Summary | ZeroBOX

mam.exe

OS Processor Check PE32 PE File
Category FILE
Machine s1_win7_x6401
Started June 24, 2021, 7:29 p.m.
Completed June 24, 2021, 8:41 p.m.
Size 502.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 17b10bd28b01f810e415e8fb5ca5bf76
SHA256 fee2a0956fd7d2b95cfcd3f46abaf29fb86c8b83d0ee9c756a023a994919072d
CRC32 CD778276
ssdeep 12288:wMHki40mzGDuTRb3z1bJbyqqiAYz98rNL4c7W6v:J14NUCX1NbrqyJ8pL4u
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)

IP Address Status Action
164.124.101.2 Active Moloch
206.17.147.207 Active Moloch
34.102.136.180 Active Moloch
60.241.27.76 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49202 -> 60.241.27.76:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49202 -> 60.241.27.76:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49202 -> 60.241.27.76:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 206.17.147.207:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 206.17.147.207:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 206.17.147.207:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.mvdbr.com/ffmi/?J2JDYR=amofOv4yX1iotyGi+sQOv/16D2mHPYDgYXuSvLbk2GCDXsp8bztb1FMcheYsggIMDO8fbI6w&BXEDF=Z0GD1V0hqLv
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.thesmileresidents.com/ffmi/?J2JDYR=pvyoAQMrZq8IIYqdiVFauXKb9dFvuJjEqbdG+MFyx4nLeFJbOcZVzLyC2PgLrkQOmQcX4svy&BXEDF=Z0GD1V0hqLv
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.jetfuels.info/ffmi/?J2JDYR=nAye7+VKj4umTRLWZtYhZdlE5jWuhy6CeliaDW7ZnB9bA+AC3hjx/7NKkFVqlVYemT9YIS3X&BXEDF=Z0GD1V0hqLv
request: GET http://www.mvdbr.com/ffmi/?J2JDYR=amofOv4yX1iotyGi+sQOv/16D2mHPYDgYXuSvLbk2GCDXsp8bztb1FMcheYsggIMDO8fbI6w&BXEDF=Z0GD1V0hqLv
request: GET http://www.thesmileresidents.com/ffmi/?J2JDYR=pvyoAQMrZq8IIYqdiVFauXKb9dFvuJjEqbdG+MFyx4nLeFJbOcZVzLyC2PgLrkQOmQcX4svy&BXEDF=Z0GD1V0hqLv
request: GET http://www.jetfuels.info/ffmi/?J2JDYR=nAye7+VKj4umTRLWZtYhZdlE5jWuhy6CeliaDW7ZnB9bA+AC3hjx/7NKkFVqlVYemT9YIS3X&BXEDF=Z0GD1V0hqLv
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d72000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2216
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x032a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
section: name .data, virtual_address 0x0000f000, virtual_size 0x0006cdbc, size_of_data 0x0006ae00, entropy 7.671776097251509
description: A section with a high entropy has been found
entropy: 0.852442671984
description: Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.37104356
FireEye Generic.mg.17b10bd28b01f810
CAT-QuickHeal Trojanspy.Noon
ALYac Trojan.GenericKD.37104356
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 003c36381 )
Alibaba TrojanSpy:Win32/Kryptik.95f2dfad
K7GW Trojan ( 003c36381 )
Cybereason malicious.1e04be
Arcabit Trojan.Generic.D2362AE4
BitDefenderTheta Gen:NN.ZexaF.34758.FuW@aax389ii
Cyren W32/Kryptik.EIF.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik.HLJA
APEX Malicious
Avast Win32:Malware-gen
Kaspersky HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender Trojan.GenericKD.37104356
Paloalto generic.ml
AegisLab Trojan.Win32.Noon.l!c
Ad-Aware Trojan.GenericKD.37104356
Sophos ML/PE-A
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0PFH21
McAfee-GW-Edition BehavesLike.Win32.Emotet.hc
Emsisoft Trojan.GenericKD.37104356 (B)
SentinelOne Static AI - Malicious PE
Jiangmin TrojanSpy.Noon.rkf
MaxSecure Trojan.Malware.300983.susgen
Avira TR/Crypt.Agent.xbvuv
Antiy-AVL Trojan/Generic.ASMalwS.3387AE4
Microsoft Trojan:Win32/Glupteba!ml
GData Trojan.GenericKD.37104356
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win.Generic.C4528172
Acronis suspicious
McAfee RDN/Generic.grp
MAX malware (ai score=89)
VBA32 TrojanSpy.Noon
Malwarebytes Malware.AI.1850730742
TrendMicro-HouseCall TROJ_GEN.R002C0PFH21
Rising Trojan.Kryptik!1.D6EE (CLASSIC)
Yandex Trojan.Kryptik!BQS2VC1mgIA
Ikarus Trojan.Inject
eGambit Unsafe.AI_Score_99%
Fortinet W32/PossibleThreat
AVG Win32:Malware-gen