popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

soulorg3.1.exe

Malicious Library Downloader UPX PE File OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 28, 2022, 9:22 a.m. Oct. 28, 2022, 9:25 a.m.
Size 452.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 b1e6f07a9f6a26d039fe14000611c8d6
SHA256 9ee91e25213f680f3737997ae755c6cd3972738f60f19a4e6218fc8c0fa52f9c
CRC32 5828EA67
ssdeep 6144:NweE41oagx/+iFGnIEDZWgTVRGsKr46wfQLl8XFIXE7Elh2:mGIQWgKbMSl6I04e
Yara
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
steam007.duckdns.org
A 91.192.100.7
91.192.100.7
IP Address Status Action
164.124.101.2 Active Moloch
91.192.100.7 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:54148 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity
UDP 192.168.56.101:55146 -> 164.124.101.2:53 2022918 ET INFO DYNAMIC_DNS Query to *.duckdns. Domain Misc activity

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
domain steam007.duckdns.org
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2756
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004150000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\lsdmzpuaiz.exe
file C:\Users\test22\AppData\Roaming\ypvc\whfwofnovxc.exe
file C:\Users\test22\AppData\Roaming\ypvc\whfwofnovxc.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xbclrsbxlwqa reg_value C:\Users\test22\AppData\Roaming\ypvc\whfwofnovxc.exe "C:\Users\test22\AppData\Local\Temp\lsdmzpuaiz.exe"
Process injection Process 2756 called NtSetContextThread to modify thread in remote process 2832
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 2029800
registers.edi: 0
registers.eax: 4216632
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000f8
process_identifier: 2832
1 0 0
Lionic Trojan.Win32.GenericML.4!c
MicroWorld-eScan Trojan.Garf.Gen.10
FireEye Generic.mg.b1e6f07a9f6a26d0
ALYac Trojan.NSISX.Spy.Gen.24
Cylance Unsafe
VIPRE Trojan.Garf.Gen.10
Sangfor Trojan.Win32.Injector.ESES
Alibaba TrojanPSW:Win32/Stealer.771222cb
CrowdStrike win/malicious_confidence_90% (W)
Arcabit Trojan.Garf.Gen.10 [many]
Cyren W32/Injector.BDH.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ESES
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 99)
Kaspersky UDS:Trojan.Win32.GenericML.xnet
BitDefender Trojan.Garf.Gen.10
Avast Win32:InjectorX-gen [Trj]
Rising Trojan.Generic@AI.94 (RDML:O2Hu3wYM1zf/DrmzHTTc3Q)
Emsisoft Trojan.Garf.Gen.10 (B)
McAfee-GW-Edition NSIS/ObfusInjector.h
Jiangmin Trojan.Shelma.nbo
Avira HEUR/AGEN.1213051
MAX malware (ai score=100)
Microsoft Trojan:Win32/Wacatac.B!ml
GData Win32.Trojan.PSE.HL57Z2
Google Detected
AhnLab-V3 Trojan/Win.TrojanX-gen.R531816
McAfee Artemis!B1E6F07A9F6A
Malwarebytes Trojan.Win32.Generic
Tencent Win32.Trojan-QQPass.QQRob.Tnkl
Ikarus Trojan.Inject
Fortinet W32/Injector.ESES!tr
BitDefenderTheta Gen:NN.ZexaF.34754.eqW@aSSK2yd
AVG Win32:InjectorX-gen [Trj]
Cybereason malicious.930337
dead_host 192.168.56.101:49181
dead_host 192.168.56.101:49180
dead_host 192.168.56.101:49171
dead_host 192.168.56.101:49170
dead_host 192.168.56.101:49169
dead_host 192.168.56.101:49166
dead_host 192.168.56.101:49179
dead_host 192.168.56.101:49168
dead_host 192.168.56.101:49178
dead_host 192.168.56.101:49175
dead_host 192.168.56.101:49177
dead_host 91.192.100.7:6548
dead_host 192.168.56.101:49176
dead_host 192.168.56.101:49173
dead_host 192.168.56.101:49172
dead_host 192.168.56.101:49182
dead_host 192.168.56.101:49174