Summary | ZeroBOX

lv.exe

NPKI Ficker Stealer Gen1 Malicious Library UPX PE File OS Processor Check PE32 DLL
Category Machine Started Completed
FILE s1_win7_x6402 July 9, 2021, 9:50 a.m. July 9, 2021, 9:58 a.m.
Size 1.3MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 036bee46548f543c263666d864125a60
SHA256 2ea8a6e52838153831b064c6c9a797705e3acc60cfe34bdb237cbd8a360cc73b
CRC32 514BF5D5
ssdeep 24576:ZBi1ZPMnPUr5e4hty7lBljBBDNGfbyRHlwLeILT8n0i2vFYBgwT6d9LZzyCvxH:S1ZEnPUr53ty7l3jBB0jyZlwPLsr2GB8
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
XnsXqNhtFOOIkJwpJXvSgU.XnsXqNhtFOOIkJwpJXvSgU
IP Address Status Action
172.67.188.154 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Microsoft Windows [Version 6.1.7601]
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Copyright (c) 2009 Microsoft Corporation. All rights reserved.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: if %userdomain%==DESKTOP-QO5QU33 exit 2
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: <nul set /p = "MZ" > Sai.exe.com
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: findstr /V /R "^eOTPybxfSDnddbthfAUjoedEzrkBUzRPDcAEenVFXQfgAFyMvnfMQnNqbfvwjSxmLIMVWAkREgfaMwrOYntvtyZyHAuMwUztcQDSTpQWhniBochvjIeNOXxFIGgvznPKVlXWnkUPIopGXbXjj$" Talismani.csv >> Sai.exe.com"
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: copy Discendere.csv V
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 1 file(s) copied.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: start Sai.exe.com V
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ping 127.0.0.1 -n 30
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000>
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Pinging 127.0.0.1
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: with 32 bytes of data:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74141000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75cc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74131000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2412
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74002000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x741a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x741a2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74211000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75cc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 86016
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02d61000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 155648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2808
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x741a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2808
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2808
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x741a2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2876
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x741a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2876
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2876
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x741a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2876
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2876
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 102400
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03f51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2876
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03f6a000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2876
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03f72000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2876
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03f74000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2876
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03f75000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2944
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e81000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 12548079616
root_path: C:\Users\test22\AppData\Local\Temp\7ZipSfx.000
total_number_of_bytes: 0
1 1 0
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Sai.exe.com
file C:\Program Files (x86)\foler\olader\acppage.dll
file C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe
file C:\Program Files (x86)\foler\olader\acledit.dll
file C:\Program Files (x86)\foler\olader\adprovider.dll
file C:\Users\test22\AppData\Local\Temp\nsmDB0F.tmp\UAC.dll
file C:\Users\test22\AppData\Local\Temp\New Feature\4.exe
cmdline "C:\Windows\System32\cmd.exe" /c cmd < Capace.csv
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Sai.exe.com
file C:\Users\test22\AppData\Local\Temp\nsmDB0F.tmp\UAC.dll
file C:\Users\test22\AppData\Local\Temp\New Feature\vpn.exe
file C:\Users\test22\AppData\Local\Temp\New Feature\4.exe
file C:\Users\test22\AppData\Local\Temp\7ZipSfx.000\Sai.exe.com
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /c cmd < Capace.csv
filepath: cmd
1 1 0
cmdline ping 127.0.0.1 -n 30
host 172.67.188.154
file C:\ProgramData\AVAST Software
file C:\ProgramData\AVG
Process injection Process 2720 resumed a thread in remote process 2808
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000134
suspend_count: 0
process_identifier: 2808
1 0 0
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Zillya Backdoor.Agent.Win32.79796
Sangfor Trojan.Win32.Save.a
Arcabit Trojan.Doina.D2A2B
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/ClipBanker.IR
APEX Malicious
Paloalto generic.ml
ClamAV Win.Packed.Filerepmalware-9864117-0
Kaspersky UDS:Trojan.Win32.Crypzip
BitDefender Gen:Variant.Doina.10795
MicroWorld-eScan Gen:Variant.Doina.10795
Avast Win32:Malware-gen
Ad-Aware Gen:Variant.Doina.10795
FireEye Gen:Variant.Doina.10795
Emsisoft Trojan.Crypt (A)
Ikarus Trojan-Spy.MSIL.Agent
Avira HEUR/AGEN.1140896
Microsoft Program:Win32/Wacapew.C!ml
ZoneAlarm HEUR:Trojan-PSW.Win32.Coins.gen
GData Gen:Variant.Doina.10795
ALYac Gen:Variant.Doina.10795
MAX malware (ai score=87)
Malwarebytes Malware.AI.4230390294
Rising Trojan.Kryptik!1.D7D4 (CLASSIC)
SentinelOne Static AI - Suspicious PE
BitDefenderTheta Gen:NN.ZexaE.34790.nr3@aCQvdHok
AVG Win32:Malware-gen
Cybereason malicious.1dbb7b
Qihoo-360 HEUR/QVM42.0.68E7.Malware.Gen