Summary | ZeroBOX

sek.exe

Malicious Library, UPX, OS Processor Check, PE32, PE File
Category FILE
Machine s1_win7_x6402
Started Aug. 6, 2021, 7:48 a.m.
Completed Aug. 6, 2021, 7:50 a.m.
Size 1.2MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ffd9d6d9adc6fed278781b57b8025099
SHA256 1668c886ee28fa9bd0f07972b6fc5d92b5dae54dd4625ba8c63c54e1c965ee6a
CRC32 7EEC5584
ssdeep 24576:s4lavt0LkLL9IMixoEgeatKIzYiiErB2VUTho1xWnrcVsq9MmCS:7kwkn9IMHeatKoCZUTgx2aPCS
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
888myrat.duckdns.org 78.189.177.240
IP Address Status Action
164.124.101.2 Active Moloch
78.189.177.240 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.102:63203 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.102:65038 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW
  computer_name: TEST22-PC
status 1, return 1, repeated 0

GetComputerNameW
  computer_name: TEST22-PC
status 1, return 1, repeated 0

Time & API Arguments Status Return Repeated

IsDebuggerPresent
0 0

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx
status 1, return 1, repeated 0
domain 888myrat.duckdns.org
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
  process_identifier: 1068
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x73cc2000
  process_handle: 0xffffffff
status 1, return 0, repeated 0
section .rsrc: virtual_address 0x000c4000, virtual_size 0x0007174c, size_of_data 0x00071800, entropy 7.9383426653705955; description A section with a high entropy has been found
entropy 0.360890302067 description Overall entropy of this PE file is high
wmi Select * from AntiVirusProduct
dead_host 78.189.177.240:4000
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
MicroWorld-eScan AIT:Trojan.Nymeria.2906
FireEye Generic.mg.ffd9d6d9adc6fed2
Qihoo-360 HEUR/QVM10.1.0C07.Malware.Gen
ALYac AIT:Trojan.Nymeria.2906
Cylance Unsafe
Cybereason malicious.9adc6f
Cyren W32/Agent.AFI.gen!Eldorado
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win32/Autoit.DB
APEX Malicious
ClamAV Txt.Malware.LodaRAT-9769386-0
Kaspersky HEUR:Backdoor.Script.LodaRat.a
BitDefender AIT:Trojan.Nymeria.2906
Avast AutoIt:KeyLogger-R [Trj]
Ad-Aware AIT:Trojan.Nymeria.2906
Sophos Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.TrojanAitInject.tc
Emsisoft AIT:Trojan.Nymeria.2906 (B)
Avira HEUR/AGEN.1100172
MAX malware (ai score=85)
Microsoft Program:Win32/Wacapew.C!ml
GData AIT:Trojan.Nymeria.2906 (2x)
Cynet Malicious (score: 100)
McAfee Artemis!FFD9D6D9ADC6
Malwarebytes MachineLearning/Anomalous.100%
Rising Backdoor.888Rat/Autoit!1.C8E3 (CLASSIC)
Ikarus Trojan.Win32.Autoit
eGambit Unsafe.AI_Score_95%
Fortinet AutoIt/Agent.DB!tr
BitDefenderTheta AI:Packer.7492DFF116
AVG AutoIt:KeyLogger-R [Trj]
CrowdStrike win/malicious_confidence_90% (D)
MaxSecure Trojan.Malware.300983.susgen