popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

soso.exe

Malicious Library UPX PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Dec. 10, 2022, 2:43 p.m. Dec. 10, 2022, 2:58 p.m.
Size 530.9KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 e17b0be6e0c42a0c39c5da63523af8d8
SHA256 7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293
CRC32 452C28F0
ssdeep 6144:ukwxeWkEM+08FjAOpwh0eEnt4KHz/aOfL40QfkhzJtnXXXdxspXEWYUPwH:IHM+bsOpwh0lnt4NgIMhz3nHXTsmoPwH
Yara
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49166 -> 104.21.69.166:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 104.21.69.166:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 104.21.69.166:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 185.53.179.174:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 185.53.179.174:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 163.197.224.28:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 185.53.179.174:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 163.197.224.28:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 163.197.224.28:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 199.15.163.128:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 199.15.163.128:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 199.15.163.128:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.coffeeforyou56.com/wh23/?u6Ad=+Z/9GnRooy4uMI/2ytyzBxmfIRzkEihmLnUbG9gon5BvVZqaawbrlsvFopSkMy8/ynATbtGm&9rQl7P=xPJtLXbP
suspicious_features GET method with no useragent header suspicious_request GET http://www.lesyeuxdanslespoches.com/wh23/?u6Ad=2UBdbPyJ3BJ1PizOWtFy1nFuYMz29j0z90R/CygIgf7oXdu1OYqDC0mFcr3+ZljEfmCRWGcD&9rQl7P=xPJtLXbP
suspicious_features GET method with no useragent header suspicious_request GET http://www.floridaindianrivergeoves.com/wh23/?u6Ad=HQs9sY6MfmjvG4BCT+S8X4weKQ3jHGmqz4mij5NJ3M2nb+7m/H8tNbVgpdoIwpufVMaXPBq3&9rQl7P=xPJtLXbP
suspicious_features GET method with no useragent header suspicious_request GET http://www.suratdimond.com/wh23/?u6Ad=jUJ7bRHoxkHA5rahzGpJGSe+g9rlOc6E7RlDBgSrRJk0jchNThhp3wI7m3+F7bQyA0QFLd33&9rQl7P=xPJtLXbP
request GET http://www.coffeeforyou56.com/wh23/?u6Ad=+Z/9GnRooy4uMI/2ytyzBxmfIRzkEihmLnUbG9gon5BvVZqaawbrlsvFopSkMy8/ynATbtGm&9rQl7P=xPJtLXbP
request GET http://www.lesyeuxdanslespoches.com/wh23/?u6Ad=2UBdbPyJ3BJ1PizOWtFy1nFuYMz29j0z90R/CygIgf7oXdu1OYqDC0mFcr3+ZljEfmCRWGcD&9rQl7P=xPJtLXbP
request GET http://www.floridaindianrivergeoves.com/wh23/?u6Ad=HQs9sY6MfmjvG4BCT+S8X4weKQ3jHGmqz4mij5NJ3M2nb+7m/H8tNbVgpdoIwpufVMaXPBq3&9rQl7P=xPJtLXbP
request GET http://www.suratdimond.com/wh23/?u6Ad=jUJ7bRHoxkHA5rahzGpJGSe+g9rlOc6E7RlDBgSrRJk0jchNThhp3wI7m3+F7bQyA0QFLd33&9rQl7P=xPJtLXbP
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2140
region_size: 4001792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01e70000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2140
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00590000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2184
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00920000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\myxwn.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2140 called NtSetContextThread to modify thread in remote process 2184
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321552
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000cc
process_identifier: 2184
1 0 0
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Jaik.77520
FireEye Gen:Variant.Jaik.77520
CrowdStrike win/malicious_confidence_90% (D)
Arcabit Trojan.Jaik.D12ED0
Symantec ML.Attribute.HighConfidence
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky VHO:Trojan.Win32.FormBook.gen
BitDefender Gen:Variant.Jaik.77520
Ad-Aware Gen:Variant.Jaik.77520
Emsisoft Gen:Variant.Jaik.77520 (B)
VIPRE Gen:Variant.Jaik.77520
MAX malware (ai score=81)
Antiy-AVL Trojan/NSIS.Formbook.a
ZoneAlarm VHO:Trojan.Win32.FormBook.gen
GData Gen:Variant.Jaik.77520
Google Detected
BitDefenderTheta Gen:NN.ZexaF.36106.rqW@a4XKZKo
Malwarebytes Malware.AI.4239435998
Rising Trojan.Injector!8.C4 (TFE:1:Gm8DD6ShD4R)
Ikarus Trojan.NSIS.Injector
Fortinet W32/Injector.ESIU!tr
Cybereason malicious.cf78e7