Summary | ZeroBOX

123.exe

Malicious Library, Downloader, Antivirus, HTTP, ScreenShot, Create Service, KeyLogger, Internet API, P2P, DGA, Hijack Network, Http API, persistence, FTP, Socket, Escalate privileges, DNS, Code injection, Sniff Audio, Steal credential, AntiDebug, PE64, PE File, AntiVM, PE32
Category FILE
Machine s1_win7_x6401
Started Sept. 20, 2021, 9:32 a.m.
Completed Sept. 20, 2021, 9:40 a.m.
Size 1.5MB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 7924c098f35b7ff9e2deb0be7ee0151f
SHA256 7cc46214e11a0cdddcd0d0ccc9565242024236c829c8bc564b8c874a16f6ec20
CRC32 7F9CEFF0
ssdeep 24576:85PK8YPFIBmSxiPp5PXV98EOTxoyZIjzmm9DkZcvDRfdBISr:GKdMFQPp59bOT5ijzpvvPBISr
Yara
  • Antivirus - Contains references to security software
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)

Name PQIFjaOJTDFRabgPYCgLtWFACo.PQIFjaOJTDFRabgPYCgLtWFACo
IP Address 164.124.101.2 (Status Active, Action Moloch)

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x772840f2
EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x77284736
RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x77285942
RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x772875f4
RtlIsDosDeviceName_U+0x1420f NtdllDialogWndProc_A-0x1a55d ntdll+0x6dc8f @ 0x7722dc8f
HeapFree+0xa BaseSetLastNTError-0x16 kernel32+0x2307a @ 0x76e6307a
giudichera+0x3b1cc @ 0x13f42b1cc
giudichera+0x7f1e5 @ 0x13f46f1e5
giudichera+0x6b966 @ 0x13f45b966
giudichera+0x4cf75 @ 0x13f43cf75
giudichera+0x8927 @ 0x13f3f8927
giudichera+0x8979 @ 0x13f3f8979
giudichera+0x8907 @ 0x13f3f8907
giudichera+0x8979 @ 0x13f3f8979
giudichera+0x8979 @ 0x13f3f8979
giudichera+0x16f4a @ 0x13f406f4a
giudichera+0x11b0c @ 0x13f401b0c
giudichera+0x1653d @ 0x13f40653d
giudichera+0x5fc21 @ 0x13f44fc21
giudichera+0xff33 @ 0x13f3fff33
giudichera+0x11ec9 @ 0x13f401ec9
giudichera+0x1199e @ 0x13f40199e
giudichera+0x3c06 @ 0x13f3f3c06
giudichera+0x2b21 @ 0x13f3f2b21
giudichera+0x251d6 @ 0x13f4151d6
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76e5652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x771ec521

exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00
exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2
exception.instruction: jmp 0x772840f4
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 803058
exception.address: 0x772840f2
registers.r14: 0
registers.r15: 0
registers.rcx: 6023040
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 6159504
registers.r11: 646
registers.r8: 2020404745263130925
registers.r9: 245032040
registers.rdx: 1999615056
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2004624081
registers.r13: 0
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000735bc000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000735bc000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000735bc000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1240
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000b70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\CfwsVStDRa\yjrZRYDkDUTY.js
file C:\Users\test22\AppData\Roaming\Giudichera.exe.com
file C:\Users\test22\AppData\Local\Temp\nsy6693.tmp\nsExec.dll
file C:\Users\test22\AppData\Roaming\CfwsVStDRa\XcpyUaDvAz.exe.com
file C:\Users\test22\AppData\Local\Temp\nsy6693.tmp\nsExec.dll
section .rsrc (virtual_address 0x00038000, virtual_size 0x0000a50c, size_of_data 0x0000a600, entropy 7.375472351296549) entropy 7.3754723513 description A section with a high entropy has been found
entropy 0.56462585034 description Overall entropy of this PE file is high
url http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url http://purl.org/rss/1.0/
url http://www.passport.com
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Escalate privileges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description Hijack network configuration rule Hijack_Network
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description Steal credential rule local_credential_Steal
description File Downloader rule Network_Downloader
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Install itself for autorun at Windows startup rule Persistence
cmdline ping localhost
buffer Buffer with sha1: e6d34ebe9a2335138dbede4d75517e47940744d2
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 471040
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000090000
process_handle: 0x00000000000001f8
1 0 0
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XcpyUaDvAz.url
Process injection Process 1240 manipulating memory of non-child process 2260
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 471040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
base_address: 0x0000000000090000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000000000001f8
1 0 0

NtProtectVirtualMemory

process_identifier: 2260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 471040
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000090000
process_handle: 0x00000000000001f8
1 0 0
Process injection Process 1240 injected into non-child 2260
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: ÿÿÿÿÿÿÿÿ Nÿþûÿÿ(üÿÿPýÿÿ€›mèÿÿ €óýÿÿ±
base_address: 0x000007fffffdf000
process_identifier: 2260
process_handle: 0x00000000000001f8
1 1 0
Bkav W32.AIDetect.malware2
Lionic Trojan.Multi.Generic.4!c
Elastic malicious (high confidence)
Cylance Unsafe
Alibaba Backdoor:Win32/Generic.53f9bb43
Cybereason malicious.662b13
APEX Malicious
Paloalto generic.ml
Kaspersky Backdoor.Win32.Agent.myudsu
Avast Win32:Malware-gen
McAfee-GW-Edition BehavesLike.Win32.Dropper.tc
Kingsoft Win32.Hack.Agent.(kcloud)
ZoneAlarm Backdoor.Win32.Agent.myudsu
Microsoft Trojan:Win32/Wacatac.B!ml
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win.Generic.C4629929
McAfee Artemis!7924C098F35B
AVG Win32:Malware-gen
CrowdStrike win/malicious_confidence_70% (W)
Process injection Process 1240 called NtSetContextThread to modify thread in remote process 2260
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.r14: 0
registers.r15: 0
registers.rcx: 727244
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 5307912
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rip: 1998505216
registers.rdx: 8796092887040
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
thread_handle: 0x00000000000001f0
process_identifier: 2260
1 0 0
Process injection Process 2888 resumed a thread in remote process 3028
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000094
suspend_count: 0
process_identifier: 3028
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 3016
thread_handle: 0x000001f4
process_identifier: 1836
current_directory:
filepath:
track: 1
command_line: "cmd" /c cmd < Piccola.midi
filepath_r:
stack_pivoted: 0
creation_flags: 16 (CREATE_NEW_CONSOLE)
inherit_handles: 1
process_handle: 0x000001f8
1 1 0

CreateProcessInternalW

thread_identifier: 2936
thread_handle: 0x0000008c
process_identifier: 2888
current_directory: C:\Users\test22\AppData\Roaming
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: cmd
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0

CreateProcessInternalW

thread_identifier: 2932
thread_handle: 0x00000090
process_identifier: 1048
current_directory: C:\Users\test22\AppData\Roaming
filepath: C:\Windows\System32\findstr.exe
track: 1
command_line: findstr /V /R "^HxNAhHnzgccRfiRyBQUbbGFPSqZOowPRbjMUyXAssdZVpvNXNjCWIBZwOYHhHJljFDxrxWqDdCuiGKGvjewWmTpVhLyudhJHyMfFeKCQkYGycR$" Declinante.midi
filepath_r: C:\Windows\system32\findstr.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000009c
1 1 0

CreateProcessInternalW

thread_identifier: 2672
thread_handle: 0x00000094
process_identifier: 3028
current_directory:
filepath: C:\Users\test22\AppData\Roaming\Giudichera.exe.com
track: 1
command_line: Giudichera.exe.com M
filepath_r: C:\Users\test22\AppData\Roaming\Giudichera.exe.com
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000009c
1 1 0

NtResumeThread

thread_handle: 0x00000094
suspend_count: 0
process_identifier: 3028
1 0 0

CreateProcessInternalW

thread_identifier: 1456
thread_handle: 0x0000009c
process_identifier: 1892
current_directory: C:\Users\test22\AppData\Roaming
filepath: C:\Windows\System32\PING.EXE
track: 1
command_line: ping localhost
filepath_r: C:\Windows\system32\PING.EXE
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 2660
thread_handle: 0x000000000000011c
process_identifier: 2312
current_directory: C:\Users\test22\AppData\Roaming
filepath:
track: 1
command_line: C:\Users\test22\AppData\Roaming\Giudichera.exe.com M
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000000000000120
1 1 0

CreateProcessInternalW

thread_identifier: 2144
thread_handle: 0x0000000000000110
process_identifier: 1240
current_directory: C:\Users\test22\AppData\Roaming
filepath:
track: 1
command_line: C:\Users\test22\AppData\Roaming\Giudichera.exe.com M
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000000000000114
1 1 0

CreateProcessInternalW

thread_identifier: 540
thread_handle: 0x00000000000001f0
process_identifier: 2260
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Roaming\Giudichera.exe.com
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000000000001f8
1 1 0

NtGetContextThread

thread_handle: 0x00000000000001f0
1 0 0

NtAllocateVirtualMemory

process_identifier: 2260
region_size: 471040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
base_address: 0x0000000000090000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000000000001f8
1 0 0

WriteProcessMemory

buffer:
base_address: 0x0000000000090000
process_identifier: 2260
process_handle: 0x00000000000001f8
1 1 0

WriteProcessMemory

buffer: ÿÿÿÿÿÿÿÿ Nÿþûÿÿ(üÿÿPýÿÿ€›mèÿÿ €óýÿÿ±
base_address: 0x000007fffffdf000
process_identifier: 2260
process_handle: 0x00000000000001f8
1 1 0

NtSetContextThread

registers.r14: 0
registers.r15: 0
registers.rcx: 727244
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 5307912
registers.r11: 0
registers.r8: 0
registers.r9: 0
registers.rip: 1998505216
registers.rdx: 8796092887040
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 0
registers.r13: 0
thread_handle: 0x00000000000001f0
process_identifier: 2260
1 0 0