Summary | ZeroBOX

Setup12.exe

Emotet UPX ASPack Malicious Library PE64 PE File OS Processor Check PE32
Category FILE
Machine s1_win7_x6402
Started Sept. 17, 2021, 10:47 a.m.
Completed Sept. 17, 2021, 10:56 a.m.
Size 1.7MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 e0ef2cfe575206c8a60ddba16c3be2f5
SHA256 dd38ee7be4658da5bd9cec0830fe7528d8d31ac62922519e5a503a6ec1ea84a7
CRC32 BAF5BB64
ssdeep 24576:pAT8QE+kjTUxEyqpzGxFZDndblVcW2wCQONqmncGj9wMiw0HvrTJkIA36eoUnkRa:pAI+4JpzGZPVcfrU0iv52HPWY
Yara
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

IP Address Status Action
164.124.101.2 Active Moloch
186.2.171.3 Active Moloch
208.95.112.1 Active Moloch
45.136.151.102 Active Moloch
88.99.66.31 Active Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.102:49172 -> 88.99.66.31:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (none)
TCP 192.168.56.102:49171 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected

Suricata TLS

Flow | Version | Issuer | Subject | Fingerprint
192.168.56.102:49172 -> 88.99.66.31:443 | TLSv1 | C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.iplogger.org | 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb
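The SSLBL alert above is a match on the JA3 hash of the ClientHello the sample sent to 88.99.66.31:443, the iplogger.org connection shown in the TLS row. JA3 is the MD5 of five comma-separated fields pulled from the ClientHello: client version, cipher suites, extension types, supported groups and EC point formats, each list joined with "-" and GREASE values dropped. The block below is an added example written for this page, not ZeroBOX or Suricata code: it builds a constructed ClientHello (server name example.test and the cipher and extension lists are chosen for the demo, not taken from the sample) and derives the JA3 string and hash from the raw record bytes. The report does not include the sample's ClientHello, so the hash this prints is not the one SSLBL matched.

```python
import hashlib
import struct

# GREASE values (RFC 8701) never enter a JA3 string.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}

SUPPORTED_GROUPS = 0x000A   # extension carrying the "EllipticCurves" JA3 field
EC_POINT_FORMATS = 0x000B   # extension carrying the "EllipticCurvePointFormats" field


def build_client_hello(version, ciphers, extensions):
    """Wrap a ClientHello in a TLS record. Constructed test input, not the
    sample's real traffic. extensions: list of (type, raw_data_bytes)."""
    body = struct.pack(">H", version) + bytes(32)            # client_version, random
    body += b"\x00"                                           # empty session_id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                       # compression: null only
    ext_blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def ja3_from_record(record):
    """Parse a TLS handshake record holding a ClientHello and return
    (ja3_string, ja3_md5). Raises ValueError on anything else."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    p = 4                                                     # skip type + 3-byte length
    version = struct.unpack(">H", hs[p:p + 2])[0]             # JA3 uses client_version
    p += 2 + 32                                               # version, random
    p += 1 + hs[p]                                            # session_id
    cs_len = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                            # compression methods
    ext_types, curves, formats = [], [], []
    if p < len(hs):
        ext_len = struct.unpack(">H", hs[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p < end:
            etype, elen = struct.unpack(">HH", hs[p:p + 4])
            p += 4
            data = hs[p:p + elen]
            p += elen
            ext_types.append(etype)
            if etype == SUPPORTED_GROUPS:
                n = struct.unpack(">H", data[:2])[0]
                curves = [struct.unpack(">H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == EC_POINT_FORMATS:
                formats = list(data[1:1 + data[0]])

    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3 = ",".join([str(version), field(ciphers), field(ext_types), field(curves), field(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def demo_client_hello():
    """A constructed ClientHello with GREASE in every position JA3 must ignore."""
    sni = b"example.test"                                     # hypothetical server name
    extensions = [
        (0x0A0A, b""),                                        # GREASE extension
        (0x0000, struct.pack(">HBH", len(sni) + 3, 0, len(sni)) + sni),   # server_name
        (SUPPORTED_GROUPS, struct.pack(">HHHH", 6, 0x2A2A, 0x001D, 0x0017)),
        (EC_POINT_FORMATS, b"\x01\x00"),
        (0x000D, struct.pack(">H", 4) + b"\x04\x03\x08\x04"),  # signature_algorithms
    ]
    return build_client_hello(0x0303, [0x1A1A, 0xC02B, 0xC02F, 0x009C], extensions)


if __name__ == "__main__":
    s, h = ja3_from_record(demo_client_hello())
    print(s)   # 771,49195-49199-156,0-10-11-13,29-23,0
    print(h)
```

To reproduce the SSLBL hit from a pcap of the run, feed the first ClientHello record of the 49172 -> 443 flow to ja3_from_record and compare the hash against the SSLBL JA3 list; the Tofsee label in the alert is SSLBL's attribution of that hash, not something the hash itself encodes.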

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 c8 ef f0
exception.symbol: md8_8eus+0x9b82c
exception.instruction: mov dword ptr [eax], ecx
exception.module: md8_8eus.exe
exception.exception_code: 0xc0000005
exception.offset: 636972
exception.address: 0x49b82c
registers.esp: 1638276
registers.edi: 0
registers.eax: 0
registers.ebp: 1638292
registers.edx: 4831254
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
1 0 0
suspicious_features Connection to IP address | suspicious_request GET http://186.2.171.3/seemorebty/il.php?e=md8_8eus
suspicious_features POST method with no referer header | suspicious_request POST http://staticimg.youtuuee.com/api/?sid=236911&key=10e44f00f514089ad426f2df18ec0fd0
request GET http://186.2.171.3/seemorebty/il.php?e=md8_8eus
request GET http://ip-api.com/json/
request GET http://staticimg.youtuuee.com/api/fbtime
request POST http://staticimg.youtuuee.com/api/?sid=236911&key=10e44f00f514089ad426f2df18ec0fd0
request GET https://iplogger.org/ZhiS4
request POST http://staticimg.youtuuee.com/api/?sid=236911&key=10e44f00f514089ad426f2df18ec0fd0
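The two suspicious_features lines above are per-request heuristics: an HTTP host given as an IP literal, and a POST carrying no Referer. The ET POLICY alert adds a third, the external-IP lookup against ip-api.com. The block below is an added example written for this page, not the sandbox's own signature code: it applies those three heuristics to the request list above and folds the result into a per-host triage record that also collects the query parameters (sid, key, e) worth carrying into hunting. The URLs are the ones the report lists; the headers are constructed (the report only states that the POST had no Referer), the control request to shop.example.test is hypothetical, and the IP-lookup hosts other than ip-api.com are an analyst-maintained assumption.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# External-IP lookup services. ip-api.com is the one the ET POLICY rule fired on;
# the others are an analyst-maintained extension of the list (assumption).
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}


def host_is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_request(req):
    """Return the suspicious features of one request dict
    {'method': str, 'url': str, 'headers': dict}. Header names are
    compared case-insensitively."""
    parts = urlsplit(req["url"])
    host = (parts.hostname or "").lower()
    headers = {k.lower() for k in req.get("headers", {})}
    method = req["method"].upper()
    feats = []
    if host_is_ip_literal(host):
        feats.append("Connection to IP address")
    if method == "POST" and "referer" not in headers:
        feats.append("POST method with no referer header")
    if host in IP_LOOKUP_HOSTS:
        feats.append("External IP lookup")
    return feats


def summarize(requests):
    """Fold a request list into per-host triage records: feature set, request
    count and the query parameters seen (candidate campaign/victim identifiers)."""
    hosts = {}
    for req in requests:
        parts = urlsplit(req["url"])
        host = (parts.hostname or "").lower()
        rec = hosts.setdefault(host, {"features": set(), "count": 0, "params": {}})
        rec["count"] += 1
        rec["features"].update(flag_request(req))
        rec["params"].update({k: v[0] for k, v in parse_qs(parts.query).items()})
    return hosts


# The URLs are the ones the report lists. Headers are constructed (the report
# only says the POST carried no Referer); the last request is a hypothetical
# benign control that is not in the report.
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "http://186.2.171.3/seemorebty/il.php?e=md8_8eus", "headers": {}},
    {"method": "GET", "url": "http://ip-api.com/json/", "headers": {}},
    {"method": "GET", "url": "http://staticimg.youtuuee.com/api/fbtime", "headers": {}},
    {"method": "POST", "url": "http://staticimg.youtuuee.com/api/?sid=236911&key=10e44f00f514089ad426f2df18ec0fd0",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"method": "GET", "url": "https://iplogger.org/ZhiS4", "headers": {}},
    {"method": "POST", "url": "http://staticimg.youtuuee.com/api/?sid=236911&key=10e44f00f514089ad426f2df18ec0fd0",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"method": "POST", "url": "https://shop.example.test/cart",
     "headers": {"Referer": "https://shop.example.test/"}},
]


if __name__ == "__main__":
    for host, rec in summarize(SAMPLE_REQUESTS).items():
        print(host, rec["count"], sorted(rec["features"]), rec["params"])
```

The Referer heuristic is deliberately weak on its own (plenty of legitimate API clients omit it); its value here is the combination with a cleartext endpoint that receives the same sid/key pair twice and a first-contact lookup of the victim's public IP.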
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2488
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737d2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 61440
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2744
region_size: 73728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2916
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00380000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10927796224
free_bytes_available: 10927796224
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 36\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 65\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 62\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 3\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 24\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 75\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 98\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 28\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 93\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 92\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 97\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 47\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 74\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 21\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 83\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 17\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 69\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 50\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 57\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 63\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 66\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 34\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 80\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 84\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 77\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 64\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 8\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 31\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 4\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 35\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 6\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 72\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 13\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 53\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 23\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 25\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 61\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 82\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 7\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 12\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 95\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 22\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 70\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 73\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 18\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 56\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 55\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 49\Cookies
domain ip-api.com
file C:\Program Files (x86)\Company\NewProduct\Uninstall.exe
file C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
file C:\Program Files (x86)\Company\NewProduct\inst001.exe
file C:\Program Files (x86)\Company\NewProduct\cutm3.exe
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file C:\Program Files (x86)\Company\NewProduct\inst001.exe
file C:\Program Files (x86)\Company\NewProduct\cutm3.exe
file C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Program Files (x86)\Company\NewProduct\inst001.exe
parameters:
filepath: C:\Program Files (x86)\Company\NewProduct\inst001.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Program Files (x86)\Company\NewProduct\cutm3.exe
parameters:
filepath: C:\Program Files (x86)\Company\NewProduct\cutm3.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
parameters:
filepath: C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0
host 186.2.171.3
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x000004fc
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x000004fc
regkey_r: ProxyOverride
reg_type: 1 (REG_SZ)
value: 127.0.0.1:16107;
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
1 0 0
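The host-side behaviour in the sections above reduces to a handful of API-level patterns: PAGE_EXECUTE_READWRITE (64) commits and re-protections in three processes, opens of Chrome's Cookies and Login Data databases across dozens of profiles, three ShellExecuteExW launches of the dropped executables with show_type 0 (SW_HIDE), repeated lookups of SeShutdownPrivilege, and two RegSetValueExA writes to the WinINet proxy values ProxyEnable and ProxyOverride. The block below is an added example written for this page, not ZeroBOX's signature engine: a small Cuckoo-style signature set that runs those checks over an API trace. The trace it runs on is constructed from the calls the report shows; the NtCreateFile entries are an assumption about how the report's file-access lines were recorded, the PIDs on calls the report does not attribute are made up, and the PAGE_READWRITE allocation is a benign control.

```python
import re

PAGE_EXECUTE_READWRITE = 0x40            # the "protection: 64" value in the trace
SW_HIDE = 0                              # the "show_type: 0" passed to ShellExecuteExW
PROXY_VALUES = {"ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL"}
CHROME_STORES = {"Cookies", "Login Data", "Login Data-journal", "Web Data"}
CHROME_PROFILE_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\(Default|Profile \d+)\\([^\\]+)$", re.IGNORECASE)


def sig_rwx_memory(c):
    """Executable+writable memory committed or re-protected in-process."""
    return (c["api"] in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory")
            and bool(c["args"].get("protection", 0) & PAGE_EXECUTE_READWRITE))


def sig_proxy_settings_changed(c):
    """Write to a WinINet proxy value under ...\\Internet Settings."""
    if c["api"] not in ("RegSetValueExA", "RegSetValueExW"):
        return False
    key = c["args"].get("regkey", "")
    return "\\Internet Settings\\" in key and key.rsplit("\\", 1)[-1] in PROXY_VALUES


def sig_browser_credential_store_access(c):
    """Open of a Chrome profile's cookie, login or autofill database."""
    m = CHROME_PROFILE_RE.search(c["args"].get("filepath", ""))
    return bool(m) and m.group(2) in CHROME_STORES


def sig_hidden_child_process(c):
    """ShellExecuteExW with SW_HIDE: a child started without a visible window."""
    return c["api"] == "ShellExecuteExW" and c["args"].get("show_type") == SW_HIDE


def sig_shutdown_privilege(c):
    """Resolving SeShutdownPrivilege, the usual prelude to ExitWindowsEx."""
    return (c["api"] == "LookupPrivilegeValueW"
            and c["args"].get("privilege_name") == "SeShutdownPrivilege")


SIGNATURES = {
    "rwx_memory": (sig_rwx_memory, "medium"),
    "proxy_settings_changed": (sig_proxy_settings_changed, "high"),
    "browser_credential_store_access": (sig_browser_credential_store_access, "high"),
    "hidden_child_process": (sig_hidden_child_process, "medium"),
    "shutdown_privilege": (sig_shutdown_privilege, "low"),
}


def run_signatures(trace):
    """Evaluate every signature over the trace. Returns {name: {severity, count,
    pids[, profiles]}} for the signatures that matched at least one call."""
    hits = {}
    for name, (pred, severity) in SIGNATURES.items():
        matched = [c for c in trace if pred(c)]
        if not matched:
            continue
        info = {"severity": severity, "count": len(matched),
                "pids": sorted({c["pid"] for c in matched})}
        if name == "browser_credential_store_access":
            info["profiles"] = sorted({CHROME_PROFILE_RE.search(c["args"]["filepath"]).group(1)
                                       for c in matched})
        hits[name] = info
    return hits


def call(api, pid, **args):
    return {"api": api, "pid": pid, "args": args}


INSTALL = r"C:\Program Files (x86)\Company\NewProduct"
CHROME = r"C:\Users\test22\AppData\Local\Google\Chrome\User Data"

# Constructed trace (see the lead-in for which fields are taken from the report
# and which are assumptions).
SAMPLE_TRACE = [
    call("NtProtectVirtualMemory", 2488, protection=64, base_address=0x737d2000, length=4096),
    call("NtAllocateVirtualMemory", 2744, protection=64, base_address=0x004c0000, region_size=65536),
    call("NtAllocateVirtualMemory", 2744, protection=64, base_address=0x004d0000, region_size=61440),
    call("NtAllocateVirtualMemory", 2744, protection=64, base_address=0x004e0000, region_size=73728),
    call("NtAllocateVirtualMemory", 2916, protection=64, base_address=0x00380000, region_size=12288),
    call("NtAllocateVirtualMemory", 2916, protection=4, base_address=0x00390000, region_size=4096),
    call("RegSetValueExA", 2744, regkey=r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable", value=0),
    call("RegSetValueExA", 2744, regkey=r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride", value="127.0.0.1:16107;"),
    call("ShellExecuteExW", 2488, filepath=INSTALL + r"\inst001.exe", show_type=0),
    call("ShellExecuteExW", 2488, filepath=INSTALL + r"\cutm3.exe", show_type=0),
    call("ShellExecuteExW", 2488, filepath=INSTALL + r"\md8_8eus.exe", show_type=0),
    call("NtCreateFile", 2916, filepath=CHROME + r"\Default\Login Data"),
    call("NtCreateFile", 2916, filepath=CHROME + r"\Profile 36\Cookies"),
    call("NtCreateFile", 2916, filepath=CHROME + r"\Profile 65\Cookies"),
    call("NtCreateFile", 2916, filepath=r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"),
    call("LookupPrivilegeValueW", 2744, privilege_name="SeShutdownPrivilege"),
]


if __name__ == "__main__":
    for name, info in run_signatures(SAMPLE_TRACE).items():
        print(name, info)
```

On a real trace the profile count is the number to watch: a legitimate Chrome build touches the profiles the user actually has, while the report above opens Cookies in more than forty numbered profiles, which is the enumeration pattern of a stealer iterating every directory under User Data.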
Lionic Trojan.Win32.BadOffer.a!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.46918106
FireEye Trojan.GenericKD.46918106
CAT-QuickHeal Trojandownloader.Badoffer
ALYac Trojan.GenericKD.46918106
Cylance Unsafe
K7AntiVirus Trojan-Downloader ( 0057e0001 )
Alibaba TrojanBanker:Win32/Fabookie.3b752ff1
K7GW Trojan-Downloader ( 0057e0001 )
CrowdStrike win/malicious_confidence_100% (W)
BitDefenderTheta Gen:NN.ZexaF.34142.ny0@a8iWUxoi
Cyren W64/Agent.DKA.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 multiple detections
Kaspersky HEUR:Trojan-Downloader.Win32.BadOffer.gen
BitDefender Trojan.GenericKD.46918106
NANO-Antivirus Trojan.Win64.Fabookie.jagzxt
SUPERAntiSpyware Trojan.Agent/Gen-Dropper
Avast Win32:Malware-gen
Ad-Aware Trojan.GenericKD.46918106
Sophos Mal/Generic-S
Comodo Malware@#11gotk5nc68wv
DrWeb Trojan.MulDrop16.31196
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Dropper.tc
SentinelOne Static AI - Malicious PE
Emsisoft Trojan.GenericKD.46918106 (B)
APEX Malicious
eGambit Unsafe.AI_Score_99%
Avira TR/Dldr.Agent.lwlkv
Antiy-AVL Trojan/Generic.ASMalwS.240F387
Kingsoft Win32.Troj.Banker.(kcloud)
Gridinsoft Trojan.Win32.CoinMiner.vb!s8
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ViRobot Trojan.Win32.Z.Zusy.1818985
GData Win32.Trojan-Stealer.Predator.LWLSE9
Cynet Malicious (score: 99)
AhnLab-V3 Malware/Win.Generic.C4621850
McAfee Artemis!E0EF2CFE5752
MAX malware (ai score=88)
VBA32 Trojan.MulDrop
Malwarebytes Malware.AI.4132331207
Tencent Win32.Trojan-downloader.Badoffer.Akpb
Yandex Trojan.Blocker!OH3Aj8L7MuI
Ikarus Trojan.Win32.Crypt
MaxSecure Trojan-Ransom.Win32.Crypmod.zfq
Fortinet W32/BadOffer!tr.dldr
Webroot W32.Trojan.Gen
AVG Win32:Malware-gen