popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

mz.exe

Malicious Library UPX OS Processor Check PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Aug. 9, 2021, 11:23 a.m. Aug. 9, 2021, 11:28 a.m.
Size 672.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 05484e3762e29ecdc0ac0fe66b518b35
SHA256 d1d38dad990cfc9935779ec4bdab67ebf2bcdfaddd999a2e24642f6628bcc0ce
CRC32 01FDF516
ssdeep 12288:veD27Sdt6DA+v7tdOm0rFczvPE7QlSEvB:hSbsA+vu7FczvPeQlSEp
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
gg.csgohvh.cc
IP Address Status Action
139.196.224.137 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.102:63203 -> 164.124.101.2:53 2027758 ET DNS Query for .cc TLD Potentially Bad Traffic
TCP 192.168.56.102:49161 -> 139.196.224.137:8080 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic

Suricata TLS

No Suricata TLS

packer Armadillo v1.71
suspicious_features Connection to IP address suspicious_request GET http://139.196.224.137:8080/NetSyst96.dll
request GET http://139.196.224.137:8080/NetSyst96.dll
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 3203072
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2088
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 237568
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x1030f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 3203072
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 237568
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x1030f000
process_handle: 0xffffffff
1 0 0
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00054650 size 0x00000128
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00054650 size 0x00000128
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000542a8 size 0x000000bc
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000542a8 size 0x000000bc
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00054a60 size 0x0000003a
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00054778 size 0x00000022
name RT_VERSION language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x000547a0 size 0x000002c0
file C:\Program Files\AppPatch\NetSyst96.dll
Time & API Arguments Status Return Repeated

CreateServiceA

 service_start_name:
start_type: 2
password:
display_name: Siosxf vcvilptcryjhsgvfxd
filepath: C:\Program Files (x86)\Microsoft Ndzdiq\Dtzdiqv.exe
service_name: Wstxck arkxquir
filepath_r: C:\Program Files (x86)\Microsoft Ndzdiq\Dtzdiqv.exe
desired_access: 983551
service_handle: 0x005db798
error_control: 0
service_type: 272
service_manager_handle: 0x005db6f8
1 6141848 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 139.196.224.137
service_name Wstxck arkxquir service_path C:\Program Files (x86)\Microsoft Ndzdiq\Dtzdiqv.exe
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader36.59104
MicroWorld-eScan Trojan.Cud.Gen.1
FireEye Generic.mg.05484e3762e29ecd
CAT-QuickHeal Trojan.Redosdru.18844
Cylance Unsafe
Zillya Downloader.Agent.Win32.335022
K7AntiVirus Trojan-Downloader ( 004fefdf1 )
K7GW Trojan-Downloader ( 004fefdf1 )
Cybereason malicious.762e29
BitDefenderTheta Gen:NN.ZexaF.34058.Qq3@aGEzvJhb
Symantec Downloader!gm
ESET-NOD32 a variant of Win32/TrojanDownloader.Agent.CWO
APEX Malicious
ClamAV Win.Downloader.Farfli-6453698-0
Kaspersky HEUR:Backdoor.Win32.Generic
BitDefender Trojan.Cud.Gen.1
Avast Win32:Malware-gen
Tencent Malware.Win32.Gencirc.10b77a37
Ad-Aware Trojan.Cud.Gen.1
Comodo TrojWare.Win32.TrojanDownloader.Farfli.CWO@7k0rzk
TrendMicro BKDR_ZEGOST.SM17
McAfee-GW-Edition Farfli!05484E3762E2
Emsisoft Trojan.Cud.Gen.1 (B)
SentinelOne Static AI - Suspicious PE
Jiangmin Backdoor.Generic.ajkp
Avira HEUR/AGEN.1111749
MAX malware (ai score=87)
Antiy-AVL Trojan/Generic.ASMalwS.203D8BE
Microsoft TrojanDownloader:Win32/Farfli.F!bit
Arcabit Trojan.Cud.Gen.1
ZoneAlarm HEUR:Backdoor.Win32.Generic
GData Trojan.Cud.Gen.1
Cynet Malicious (score: 99)
AhnLab-V3 Malware/Win32.RL_Generic.R369242
McAfee Farfli!05484E3762E2
TACHYON Backdoor/W32.Agent.688196
VBA32 BScope.TrojanDownloader.Farfli
Malwarebytes Backdoor.Farfli
TrendMicro-HouseCall BKDR_ZEGOST.SM17
Rising Downloader.Agent!1.ABFC (CLASSIC)
Yandex Trojan.GenAsa!6HyyeQhbdKM
Ikarus Trojan-Downloader.Win32.Farfli
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Kryptik.GHFL!tr
AVG Win32:Malware-gen
Panda Trj/Genetic.gen
CrowdStrike win/malicious_confidence_60% (D)
Qihoo-360 HEUR/QVM07.1.1CE7.Malware.Gen