Summary | ZeroBOX

dj.exe

Tags: Malicious Library, UPX, PE32, PE File
Category: FILE
Machine: s1_win7_x6401
Started: May 19, 2022, 11:10 a.m.
Completed: May 19, 2022, 11:20 a.m.
Size: 214.2KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: dd6738b8bd7f1450c7c21f6bd71b6fa2
SHA256: 58dc8fe3046450ddf0e00d1076440c4357f46a6829c41b85f8aa0345d51887c7
CRC32: DB310B54
ssdeep: 3072:VfY/TU9fE9PEtunb8z/nbBaC3oGfkmR5ooWj/+nswgLPoHp/kkUhfL0h3smO/v1g:ZYa6V8z/nNIGfkGoo8zNPKp0lQ5sF187
Yara
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.101:49167 -> 34.102.136.180:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.102.136.180:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.102.136.180:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 34.102.136.180:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 34.102.136.180:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 34.102.136.180:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 64.98.145.30:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 64.98.145.30:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 64.98.145.30:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 209.141.38.71:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 209.141.38.71:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 209.141.38.71:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 209.141.38.71:80 | 2031088 | ET HUNTING Request to .XYZ Domain with Minimal Headers | Potentially Bad Traffic

Suricata TLS

No Suricata TLS

API: GlobalMemoryStatusEx
status: 1
return: 1
repeated: 0
section: .ndata
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.fastonlineprescriptions.com/lt17/?jFN8ld=73rk+orgEpy27+zMAaMQJFeW88Y512m4PCXKYgKW50mcSxWU82Z5cEbtPVfpZQYZiaxiMB9D&Ppm=_0GDCjlXRtrXu
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.davispp.com/lt17/?jFN8ld=3vga1QHbs5IZQDecmeBRzvB7X4cN9V512nUQDaYLNb3NDtIUZSfjVgh1loWuVKPGH5opG13N&Ppm=_0GDCjlXRtrXu
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.ontopoetics.com/lt17/?jFN8ld=nZgEXS+oZtvzQ5r51wVjH6BjRJ2Rw1axQ+lriXHyh4vc/hxz0aIffk2tcbCYWJV+PA0U6TQR&Ppm=_0GDCjlXRtrXu
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.tzxc3441.xyz/lt17/?jFN8ld=CsYv+VTVNUh00Baw9JVYtpO333zQB1BV7Yd43ApDKy0wiwpbKszaan16DSpNCvzEWgZesUAC&Ppm=_0GDCjlXRtrXu
request: GET http://www.fastonlineprescriptions.com/lt17/?jFN8ld=73rk+orgEpy27+zMAaMQJFeW88Y512m4PCXKYgKW50mcSxWU82Z5cEbtPVfpZQYZiaxiMB9D&Ppm=_0GDCjlXRtrXu
request: GET http://www.davispp.com/lt17/?jFN8ld=3vga1QHbs5IZQDecmeBRzvB7X4cN9V512nUQDaYLNb3NDtIUZSfjVgh1loWuVKPGH5opG13N&Ppm=_0GDCjlXRtrXu
request: GET http://www.ontopoetics.com/lt17/?jFN8ld=nZgEXS+oZtvzQ5r51wVjH6BjRJ2Rw1axQ+lriXHyh4vc/hxz0aIffk2tcbCYWJV+PA0U6TQR&Ppm=_0GDCjlXRtrXu
request: GET http://www.tzxc3441.xyz/lt17/?jFN8ld=CsYv+VTVNUh00Baw9JVYtpO333zQB1BV7Yd43ApDKy0wiwpbKszaan16DSpNCvzEWgZesUAC&Ppm=_0GDCjlXRtrXu

API: NtProtectVirtualMemory
process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x739e2000
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

API: NtAllocateVirtualMemory
process_identifier: 2872
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0

API: NtAllocateVirtualMemory
process_identifier: 2936
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ba0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1
return: 0
repeated: 0
file: C:\Users\test22\AppData\Local\Temp\xbbljvli.exe

API: LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
status: 1
return: 1
repeated: 0
host: 172.67.188.70

API: NtAllocateVirtualMemory
process_identifier: 2936
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000f0
status: 1
return: 0
repeated: 0
Process injection: Process 2872 called NtSetContextThread to modify thread in remote process 2936

API: NtSetContextThread
registers.eip: 2003108292
registers.esp: 3800560
registers.edi: 0
registers.eax: 4321664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000ec
process_identifier: 2936
status: 1
return: 0
repeated: 0

API: CreateProcessInternalW
thread_identifier: 2876
thread_handle: 0x000001f4
process_identifier: 2872
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\xbbljvli.exe C:\Users\test22\AppData\Local\Temp\kviylkodr
filepath_r:
stack_pivoted: 0
creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE)
inherit_handles: 0
process_handle: 0x000001fc
status: 1
return: 1
repeated: 0

API: CreateProcessInternalW
thread_identifier: 2940
thread_handle: 0x000000ec
process_identifier: 2936
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\xbbljvli.exe
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\xbbljvli.exe C:\Users\test22\AppData\Local\Temp\kviylkodr
filepath_r: C:\Users\test22\AppData\Local\Temp\xbbljvli.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000000f0
status: 1
return: 1
repeated: 0

API: NtGetContextThread
thread_handle: 0x000000ec
status: 1
return: 0
repeated: 0

API: NtAllocateVirtualMemory
process_identifier: 2936
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000f0
status: 1
return: 0
repeated: 0

API: NtSetContextThread
registers.eip: 2003108292
registers.esp: 3800560
registers.edi: 0
registers.eax: 4321664
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000ec
process_identifier: 2936
status: 1
return: 0
repeated: 0

Antivirus
DrWeb: Trojan.Siggen17.52874
MicroWorld-eScan: Trojan.NSISX.Spy.Gen.2
FireEye: Generic.mg.dd6738b8bd7f1450
ALYac: Gen:Variant.Ulise.361632
Malwarebytes: Trojan.Injector
Sangfor: [NULLSOFT PIMP INSTALL SYSTEM2]
Alibaba: Trojan:Win32/Lokibot.3241a54f
K7GW: Trojan ( 00592f9f1 )
Cybereason: malicious.58a8f9
BitDefenderTheta: Gen:NN.ZexaE.34682.amW@aiLM1dg
Cyren: W32/Trojan.QQUK-5462
Symantec: ML.Attribute.HighConfidence
Elastic: malicious (high confidence)
ESET-NOD32: a variant of Win32/Injector.ERQS
TrendMicro-HouseCall: TROJ_FRS.0NA104EI22
Paloalto: generic.ml
Kaspersky: HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender: Trojan.NSISX.Spy.Gen.2
Avast: Win32:InjectorX-gen [Trj]
Tencent: Win32.Trojan-spy.Noon.Wtnj
Emsisoft: Trojan.NSISX.Spy.Gen.2 (B)
McAfee-GW-Edition: BehavesLike.Win32.Dropper.dc
Sophos: Mal/Generic-S
Ikarus: Trojan-Spy.Agent
Kingsoft: Win32.Troj.Undef.(kcloud)
Microsoft: Trojan:Win32/Lokibot.ANRF!MTB
ZoneAlarm: HEUR:Trojan-Spy.Win32.Noon.gen
GData: Gen:Variant.Ulise.361632
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win.NSISInject.R492809
Acronis: suspicious
McAfee: Artemis!DD6738B8BD7F
MAX: malware (ai score=80)
VBA32: BScope.Trojan.Winlock
Cylance: Unsafe
APEX: Malicious
Rising: Trojan.Injector!8.C4 (CLOUD)
SentinelOne: Static AI - Malicious PE
Fortinet: W32/Agent.ERNF!tr
AVG: Win32:InjectorX-gen [Trj]
CrowdStrike: win/malicious_confidence_90% (W)