popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

alakim.exe

UPX Malicious Library PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Dec. 20, 2022, 2:02 p.m. Dec. 20, 2022, 2:05 p.m.
Size 236.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 aabb09c3690d466afdfbbaeb791a8bc8
SHA256 44bf46793f182055af9af6112cfd1236073c6ab0c879d0cffb49154e5c1c85dd
CRC32 14E794FB
ssdeep 6144:FkwvQpUiezSv/iMQYDfyZepKpDLd8vG3be2x:EpReuiojyZTLd8Grfx
Yara
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
www.247repairs.info
www.hijrahfwd.com
A 2.57.90.16
CNAME hijrahfwd.com
2.57.90.16
www.rio727casino.com
IP Address Status Action
164.124.101.2 Active Moloch
2.57.90.16 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49166 -> 2.57.90.16:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 2.57.90.16:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 2.57.90.16:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.hijrahfwd.com/8rmt/?GVoxs=aO6o73ml0LOUhLgaY0qggU8a8dAyqmwgtzDB+vBDlWO/5GdJLRYMNvwevV6n/QAmN+rOPz0V&5jr=UlSp
request GET http://www.hijrahfwd.com/8rmt/?GVoxs=aO6o73ml0LOUhLgaY0qggU8a8dAyqmwgtzDB+vBDlWO/5GdJLRYMNvwevV6n/QAmN+rOPz0V&5jr=UlSp
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2128
region_size: 4001792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02050000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2128
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00500000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2196
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\vjvzoxsg.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2128 called NtSetContextThread to modify thread in remote process 2196
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321408
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000ec
process_identifier: 2196
1 0 0
Lionic Trojan.Win32.FormBook.4!c
MicroWorld-eScan Trojan.Garf.Gen.7
FireEye Trojan.Garf.Gen.7
ALYac Trojan.Garf.Gen.7
Cylance Unsafe
Arcabit Trojan.Garf.Gen.7
BitDefenderTheta Gen:NN.ZexaF.36158.emW@auTHjzd
Elastic malicious (high confidence)
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.Garf.Gen.7
Avast FileRepMalware [Pws]
Emsisoft Trojan.Garf.Gen.7 (B)
VIPRE Trojan.Garf.Gen.7
McAfee-GW-Edition Artemis!Trojan
Sophos Generic PUA BC (PUA)
Google Detected
MAX malware (ai score=83)
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Lokibot.SIS!MTB
GData Trojan.Garf.Gen.7
Cynet Malicious (score: 100)
McAfee Artemis!AABB09C3690D
Rising Trojan.FormBook!8.F858 (CLOUD)
Ikarus Trojan.NSIS.Agent
Fortinet W32/Injector.ESFO!tr
AVG FileRepMalware [Pws]