popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

hot.exe

Malicious Library UPX OS Processor Check PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 18, 2021, 11:17 a.m. Aug. 18, 2021, 11:28 a.m.
Size 633.5KB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 5fcbfeae2b818e9eab95723a87460401
SHA256 22a3ccdeb9ae4b196461cdb81c895ae891e2149af03e44b6ce86c2a1bf062947
CRC32 2A4AC423
ssdeep 12288:/U/Rmv+TmAXNzNxECRygNVl/GYlqPPMbQ4Z6hg0t9VoQigW:/Yme9P58gl/GhPPU5cgyX2
PDB Path C:\code\16\cal\Release\cal.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
www.rakennuspalveluporola.net
CNAME rakennuspalveluporola.net
A 34.102.136.180
34.102.136.180
www.numerologistreading.com
A 35.209.90.116
CNAME numerologistreading.com
35.209.90.116
www.mission-duplex.com
A 172.67.170.122
A 104.21.87.174
104.21.87.174
IP Address Status Action
104.21.19.200 Active Moloch
164.124.101.2 Active Moloch
172.67.170.122 Active Moloch
34.102.136.180 Active Moloch
35.209.90.116 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49202 -> 172.67.170.122:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49202 -> 172.67.170.122:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49202 -> 172.67.170.122:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 35.209.90.116:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 35.209.90.116:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49201 -> 35.209.90.116:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

pdb_path C:\code\16\cal\Release\cal.pdb
suspicious_features GET method with no useragent header suspicious_request GET http://www.numerologistreading.com/pjje/?EfBt4J58=KXVTcvbjXDD0gNgiMX+DPSy5YiGOmUOJbVJCTGBH734hiXpMW6Qv+6qjmAKa6Qo7kv8Emjmh&ohoXP=SzrlsD
suspicious_features GET method with no useragent header suspicious_request GET http://www.mission-duplex.com/pjje/?EfBt4J58=kmMGCOOuyZn/Q8N+atCeYTYJw4/WIfZPwWB6wlOMycBYg5A/spRsR9LEwaIQQxcsBMDpWJd1&ohoXP=SzrlsD
suspicious_features GET method with no useragent header suspicious_request GET http://www.rakennuspalveluporola.net/pjje/?EfBt4J58=tciR5RhO8AOzFF2Y0LHmIQxwfdqW3+4WiATtW4d/M7Ww/p8yIrAXWYz16zTljOVX4hXvSiko&ohoXP=SzrlsD
request GET http://www.numerologistreading.com/pjje/?EfBt4J58=KXVTcvbjXDD0gNgiMX+DPSy5YiGOmUOJbVJCTGBH734hiXpMW6Qv+6qjmAKa6Qo7kv8Emjmh&ohoXP=SzrlsD
request GET http://www.mission-duplex.com/pjje/?EfBt4J58=kmMGCOOuyZn/Q8N+atCeYTYJw4/WIfZPwWB6wlOMycBYg5A/spRsR9LEwaIQQxcsBMDpWJd1&ohoXP=SzrlsD
request GET http://www.rakennuspalveluporola.net/pjje/?EfBt4J58=tciR5RhO8AOzFF2Y0LHmIQxwfdqW3+4WiATtW4d/M7Ww/p8yIrAXWYz16zTljOVX4hXvSiko&ohoXP=SzrlsD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1896
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 192512
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c6c000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1896
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02280000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x0006ba00', u'virtual_address': u'0x0002b000', u'entropy': 7.667193248252193, u'name': u'.data', u'virtual_size': u'0x0006daa4'} entropy 7.66719324825 description A section with a high entropy has been found
entropy 0.680632411067 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 104.21.19.200
Lionic Trojan.Win32.Zusy.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Zusy.397809
FireEye Generic.mg.5fcbfeae2b818e9e
ALYac Gen:Variant.Zusy.397809
Malwarebytes Malware.AI.1850730742
Cybereason malicious.97d898
BitDefenderTheta Gen:NN.ZexaF.34088.NuW@aO6OU7mO
Cyren W32/Faker.AF.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/Formbook.AA
APEX Malicious
Paloalto generic.ml
BitDefender Gen:Variant.Zusy.397809
Avast FileRepMalware
Rising Trojan.Kryptik!1.D6EE (CLASSIC)
Ad-Aware Gen:Variant.Zusy.397809
McAfee-GW-Edition BehavesLike.Win32.Generic.jc
Sophos Mal/Generic-R
Webroot W32.Malware.Gen
MAX malware (ai score=87)
Gridinsoft Trojan.Win32.Kryptik.oa
GData Gen:Variant.Zusy.397809
Cynet Malicious (score: 100)
Acronis suspicious
TrendMicro-HouseCall TROJ_GEN.R002H0CHH21
SentinelOne Static AI - Malicious PE
Fortinet W32/Agent.FAA!tr
AVG FileRepMalware
Panda Trj/RnkBend.A
CrowdStrike win/malicious_confidence_100% (W)
MaxSecure Trojan.Malware.300983.susgen