Summary | ZeroBOX

OV DU 220722.PDF.js

Malicious Library PE32 PE File
Category FILE
Machine s1_win7_x6402
Started Aug. 26, 2022, 9:55 a.m.
Completed Aug. 26, 2022, 9:57 a.m.
Size 523.2KB
Type ASCII text, with very long lines, with no line terminators
MD5 49bf7b5a02c13cc0b3e7cce7bfebc5b4
SHA256 8674962627e47e287f9bcd17b56d6ea3efc32306f62a643a60dccf35e85eb061
CRC32 476D8747
ssdeep 6144:bt6i4OoA2Cop8sXCybvofXEvQ454VbLgzF/OMUDiTJo4x7E7xSi4STt+in4Xtypj:Z7lt2Ss7zvUVbLgp/fWxSi4YHDZJ1
Yara None matched

Name Response Post-Analysis Lookup
No hosts contacted.

IP Address Status Action
143.198.133.245 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

API GetComputerNameA
Arguments
computer_name: TEST22-PC
Status 1 Return 1 Repeated 0
API NtProtectVirtualMemory
Arguments
process_identifier: 2248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74742000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

API NtAllocateVirtualMemory
Arguments
process_identifier: 2316
region_size: 253952
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a10000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0
description LANCEMENT.exe tried to sleep 171 seconds, actually delayed analysis time by 171 seconds
file C:\Users\test22\AppData\Roaming\hFINgWEGSB.js
file C:\Users\test22\AppData\Local\Temp\LANCEMENT.exe
file C:\Users\test22\AppData\Local\Temp\LANCEMENT.exe
API NtProtectVirtualMemory
Arguments
process_identifier: 2316
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 212992
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x009d0000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0
host 143.198.133.245
file C:\Users\test22\AppData\Local\Temp\LANCEMENT.exe
parent_process wscript.exe martian_process "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\hFINgWEGSB.js"
parent_process wscript.exe martian_process C:\Users\test22\AppData\Local\Temp\LANCEMENT.exe
parent_process wscript.exe martian_process "C:\Users\test22\AppData\Local\Temp\LANCEMENT.exe"
parent_process wscript.exe martian_process wscript //B "C:\Users\test22\AppData\Roaming\hFINgWEGSB.js"
Lionic Trojan.Script.Generic.b!c
DrWeb Trojan.MulDrop20.45409
FireEye Trojan.GenericKD.61448550
CAT-QuickHeal JS.Nemucod.BGF
VIPRE Trojan.GenericKD.61448550
Cyren ABRisk.YUWJ-5
Symantec Backdoor.Cobalt
Avast Other:Malware-gen [Trj]
Kaspersky HEUR:Trojan-Dropper.Script.Generic
BitDefender Trojan.GenericKD.61448550
NANO-Antivirus Trojan.Script.Dropper.foxxbq
MicroWorld-eScan Trojan.GenericKD.61448550
Ad-Aware Trojan.GenericKD.61448550
Emsisoft Trojan.GenericKD.61448550 (B)
Microsoft Trojan:Win32/Leonem
Arcabit Trojan.Generic.D3A9A166
GData Trojan.GenericKD.61448550
Google Detected
ALYac Trojan.GenericKD.61448550
VBA32 suspected of JS.Crypted.Heur
Ikarus Trojan.Script
AVG Other:Malware-gen [Trj]
dead_host 143.198.133.245:443
file C:\Users\test22\AppData\Local\Temp\LANCEMENT.exe
file C:\Windows\SysWOW64\wscript.exe