popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

mcland2.1.exe

UPX Malicious Library PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Dec. 13, 2022, 5:11 p.m. Dec. 13, 2022, 5:13 p.m.
Size 260.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 2b5f1f5cd70efed5a883ce05b9ce336a
SHA256 d38f58de7af51ac311b23e3f813e8c33599df3f5fe78661fd8b50b90b7805b22
CRC32 DE6BA30C
ssdeep 6144:9kwwlxAYnZCvM1ZkvvI5A0iSCUN3aUbUVwc3II2cEuv7:C6Y8vMaI55oUN35722cEU
Yara
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
www.gooqoo.xyz
A 16.162.168.41
16.162.168.41
www.9898svip1.com
CNAME cr15-site-002.cdn-ng.net
A 103.183.154.27
A 103.183.198.31
A 103.183.154.28
103.183.154.27
www.egordizain.ru
A 185.215.4.23
185.215.4.23
IP Address Status Action
103.183.154.28 Active Moloch
16.162.168.41 Active Moloch
164.124.101.2 Active Moloch
185.215.4.23 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49167 -> 16.162.168.41:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 16.162.168.41:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 16.162.168.41:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 16.162.168.41:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 185.215.4.23:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 185.215.4.23:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 185.215.4.23:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 103.183.154.28:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 103.183.154.28:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 103.183.154.28:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.gooqoo.xyz/lt63/?b6=bZa0pZLrTXAIiuAgQ8fexX2hgRRURr4r4UZ2dVXZUNonR/Eh7Vv/mMrarHhdPIsn72COO6Ar&DbG=_DKdFj
suspicious_features GET method with no useragent header suspicious_request GET http://www.9898svip1.com/lt63/?b6=OPFh7oYmQhOzajxvNJ/O3p9BxmSKvwF4c2d0Ew7Ev5o6kMa7KwaTz78159GjXW9cQ6pClwsY&DbG=_DKdFj
suspicious_features GET method with no useragent header suspicious_request GET http://www.egordizain.ru/lt63/?b6=oQar5JeTzAtryIsva7o6JO+RaAs0kiL1vwF9PA6ChKRV4e3NKW18iRfnRUhU9j4UJj2DPYhI&DbG=_DKdFj
request GET http://www.gooqoo.xyz/lt63/?b6=bZa0pZLrTXAIiuAgQ8fexX2hgRRURr4r4UZ2dVXZUNonR/Eh7Vv/mMrarHhdPIsn72COO6Ar&DbG=_DKdFj
request GET http://www.9898svip1.com/lt63/?b6=OPFh7oYmQhOzajxvNJ/O3p9BxmSKvwF4c2d0Ew7Ev5o6kMa7KwaTz78159GjXW9cQ6pClwsY&DbG=_DKdFj
request GET http://www.egordizain.ru/lt63/?b6=oQar5JeTzAtryIsva7o6JO+RaAs0kiL1vwF9PA6ChKRV4e3NKW18iRfnRUhU9j4UJj2DPYhI&DbG=_DKdFj
domain www.egordizain.ru description Russian Federation domain TLD
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 4001792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02340000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00450000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2696
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00910000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\hiwncudjba.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2644 called NtSetContextThread to modify thread in remote process 2696
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321456
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000ec
process_identifier: 2696
1 0 0
MicroWorld-eScan Trojan.Garf.Gen.6
FireEye Trojan.Garf.Gen.6
ALYac Trojan.Garf.Gen.6
VIPRE Trojan.Garf.Gen.6
Cybereason malicious.71221d
Arcabit Trojan.Garf.Gen.6 [many]
Cyren W32/Trojan.AIIW-8367
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ESKU
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky UDS:Trojan.Win32.Formbook.gen
BitDefender Trojan.Garf.Gen.6
Avast Win32:PWSX-gen [Trj]
Emsisoft Trojan.Garf.Gen.6 (B)
Sophos Generic ML PUA (PUA)
MAX malware (ai score=82)
Microsoft Trojan:Win32/NSISInject.RD!MTB
GData Gen:Variant.Lazy.274607
Google Detected
AhnLab-V3 Trojan/Win.PWSX-gen.R541717
Malwarebytes Trojan.Injector
Rising Trojan.Injector!8.C4 (TFE:5:0XNh6Yk08UQ)
Ikarus Trojan.NSIS.Agent
Fortinet W32/Injector.ESIU!tr
BitDefenderTheta Gen:NN.ZexaF.36106.iuW@aqT6itei
AVG Win32:PWSX-gen [Trj]