popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

update_119189.exe

Generic Malware
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 March 16, 2021, 1:18 p.m. March 16, 2021, 1:18 p.m.
Size 286.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c362b1857c1e2f0cb9541126cb4a0ac3
SHA256 cc6f64bf2209cabfec2cda173f4cac371bf21798c59b02431e94bc0795d78174
CRC32 CF53F175
ssdeep 6144:auTQ7ehFcbqAIBtu7NVhlnel7q/TzKhecdQwfmMMMMiMMiE:auTRhFc9IBcpVhleNq//KhLyMMMMiMM
Yara
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • Generic_Malware_Zero - Generic Malware
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • HasRichSignature - Rich Signature Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1108
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 36864
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c24000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1108
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
name RT_CURSOR language LANG_TURKISH filetype data sublanguage SUBLANG_DEFAULT offset 0x026e8d50 size 0x00000134
name RT_CURSOR language LANG_TURKISH filetype data sublanguage SUBLANG_DEFAULT offset 0x026e8d50 size 0x00000134
name RT_ICON language LANG_TURKISH filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x026e8700 size 0x00000468
name RT_ICON language LANG_TURKISH filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x026e8700 size 0x00000468
name RT_ICON language LANG_TURKISH filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x026e8700 size 0x00000468
name RT_ICON language LANG_TURKISH filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x026e8700 size 0x00000468
name RT_ICON language LANG_TURKISH filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x026e8700 size 0x00000468
name RT_ICON language LANG_TURKISH filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x026e8700 size 0x00000468
name RT_ICON language LANG_TURKISH filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_DEFAULT offset 0x026e8700 size 0x00000468
name RT_DIALOG language LANG_TURKISH filetype data sublanguage SUBLANG_DEFAULT offset 0x026e9070 size 0x000000c8
name RT_STRING language LANG_TURKISH filetype data sublanguage SUBLANG_DEFAULT offset 0x026e9598 size 0x0000029c
name RT_STRING language LANG_TURKISH filetype data sublanguage SUBLANG_DEFAULT offset 0x026e9598 size 0x0000029c
name RT_STRING language LANG_TURKISH filetype data sublanguage SUBLANG_DEFAULT offset 0x026e9598 size 0x0000029c
name RT_ACCELERATOR language LANG_TURKISH filetype data sublanguage SUBLANG_DEFAULT offset 0x026e8bd0 size 0x00000030
name RT_GROUP_CURSOR language LANG_TURKISH filetype Lotus unknown worksheet or configuration, revision 0x1 sublanguage SUBLANG_DEFAULT offset 0x026e8e88 size 0x00000014
name RT_GROUP_CURSOR language LANG_TURKISH filetype Lotus unknown worksheet or configuration, revision 0x1 sublanguage SUBLANG_DEFAULT offset 0x026e8e88 size 0x00000014
name RT_GROUP_ICON language LANG_TURKISH filetype data sublanguage SUBLANG_DEFAULT offset 0x026e8b68 size 0x00000068
name RT_VERSION language LANG_TURKISH filetype data sublanguage SUBLANG_DEFAULT offset 0x026e8ea0 size 0x000001d0
section {u'size_of_data': u'0x0000ac00', u'virtual_address': u'0x00038000', u'entropy': 6.927151176995663, u'name': u'.data', u'virtual_size': u'0x026aa188'} entropy 6.927151177 description A section with a high entropy has been found
url http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url http://purl.org/rss/1.0/
url http://www.passport.com
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Hijack network configuration rule hijack_network
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Communication using dga rule network_dga
description Escalade priviledges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Steal credential rule cred_local
description Record Audio rule sniff_audio
description APC queue tasks migration rule migrate_apc
description Malware can spread east-west file rule spreading_file
description Malware can spread east-west using share drive rule spreading_share
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description Match Windows Inet API library declaration rule Str_Win32_Wininet_Library
description Match Windows Inet API call rule Str_Win32_Internet_API
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Ulise.187392
FireEye Generic.mg.c362b1857c1e2f0c
McAfee Artemis!C362B1857C1E
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:BotX-gen [Trj]
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Variant.Ulise.187392
Ad-Aware Gen:Variant.Ulise.187392
Sophos ML/PE-A
McAfee-GW-Edition BehavesLike.Win32.Generic.dh
Emsisoft Gen:Variant.Ulise.187392 (B)
MAX malware (ai score=82)
Microsoft Trojan:Win32/Glupteba!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Gen:Variant.Ulise.187392
Cynet Malicious (score: 100)
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.34608.rq0@aeppVPiG
Rising Malware.Heuristic!ET#91% (RDMK:cmRtazoc45L041q+t5nqz7HcuDRe)
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_78%
MaxSecure Trojan.Malware.300983.susgen
AVG Win32:BotX-gen [Trj]
CrowdStrike win/malicious_confidence_80% (D)
Qihoo-360 HEUR/QVM10.1.EA16.Malware.Gen