Summary | ZeroBOX

3cc0e0be954dc849581f9ff1817647de.exe

Tags: Gen1, Generic Malware, Malicious Library, PE File, OS Processor Check, PE32, DLL

Category | Machine | Started | Completed
FILE | s1_win7_x6402 | Sept. 7, 2021, 12:18 p.m. | Sept. 7, 2021, 12:20 p.m.
Size 712.6KB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 adfe31c40569ca5b0b403f0ba3f7b24c
SHA256 68d1b6dbfc303f1949267ce03ac2164ee9cda951231e72e6a5e39a44764ebbf2
CRC32 98F57323
ssdeep 12288:CcXe9SLN+NH0khUZY+vcvw1jG8QYewwB9gL1xBliJZcaFh:CcO2Q2ZYuSoel9gLHBlyZcaj
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.102:49169 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected
TCP 192.168.56.102:49169 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected
TCP 192.168.56.102:49169 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected
TCP 192.168.56.102:49169 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.102:49172 -> 172.67.179.248:443 | C=US, O=Let's Encrypt, CN=R3 | CN=*.upstloans.net | 12:ed:3c:4a:ff:c2:a1:8d:83:7a:48:18:92:32:52:dc:a3:6f:83:f7
TLSv1 192.168.56.102:49170 -> 172.67.179.248:443 | C=US, O=Let's Encrypt, CN=R3 | CN=*.upstloans.net | 12:ed:3c:4a:ff:c2:a1:8d:83:7a:48:18:92:32:52:dc:a3:6f:83:f7
TLSv1 192.168.56.102:49174 -> 172.67.179.248:443 | C=US, O=Let's Encrypt, CN=R3 | CN=*.upstloans.net | 12:ed:3c:4a:ff:c2:a1:8d:83:7a:48:18:92:32:52:dc:a3:6f:83:f7
TLSv1 192.168.56.102:49173 -> 172.67.179.248:443 | None | None | None

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
packer Armadillo v1.71
suspicious_features POST method with no referer header suspicious_request POST https://a.upstloans.net/report7.4.php
suspicious_features POST method with no referer header suspicious_request POST https://b.upstloans.net/report7.4.php
request GET http://ip-api.com/json/?fields=8198
request GET http://crl.identrust.com/DSTROOTCAX3CRL.crl
request POST https://a.upstloans.net/report7.4.php
request POST https://b.upstloans.net/report7.4.php
request POST https://a.upstloans.net/report7.4.php
request POST https://b.upstloans.net/report7.4.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74bcc000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74130000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74041000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f01000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74042000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74ba1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2864
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f40000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01fe0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2864
region_size: 1052672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02030000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2864
region_size: 380928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76b61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74b81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76ba1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x765c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76f71000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2864
region_size: 311296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02140000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
domain ip-api.com
file C:\Users\test22\AppData\Local\Temp\api-ms-win-core-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\api-ms-win-core-namedpipe-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\axhub.dll
file C:\Users\test22\AppData\Local\Temp\api-ms-win-core-namedpipe-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\api-ms-win-core-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\axhub.dll
process rundll32.exe
Time & API Arguments Status Return Repeated

RegSetValueExW

key_handle: 0x00000124
regkey_r: 1
reg_type: 3 (REG_BINARY)
value: (REG_BINARY blob; the raw bytes are non-printable and are not reproduced here)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{LJU50KX1-5I52-VT6Q-WSWM-U2Z9XL21ZV61}\1
1 0 0
Time & API Arguments Status Return Repeated

IWbemServices_ExecMethod

inargs.CurrentDirectory: None
inargs.CommandLine: rUNdlL32.eXe "C:\Users\test22\AppData\Local\Temp\axhub.dll",main
inargs.ProcessStartupInformation: None
outargs.ProcessId: 2248
outargs.ReturnValue: 0
flags: 0
method: Create
class: Win32_Process
1 0 0
Lionic Trojan.Win32.Crypt.4!c
Elastic malicious (high confidence)
DrWeb Trojan.Inject4.13781
MicroWorld-eScan Trojan.GenericKD.37263539
FireEye Trojan.GenericKD.37263539
CAT-QuickHeal Trojan.Agent
ALYac Trojan.GenericKD.37263539
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.3399235
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Trojan:Win32/Kryptik.54869754
K7GW Trojan ( 0057f23b1 )
K7AntiVirus Trojan ( 0057f23b1 )
Cyren W32/Trojan.VJVU-7820
ESET-NOD32 a variant of Win32/Kryptik.HLQQ
APEX Malicious
Paloalto generic.ml
ClamAV Win.Packed.Zusy-9878432-0
Kaspersky HEUR:Trojan.Win32.Crypt.gen
BitDefender Trojan.GenericKD.37263539
NANO-Antivirus Trojan.Win32.Inject4.ixgvgd
Avast Win32:MalwareX-gen [Trj]
Ad-Aware Trojan.GenericKD.37263539
Sophos Mal/Generic-S
Comodo Malware@#2fm7k45x1wj9i
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R002C0PH221
McAfee-GW-Edition GenericRXPL-AM!ADFE31C40569
Emsisoft Trojan.Crypt (A)
Jiangmin Trojan.Crypt.fma
Webroot W32.Trojan.Gen
Avira TR/AD.Downloader.jqeqy
MAX malware (ai score=88)
Antiy-AVL Trojan/Generic.ASMalwS.340C0ED
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Gen.oa!s1
Microsoft Trojan:Win32/Multiverze
ViRobot Trojan.Win32.Z.Crypt.729724.C
GData Win32.Trojan.PSE.13QHYFZ
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.R431137
McAfee GenericRXPL-AM!ADFE31C40569
TACHYON Trojan/W32.Crypt.729724
VBA32 Trojan.Inject
Malwarebytes Trojan.Crypt
TrendMicro-HouseCall TROJ_GEN.R002C0PH221
Tencent Malware.Win32.Gencirc.10ce6651
Ikarus Trojan.Win32.Crypt
Fortinet PossibleThreat.MU
AVG Win32:MalwareX-gen [Trj]