer IsPE32 - (no description) UPX_Zero - UPX packed file

001.exe "C:\Users\test22\AppData\Local\Temp\001.exe"
2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 15, 2025, 9:38 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 15, 2025, 9:38 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d62000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory April 15, 2025, 9:38 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e35000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 15, 2025, 9:38 a.m.	process_identifier: 2544 region_size: 61775872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03910000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0	0

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsnF1B4.tmp\System.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsnF1B4.tmp\System.dll

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Bkav	W32.AIDetectMalware
Skyhigh	BehavesLike.Win32.Dropper.gc
Cylance	Unsafe
Sangfor	Trojan.Win32.Agent.Vpki
CrowdStrike	win/malicious_confidence_90% (D)
Symantec	Packed.NSISPacker!g14
Elastic	malicious (high confidence)
APEX	Malicious
Avast	NSIS:MalwareX-gen [Misc]
Kaspersky	HEUR:Trojan.Win32.Makoob.gen
McAfeeD	ti!DAE238E356A8
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.makoob
Sophos	Mal/Generic-S
Google	Detected
Antiy-AVL	Trojan/Win32.Makoob.gen
Kingsoft	malware.kb.a.943
Microsoft	Trojan:Win32/Sonbokli.A!cl
McAfee	Artemis!C37235367C89
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.3868741200
Ikarus	Win32.Outbreak
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.GULOADER.YXFDNZ
Fortinet	NSIS/Injector.DRX!tr
AVG	NSIS:MalwareX-gen [Misc]
Paloalto	generic.ml