Summary | ZeroBOX

update201703280212.exe

UPX PE32 PE File
Category FILE
Machine s1_win7_x6402
Started May 13, 2021, 8:20 a.m.
Completed May 13, 2021, 8:25 a.m.
Size 546.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 3ccd1b5d4ea318d18cde4f03a6624679
SHA256 5b0a167d886fc4a3f6db12efc525f2a68df7132da2964fd4ccbe393701d9d254
CRC32 0D180D9A
ssdeep 12288:oY8+1sxs5qh9uycgoGnHB5l0XQyWiRmd18A40bCGi0rj8mp9ATPs:PdpDVgJHBv0geRmddx250v8GYPs
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
edgedl.me.gvt1.com 34.104.35.123
IP Address Status Action
142.250.207.67 Active Moloch
142.250.66.35 Active Moloch
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch
34.104.35.123 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49808 -> 142.250.207.67:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 34.104.35.123:80 -> 192.168.56.102:49809 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 34.104.35.123:80 -> 192.168.56.102:49809 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 192.168.56.102:49810 -> 142.250.66.35:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49811 -> 142.250.66.35:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 34.104.35.123:80 -> 192.168.56.102:49809 2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) Misc activity

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2 192.168.56.102:49808 -> 142.250.207.67:443
Issuer C=US, O=Google Trust Services, CN=GTS CA 1O1
Subject C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com
Fingerprint 15:69:6f:01:b7:7b:17:83:16:4d:11:27:0c:74:37:21:a4:81:88:55

TLS 1.2 192.168.56.102:49810 -> 142.250.66.35:443
Issuer C=US, O=Google Trust Services, CN=GTS CA 1O1
Subject C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com
Fingerprint 15:69:6f:01:b7:7b:17:83:16:4d:11:27:0c:74:37:21:a4:81:88:55

TLS 1.2 192.168.56.102:49811 -> 142.250.66.35:443
Issuer C=US, O=Google Trust Services, CN=GTS CA 1O1
Subject C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com
Fingerprint 15:69:6f:01:b7:7b:17:83:16:4d:11:27:0c:74:37:21:a4:81:88:55

resource name ZIP
suspicious_features POST method with no referer header
suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:804420565&cup2hreq=04b49ece93c885a4cd63aa4b6ee0ff8021674e6a856951fcd14dfae377c3f3d2
suspicious_features POST method with no referer header
suspicious_request POST https://update.googleapis.com/service/update2
request HEAD http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request GET http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request POST https://update.googleapis.com/service/update2?cup2key=10:804420565&cup2hreq=04b49ece93c885a4cd63aa4b6ee0ff8021674e6a856951fcd14dfae377c3f3d2
request POST https://update.googleapis.com/service/update2
request POST https://update.googleapis.com/service/update2?cup2key=10:804420565&cup2hreq=04b49ece93c885a4cd63aa4b6ee0ff8021674e6a856951fcd14dfae377c3f3d2
request POST https://update.googleapis.com/service/update2
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 5032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00510000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
status 1 return 0 repeated 0

NtProtectVirtualMemory

process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73771000
process_handle: 0xffffffff
status 1 return 0 repeated 0

NtProtectVirtualMemory

process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72da4000
process_handle: 0xffffffff
status 1 return 0 repeated 0

NtProtectVirtualMemory

process_identifier: 5032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
status 1 return 0 repeated 0
name ZIP language LANG_TURKISH filetype data sublanguage SUBLANG_DEFAULT offset 0x000515c8 size 0x0006076b
section UPX1 size_of_data 0x00087c00 virtual_address 0x00034000 virtual_size 0x00088000 entropy 7.797780400638962 description A section with a high entropy has been found
entropy 0.996330275229 description Overall entropy of this PE file is high
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
host 142.250.207.67
host 142.250.66.35
host 172.217.25.14
Bkav W32.AIDetectVM.malware1
FireEye Generic.mg.3ccd1b5d4ea318d1
McAfee Artemis!3CCD1B5D4EA3
Cylance Unsafe
Sangfor Malware
Alibaba Trojan:Win32/Fugrafa.95b51548
Cyren W32/Trojan.CSH.gen!Eldorado
APEX Malicious
Paloalto generic.ml
AegisLab Trojan.Win32.Generic.4!c
F-Secure Heuristic.HEUR/AGEN.1118742
DrWeb Trojan.DownLoad4.6872
McAfee-GW-Edition BehavesLike.Win32.Dropper.hc
Sophos Generic PUA BD (PUA)
Jiangmin AdWare.Generic.gssa
eGambit Unsafe.AI_Score_95%
Avira HEUR/AGEN.1118742
Antiy-AVL Trojan/Win32.Generic
Gridinsoft Trojan.Win32.Agent.vb!s2
Microsoft PUA:Win32/Presenoker
Cynet Malicious (score: 100)
VBA32 Trojan.Download
Yandex Trojan.GenAsa!DPzVoG23Lus
Ikarus Trojan.Fugrafa
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Generic_PUA_BD.KJ!tr
Qihoo-360 Win32/Trojan.419