popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

macol.exe

UPX Malicious Library PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Dec. 14, 2022, 9:36 a.m. Dec. 14, 2022, 9:38 a.m.
Size 432.8KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 b89438b8ad038b570457bc1bb4e80a73
SHA256 548fb330ffeb62ab1fd674a557606885338344c8cc807e2a3f9c64e475bdf2c0
CRC32 17AEA861
ssdeep 6144:ukwkDeTURwgORE8KxO8c1QWXa7RLvL/BAEhg2+6Ha/V:PD8owgORE8KxBWsRXaEhxa/V
Yara
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
www.donqu3.sexy
www.ekeisolutions.com
CNAME ekeisolutions.com
A 34.102.136.180
34.102.136.180
www.12443.football
A 137.220.219.45
137.220.219.45
www.evri-deiivery.com
IP Address Status Action
137.220.219.45 Active Moloch
164.124.101.2 Active Moloch
34.102.136.180 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49170 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.ekeisolutions.com/lt63/?rV0DUb=rO++nkaP2FPEwmJgqn2nHj6RTVYDleKveBQZKZb7Q5J0kfEoS7pBhR4kauMJohOdCCenBJMV&LvyX=oPqLWR
request GET http://www.ekeisolutions.com/lt63/?rV0DUb=rO++nkaP2FPEwmJgqn2nHj6RTVYDleKveBQZKZb7Q5J0kfEoS7pBhR4kauMJohOdCCenBJMV&LvyX=oPqLWR
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 4001792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02190000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00430000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2700
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008e0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\avhga.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2644 called NtSetContextThread to modify thread in remote process 2700
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321456
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000010c
process_identifier: 2700
1 0 0
dead_host 137.220.219.45:80
Lionic Trojan.Win32.Formbook.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Jaik.77520
FireEye Gen:Variant.Jaik.77520
McAfee Artemis!B89438B8AD03
Cylance Unsafe
Sangfor Trojan.Win32.Agent.A3dn
CrowdStrike win/malicious_confidence_90% (D)
Arcabit Trojan.Jaik.D12ED0
Cyren W32/Injector.BHD.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.ESLB
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky UDS:Trojan.Win32.Formbook.gen
BitDefender Gen:Variant.Jaik.77520
Avast FileRepMalware [Trj]
Ad-Aware Gen:Variant.Jaik.77520
Emsisoft Gen:Variant.Jaik.77520 (B)
VIPRE Gen:Variant.Jaik.77520
McAfee-GW-Edition BehavesLike.Win32.Generic.gh
Sophos Mal/Generic-S
Avira HEUR/AGEN.1237753
MAX malware (ai score=81)
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Formbook.AT!MTB
GData Gen:Variant.Jaik.77520
Google Detected
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.36106.dqW@aeKhzRhi
ALYac Gen:Variant.Jaik.77520
Rising Trojan.Injector!8.C4 (CLOUD)
Fortinet W32/Injector.ESFO!tr
AVG FileRepMalware [Trj]