popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

po kipo000903 ( kind122822 ).exe

Malicious Library UPX OS Processor Check PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 May 19, 2022, 11:11 a.m. May 19, 2022, 11:13 a.m.
Size 198.6KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 22bde89a8afcad7436370bcbc8a6b1ea
SHA256 d2c7dcc32790d18dbc53c496d2fc1fc26ba7ed11cd018ab9baa0b58108077b72
CRC32 49053A9C
ssdeep 6144:ZYa6VWVy9U9kxdLqj6qrc1fd5NZfQQRE32bZA:ZYDWVCUSLqj6qrch5eQR7ZA
Yara
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49168 -> 213.186.33.5:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 213.186.33.5:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 213.186.33.5:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 156.241.118.187:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 156.241.118.187:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 203.146.252.150:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 156.241.118.187:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 203.146.252.150:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 203.146.252.150:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 208.91.197.91:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 208.91.197.91:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 208.91.197.91:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 34.102.136.180:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.102:49176 -> 209.74.108.198:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 162.0.216.71:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 162.0.216.71:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 162.0.216.71:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 103.224.182.242:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 103.224.182.242:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 103.224.182.242:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 104.21.73.18:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 104.21.73.18:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 104.21.73.18:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.manly-inc.net/tgdh/?oXL=T2hyiT4yGRSJySXgvQ92ynvHZeFzcAvRrmHKTRNyhOIVdtUvfNniaBMnD2YE3Kp/ivsTupKs&GFNL6=9rzX0zMPGJe
suspicious_features GET method with no useragent header suspicious_request GET http://www.progress-storage.com/tgdh/?oXL=1JFI+sqiJ53F/4r74AU6bnX0zMJGF2EjLTuIZSF/OAKO4l5yELQ4TKKxTaKAtUH5lAUlWY7l&GFNL6=9rzX0zMPGJe
suspicious_features GET method with no useragent header suspicious_request GET http://www.lychee.solutions/tgdh/?oXL=UlKbuswi2Y15wEsv3lQ89d1PQ+7W2P8S37KfK5fMXAO8xBwAZ7A9X+0QBphQ8KC7Yj0SKJjN&GFNL6=9rzX0zMPGJe
suspicious_features GET method with no useragent header suspicious_request GET http://www.youruaect.com/tgdh/?oXL=tZMPgU44/UyTvdlqydmrTmAWwCRIROfEbKPJDsOmrPCduNJSVa0bYRNrW2VwMflX5av73nuO&GFNL6=9rzX0zMPGJe
suspicious_features GET method with no useragent header suspicious_request GET http://www.vernshandmade.com/tgdh/?oXL=bQnQKnB1Ss+iIFTY4P53xmPXEpjrMWsWSs3GF18+WwXvqWynx9MRCd3hJcujecrJ+mv2Gevf&GFNL6=9rzX0zMPGJe
suspicious_features GET method with no useragent header suspicious_request GET http://www.disneyy.online/tgdh/?oXL=yTnVb2tg7ARKFX050KVe//mT5Ff12juh011QKHkYix65bxDVqf807Xrt0Hcx6eNyVazFzzpR&GFNL6=9rzX0zMPGJe
suspicious_features GET method with no useragent header suspicious_request GET http://www.smonique.com/tgdh/?oXL=6IzDNvq36e1W8CiJ1NlVZuy5vYNCYHHTzCVE35nOSEe2qUNdEDdqHjuFWccjs6VEiGwwaE+o&GFNL6=9rzX0zMPGJe
suspicious_features GET method with no useragent header suspicious_request GET http://www.socialcrayons.com/tgdh/?oXL=AkIp2eED1pFiXkYOGYOKBgSrvoJlM7uPGyhWbVOCo5bSOQOUdmVeAfL8gFnbOTwfh1JuFvs5&GFNL6=9rzX0zMPGJe&5yJZ=qPX87RDh
suspicious_features GET method with no useragent header suspicious_request GET http://www.stickscollar.com/tgdh/?oXL=acGlUfVkWmWVflw+xL35pCNy6pbIrLuDAngQu8VWTg1Pd/+K/gQWDJIUeRN5jeJoZfAMJ4xt&GFNL6=9rzX0zMPGJe&NHpC=KtxXAba0
request GET http://www.manly-inc.net/tgdh/?oXL=T2hyiT4yGRSJySXgvQ92ynvHZeFzcAvRrmHKTRNyhOIVdtUvfNniaBMnD2YE3Kp/ivsTupKs&GFNL6=9rzX0zMPGJe
request GET http://www.progress-storage.com/tgdh/?oXL=1JFI+sqiJ53F/4r74AU6bnX0zMJGF2EjLTuIZSF/OAKO4l5yELQ4TKKxTaKAtUH5lAUlWY7l&GFNL6=9rzX0zMPGJe
request GET http://www.lychee.solutions/tgdh/?oXL=UlKbuswi2Y15wEsv3lQ89d1PQ+7W2P8S37KfK5fMXAO8xBwAZ7A9X+0QBphQ8KC7Yj0SKJjN&GFNL6=9rzX0zMPGJe
request GET http://www.youruaect.com/tgdh/?oXL=tZMPgU44/UyTvdlqydmrTmAWwCRIROfEbKPJDsOmrPCduNJSVa0bYRNrW2VwMflX5av73nuO&GFNL6=9rzX0zMPGJe
request GET http://www.vernshandmade.com/tgdh/?oXL=bQnQKnB1Ss+iIFTY4P53xmPXEpjrMWsWSs3GF18+WwXvqWynx9MRCd3hJcujecrJ+mv2Gevf&GFNL6=9rzX0zMPGJe
request GET http://www.disneyy.online/tgdh/?oXL=yTnVb2tg7ARKFX050KVe//mT5Ff12juh011QKHkYix65bxDVqf807Xrt0Hcx6eNyVazFzzpR&GFNL6=9rzX0zMPGJe
request GET http://www.smonique.com/tgdh/?oXL=6IzDNvq36e1W8CiJ1NlVZuy5vYNCYHHTzCVE35nOSEe2qUNdEDdqHjuFWccjs6VEiGwwaE+o&GFNL6=9rzX0zMPGJe
request POST http://www.socialcrayons.com/tgdh/
request GET http://www.socialcrayons.com/tgdh/?oXL=AkIp2eED1pFiXkYOGYOKBgSrvoJlM7uPGyhWbVOCo5bSOQOUdmVeAfL8gFnbOTwfh1JuFvs5&GFNL6=9rzX0zMPGJe&5yJZ=qPX87RDh
request POST http://www.stickscollar.com/tgdh/
request GET http://www.stickscollar.com/tgdh/?oXL=acGlUfVkWmWVflw+xL35pCNy6pbIrLuDAngQu8VWTg1Pd/+K/gQWDJIUeRN5jeJoZfAMJ4xt&GFNL6=9rzX0zMPGJe&NHpC=KtxXAba0
request POST http://www.socialcrayons.com/tgdh/
request POST http://www.stickscollar.com/tgdh/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1408
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74252000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1336
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00480000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2328
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00950000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2168
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02010000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\ayyjkoh.exe
file C:\Users\test22\AppData\Local\Temp\ayyjkoh.exe
file C:\Users\test22\AppData\Local\Temp\ayyjkoh.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2328
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000b4
1 0 0
Process injection Process 1336 called NtSetContextThread to modify thread in remote process 2328
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005139908
registers.esp: 1638384
registers.edi: 0
registers.eax: 4322000
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000b0
process_identifier: 2328
1 0 0
dead_host 160.124.149.174:80
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2276
thread_handle: 0x000001f4
process_identifier: 1336
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\ayyjkoh.exe C:\Users\test22\AppData\Local\Temp\nkhbfy
filepath_r:
stack_pivoted: 0
creation_flags: 67108864 (CREATE_DEFAULT_ERROR_MODE)
inherit_handles: 0
process_handle: 0x000001fc
1 1 0

CreateProcessInternalW

 thread_identifier: 2312
thread_handle: 0x000000b0
process_identifier: 2328
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\ayyjkoh.exe
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\ayyjkoh.exe C:\Users\test22\AppData\Local\Temp\nkhbfy
filepath_r: C:\Users\test22\AppData\Local\Temp\ayyjkoh.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000000b4
1 1 0

NtGetContextThread

 thread_handle: 0x000000b0
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2328
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000b4
1 0 0

NtSetContextThread

 registers.eip: 2005139908
registers.esp: 1638384
registers.edi: 0
registers.eax: 4322000
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000b0
process_identifier: 2328
1 0 0

CreateProcessInternalW

 thread_identifier: 2100
thread_handle: 0x0000004c
process_identifier: 2168
current_directory:
filepath: C:\Windows\SysWOW64\raserver.exe
track: 1
command_line:
filepath_r: C:\Windows\SysWOW64\raserver.exe
stack_pivoted: 0
creation_flags: 134217740 (CREATE_NO_WINDOW|CREATE_SUSPENDED|DETACHED_PROCESS)
inherit_handles: 0
process_handle: 0x000000bc
1 1 0
Bkav W32.AIDetect.malware1
Lionic Trojan.Multi.Generic.4!c
DrWeb Trojan.Siggen17.52383
MicroWorld-eScan Trojan.NSISX.Spy.Gen.4
FireEye Generic.mg.22bde89a8afcad74
ALYac Trojan.NSISX.Spy.Gen.4
Cylance Unsafe
Sangfor [NULLSOFT PIMP INSTALL SYSTEM2]
K7GW Trojan ( 00592f011 )
Cybereason malicious.372aca
Arcabit Trojan.NSISX.Spy.Gen.4
Cyren W32/Trojan.QQUK-5462
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ERQP
TrendMicro-HouseCall TROJ_GEN.R002H0DEH22
Paloalto generic.ml
Kaspersky HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender Trojan.NSISX.Spy.Gen.4
Avast Win32:InjectorX-gen [Trj]
Tencent Win32.Trojan-spy.Noon.Hqvt
Emsisoft Trojan.NSISX.Spy.Gen.4 (B)
McAfee-GW-Edition BehavesLike.Win32.Dropper.cc
SentinelOne Static AI - Malicious PE
Sophos Mal/Generic-S
Ikarus Trojan-Spy.Agent
Avira TR/AD.Swotter.qzqip
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Downloader.sa
Microsoft Trojan:Win32/Lokibot.ANRF!MTB
GData Win32.Trojan.PSE.Z3NZES
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.NSISInject.R492809
McAfee RDN/Generic.dx
VBA32 BScope.Trojan.Winlock
Malwarebytes Trojan.Injector
APEX Malicious
Rising Trojan.Injector!8.C4 (CLOUD)
MAX malware (ai score=87)
Fortinet W32/Agent.ERNF!tr
AVG Win32:InjectorX-gen [Trj]
CrowdStrike win/malicious_confidence_100% (W)