popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

roc51.exe

UPX Malicious Library PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Feb. 12, 2023, 2:52 p.m. Feb. 12, 2023, 3:11 p.m.
Size 296.6KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 1d920aa56457a163c9ede013081ae820
SHA256 3d269d34d687979b0d73960f880ef5eaf5cd4bf4b90129ce5d6c0c5f8ec58995
CRC32 4E01A2E7
ssdeep 6144:/Ya60IJrcLmPyG1twMNr1GX1Iius7CCeEhMNUPLegtfSdtyQ:/YaIeOyG/slB7CCPQULid0Q
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
www.eleonorasdaycare.com
A 154.209.142.100
154.209.142.100
www.microshel.com
CNAME microshel.com
A 34.102.136.180
34.102.136.180
www.aq993.cyou
www.detoxshopbr.store
CNAME shops.myshopify.com
A 23.227.38.74
23.227.38.74
IP Address Status Action
154.209.142.100 Active Moloch
164.124.101.2 Active Moloch
23.227.38.74 Active Moloch
34.102.136.180 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49169 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 23.227.38.74:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 23.227.38.74:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 23.227.38.74:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 154.209.142.100:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 154.209.142.100:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 154.209.142.100:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.eleonorasdaycare.com/re29/?u6u4=iZ4D9MfQzkLMiVC19Sx2I5zdLa7VmU5sDnt6/xeT1G1WjM9KfvNu0TUCkvScjOTSuzsJDmh5&9rQl7P=xPJpLXiX
suspicious_features GET method with no useragent header suspicious_request GET http://www.microshel.com/re29/?u6u4=trfuaJRD6A/eesv4M6SXrE7j8J9Y8vN4m/WyH3ernOja7pMfzOf3bi/QkcHzhOFYePR8sA9G&9rQl7P=xPJpLXiX
suspicious_features GET method with no useragent header suspicious_request GET http://www.detoxshopbr.store/re29/?u6u4=aQt7vukWYUzx+oCCTqo8HxJeOTyNng86cco+4+q4ypewOOMVBrQ/M97kQTWlSCj26KyEdjaM&9rQl7P=xPJpLXiX
request GET http://www.eleonorasdaycare.com/re29/?u6u4=iZ4D9MfQzkLMiVC19Sx2I5zdLa7VmU5sDnt6/xeT1G1WjM9KfvNu0TUCkvScjOTSuzsJDmh5&9rQl7P=xPJpLXiX
request GET http://www.microshel.com/re29/?u6u4=trfuaJRD6A/eesv4M6SXrE7j8J9Y8vN4m/WyH3ernOja7pMfzOf3bi/QkcHzhOFYePR8sA9G&9rQl7P=xPJpLXiX
request GET http://www.detoxshopbr.store/re29/?u6u4=aQt7vukWYUzx+oCCTqo8HxJeOTyNng86cco+4+q4ypewOOMVBrQ/M97kQTWlSCj26KyEdjaM&9rQl7P=xPJpLXiX
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00920000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2116
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00930000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2220
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\hpsfqj.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2116 called NtSetContextThread to modify thread in remote process 2220
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 2881780
registers.edi: 0
registers.eax: 4321616
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000f0
process_identifier: 2220
1 0 0
Bkav W32.AIDetectNet.01
MicroWorld-eScan Gen:Variant.Nemesis.15914
FireEye Generic.mg.1d920aa56457a163
ALYac Gen:Variant.Jaik.95172
VIPRE Gen:Variant.Nemesis.15914
Sangfor Suspicious.Win32.Save.ins
Cybereason malicious.f1341a
Arcabit Trojan.Nemesis.D3E2A [many]
Symantec Packed.NSISPacker!g14
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ESQZ
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky VHO:Trojan-Spy.Win32.Noon.gen
BitDefender Gen:Variant.Nemesis.15914
Avast Win32:PWSX-gen [Trj]
Emsisoft Gen:Variant.Nemesis.15914 (B)
McAfee-GW-Edition BehavesLike.Win32.ICLoader.dc
Trapmine malicious.moderate.ml.score
Sophos Generic ML PUA (PUA)
SentinelOne Static AI - Suspicious PE
MAX malware (ai score=82)
Microsoft Trojan:Win32/Formbook!MTB
GData Gen:Variant.Jaik.95172
Google Detected
Acronis suspicious
McAfee Artemis!1D920AA56457
Rising Trojan.Injector!8.C4 (RDMK:cmRtazpbFIJpGF141RAt9u7HcmhB)
Ikarus Trojan.Inject
Fortinet W32/Injector_AGen.QG!tr
BitDefenderTheta Gen:NN.ZexaF.36276.hqW@aqdPvF
AVG Win32:PWSX-gen [Trj]