popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis
Gen1 Malicious Library Malicious Packer Downloader Antivirus task schedule UPX HTTP DNS ScreenShot Create Service KeyLogger Internet API P2P DGA Hijack Network persistence Socket Escalate priviledges Code injection PWS SSL Sniff Audio Steal credential
  1. Resubmit sample
Category Machine Started Completed
ARCHIVE s1_win7_x6402 Oct. 12, 2022, 8:11 a.m. Oct. 12, 2022, 8:20 a.m.

Archive Notafiscal-gtfbp-10144-PLFNV.exe @ Notafiscal-ahasf-76405-HOYLO.zip

Summary

Size 346.7MB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 8ddd50069956806ee60f17adef6ec21c
SHA1 c7a2db0c695a99c0004dc00d5b140f88114fac8d
SHA256 9761cb197cd5c09bea81969a249bf20cd09a6cce2a52b7d86fb4d166a8a7474e
SHA512
2910acedd26d63f8d9e5dd3f0a465a3d8c8d370e54c3abb32064fdd3c72944f77a1717f533b5ebe7ffce7bcf34a2401879dc0863dda6e528c72ae326053fdbe0
CRC32 9DE4134B
ssdeep 98304:fCLgXiZcEpAzBDdOVqcO+llHUbvTmRgkTWkA+Txa72lCcjjkc:4vA0McO+47ibLxvdjkc
Yara
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • Malicious_Packer_Zero - Malicious Packer

Name Response Post-Analysis Lookup
ameizingbrazil2022.s3.sa-east-1.amazonaws.com
A 52.95.163.75
CNAME s3-r-w.sa-east-1.amazonaws.com
52.95.164.43
IP Address Status Action
142.250.196.106 Active Moloch
142.250.196.110 Active Moloch
142.250.206.234 Active Moloch
142.250.206.238 Active Moloch
142.250.207.13 Active Moloch
142.250.207.35 Active Moloch
142.251.42.131 Active Moloch
172.217.161.36 Active Moloch
172.217.31.163 Active Moloch
164.124.101.2 Active Moloch
20.70.3.186 Active Moloch
52.95.163.75 Active Moloch
216.58.220.110 Active Moloch
34.104.35.123 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .symtab
suspicious_features Connection to IP address suspicious_request GET http://20.70.3.186/migaldiscovery/ybnzkvj.php
request GET http://20.70.3.186/migaldiscovery/ybnzkvj.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4182016
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 9117696
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ee000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2244
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2244
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02180000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\Wizard.exe
file C:\Users\test22\SxShellExtX64.dll
file C:\Users\test22\StuffItConnect.dll
file C:\Users\test22\StuffItEngine.dll
file C:\Users\test22\Stuffit14.exe
file C:\Users\test22\CmdLine.exe
file C:\Users\test22\Common.dll
file C:\Users\test22\StarBurn.dll
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000358
process_name: WmiPrvSE.exe
process_identifier: 1324
1 1 0
section {u'size_of_data': u'0x00065e00', u'virtual_address': u'0x0049b000', u'entropy': 7.995590038544248, u'name': u'/19', u'virtual_size': u'0x00065dfe'} entropy 7.99559003854 description A section with a high entropy has been found
section {u'size_of_data': u'0x00011000', u'virtual_address': u'0x00501000', u'entropy': 7.978164827311165, u'name': u'/32', u'virtual_size': u'0x00010e5d'} entropy 7.97816482731 description A section with a high entropy has been found
section {u'size_of_data': u'0x000a2000', u'virtual_address': u'0x00513000', u'entropy': 7.996960376558501, u'name': u'/65', u'virtual_size': u'0x000a1fa1'} entropy 7.99696037656 description A section with a high entropy has been found
section {u'size_of_data': u'0x00094000', u'virtual_address': u'0x005b5000', u'entropy': 7.9959849421280245, u'name': u'/78', u'virtual_size': u'0x00093f7d'} entropy 7.99598494213 description A section with a high entropy has been found
section {u'size_of_data': u'0x0002aa00', u'virtual_address': u'0x00649000', u'entropy': 7.938451859629083, u'name': u'/90', u'virtual_size': u'0x0002a91f'} entropy 7.93845185963 description A section with a high entropy has been found
entropy 0.277393734373 description Overall entropy of this PE file is high
url http://my.smithmicro.com/win/stuffitexpander/download.html
url http://purl.org/rss/1.0/
url http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url http://www.passport.com
url http://crl.comodo.net/TrustedCertificateServices.crl0
url http://www.stuffit.com
url http://www.smithmicro.com
url http://www.e-szigno.hu/RootCA.crt0
url http://crl.identrust.com/DSTROOTCAX3CRL.crl0
url https://www.verisign.com/rpa
url http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
url http://ocsp.rootg2.amazontrust.com08
url http://cert.startcom.org/policy.pdf0
url http://www.disig.sk/ca/crl/ca_disig.crl0
url http://crl.securetrust.com/SGCA.crl0
url http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url http://www.ssc.lt/cps03
url http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url http://crt.comodoca.com/COMODORSAAddTrustCA.crt0
url http://users.ocsp.d-trust.net03
url http://crl.startcom.org/sfsca-crl.crl0
url http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url http://crl.comodo.net/AAACertificateServices.crl0
url http://www.pkioverheid.nl/policies/root-policy0
url http://cps.chambersign.org/cps/chambersroot.html0
url https://rca.e-szigno.hu/ocsp0-
url http://www.entrust.net/CRL/Client1.crl0
url http://crl.chambersign.org/publicnotaryroot.crl0
url https://www.verisign.com/rpa01
url http://ocsp.comodoca.com0
url http://logo.verisign.com/vslogo.gif0
url https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url http://crl.verisign.com/tss-ca.crl0
url http://www.acabogacia.org/doc0
url http://www.e-szigno.hu/SZSZ/0
url http://crl.ssc.lt/root-b/cacrl.crl0
url http://isrg.trustid.ocsp.identrust.com0
url https://www.verisign.com/rpa0
url http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
url http://crl.securetrust.com/STCA.crl0
url https://www.catcert.net/verarrel05
url http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url http://ocsp.sca1b.amazontrust.com06
url http://s.ss2.us/r.crl0
url http://ca.sia.it/secsrv/repository/CRL.der0J
url http://crl.globalsign.net/root-r2.crl0
url http://certificates.starfieldtech.com/repository/1604
url http://crt.sca1b.amazontrust.com/sca1b.crt0
url http://www.d-trust.net0
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over SSL rule Network_SSL
description Communications over RAW Socket rule Network_TCP_Socket
description Take ScreenShot rule ScreenShot
description Communications use DNS rule Network_DNS
description Match Windows Inet API call rule Str_Win32_Internet_API
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description PWS Memory rule Generic_PWS_Memory_Zero
description Hijack network configuration rule Hijack_Network
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Steal credential rule local_credential_Steal
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
description File Downloader rule Network_Downloader
description task schedule rule schtasks_Zero
description Escalate priviledges rule Escalate_priviledges
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description (no description) rule Check_Qemu_Description
description (no description) rule Check_VBox_Description
description (no description) rule Check_VBox_VideoDrivers
description Possibly employs anti-virtualization techniques rule vmdetect
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Install itself for autorun at Windows startup rule Persistence
description Communications over FTP rule Network_FTP
description Match Windows Http API call rule Str_Win32_Http_API
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Take ScreenShot rule ScreenShot
description Communications use DNS rule Network_DNS
description Match Windows Inet API call rule Str_Win32_Internet_API
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description PWS Memory rule Generic_PWS_Memory_Zero
description Hijack network configuration rule Hijack_Network
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
host 142.250.196.106
host 142.250.196.110
host 142.250.206.234
host 142.250.206.238
host 142.250.207.13
host 142.250.207.35
host 142.251.42.131
host 172.217.161.36
host 172.217.31.163
host 20.70.3.186
host 216.58.220.110
host 34.104.35.123
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
file C:\Users\test22\CmdLine.exe
url http://20.70.3.186/migaldiscovery/ybnzkvj.phpinvalid
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

 ordinal: 0
function_address: 0x0018fe29
function_name: wine_get_version
module: ntdll
module_address: 0x77470000
3221225785 0
Time & API Arguments Status Return Repeated

NtGetContextThread

 thread_handle: 0x000000f0
1 0 0

NtResumeThread

 thread_handle: 0x000000f0
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtSetContextThread

 registers.eip: 4602464
registers.esp: 311113904
registers.edi: 0
registers.eax: 0
registers.ebp: 752297169
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000320
process_identifier: 3064
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtSetContextThread

 registers.eip: 4602464
registers.esp: 311114028
registers.edi: 0
registers.eax: 0
registers.ebp: 15568
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000320
process_identifier: 3064
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000320
1 0 0

NtResumeThread

 thread_handle: 0x00000320
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000324
1 0 0

NtResumeThread

 thread_handle: 0x00000324
suspend_count: 1
process_identifier: 3064
1 0 0

NtGetContextThread

 thread_handle: 0x00000324
1 0 0

NtResumeThread

 thread_handle: 0x00000324
suspend_count: 1
process_identifier: 3064
1 0 0