Summary | ZeroBOX

3003.exe

Tags: UPX, Malicious Library, PE File, DLL, OS Processor Check, PE32
Category Machine Started Completed
FILE s1_win7_x6401 July 27, 2021, 9:12 a.m. July 27, 2021, 9:23 a.m.
Size 56.0KB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 1609d18c06f71cd892d6fb524ecfc2ad
SHA256 9df54d4e8faccc9aff9d8ea76a8aaf9e1f64ef0e32dbe9904b4654cee4884e1e
CRC32 D2DFDFF6
ssdeep 768:tY0swb0Bhe4KC7ojVTH/EdJ2cTspywATkIOsKCljh:0wuKCchTMdJ6pKHbljh
Yara
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature

IP Address Status Action
104.21.78.28 Active Moloch
164.124.101.2 Active Moloch
172.67.200.215 Active Moloch
172.67.222.125 Active Moloch
208.95.112.1 Active Moloch
34.97.69.225 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49198 -> 172.67.222.125:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49207 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.101:49207 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.101:49207 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.101:49207 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected

Suricata TLS

Flow: TLSv1 192.168.56.101:49198 -> 172.67.222.125:443
Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint: 6e:af:7d:03:68:a7:53:bb:5d:6a:ab:d0:a0:25:76:e7:15:3c:7d:ae

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
packer Armadillo v1.71
suspicious_features POST method with no referer header suspicious_request POST http://by.dirfgame.com/report7.4.php
suspicious_features POST method with no referer header suspicious_request POST http://ol.gamegame.info/report7.4.php
request GET http://ip-api.com/json/?fields=8198
request POST http://by.dirfgame.com/report7.4.php
request POST http://ol.gamegame.info/report7.4.php
request GET https://live.goatgame.live/userf/dat/3003/sqlite.dat
request GET https://live.goatgame.live/userf/dat/sqlite.dll
request POST http://by.dirfgame.com/report7.4.php
request POST http://ol.gamegame.info/report7.4.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d7d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d00000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73771000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72da4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d21000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1760
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1760
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x021f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1760
region_size: 1052672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1760
region_size: 385024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01dc0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ce1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76891000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72cc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75111000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75241000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74f41000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1760
region_size: 319488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
domain ip-api.com
file C:\Users\test22\AppData\Local\Temp\sqlite.dll
file C:\Users\test22\AppData\Local\Temp\sqlite.dll
process rundll32.exe
Time & API Arguments Status Return Repeated

RegSetValueExW

key_handle: 0x00000124
regkey_r: 1
reg_type: 3 (REG_BINARY)
value: (REG_BINARY blob omitted)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{LJU50KX1-5I52-VT6Q-WSWM-U2Z9XL21ZV61}\1
1 0 0
Lionic Trojan.Win32.Ulise.4!c
DrWeb Trojan.Inject4.14513
MicroWorld-eScan Gen:Variant.Ulise.262572
FireEye Gen:Variant.Ulise.262572
ALYac Gen:Variant.Ulise.262572
Arcabit Trojan.Ulise.D401AC
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win32/TrojanDownloader.Agent.FTP
Paloalto generic.ml
BitDefender Gen:Variant.Ulise.262572
Avast Win32:MalwareX-gen [Trj]
Ad-Aware Gen:Variant.Ulise.262572
McAfee-GW-Edition Artemis!Trojan
Emsisoft Gen:Variant.Ulise.262572 (B)
Avira TR/Redcap.xmzlv
MAX malware (ai score=85)
Microsoft Trojan:Win32/Wacatac.B!ml
GData Gen:Variant.Ulise.262572
McAfee Artemis!1609D18C06F7
VBA32 Trojan.Inject
TrendMicro-HouseCall TROJ_GEN.R002H09GQ21
AVG Win32:MalwareX-gen [Trj]
Panda Trj/GdSda.A
Qihoo-360 Win32/Trojan.Generic.HgIASZEA
Time & API Arguments Status Return Repeated

IWbemServices_ExecMethod

inargs.CurrentDirectory: None
inargs.CommandLine: rundll32.exe "C:\Users\test22\AppData\Local\Temp\sqlite.dll",global
inargs.ProcessStartupInformation: None
outargs.ProcessId: 2664
outargs.ReturnValue: 0
flags: 0
method: Create
class: Win32_Process
1 0 0