popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

bokledge4.1.exe

UPX Malicious Library PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Feb. 16, 2023, 10:23 a.m. Feb. 16, 2023, 10:32 a.m.
Size 292.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 500ce28cca98df7f3d40fa8f5e428598
SHA256 dc2766f4f8bd2b9b0a2b8fb18426735755ba12ac8e080be1107363305f4c5f5b
CRC32 0D0A0855
ssdeep 6144:vYa67vB1oNb15mb3SfCt/CE76CQ1vGNJxtkxKKSZvyvB9dSuMwviPnMx5I:vYBvB1Wp8b307NruJnkxqWj4uMVPn/
Yara
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
www.123findcapital.com
CNAME 123findcapital.com
A 15.197.142.173
A 3.33.152.147
3.33.152.147
www.dccmovil.com
CNAME dccmovil.com
A 34.102.136.180
34.102.136.180
www.jcw-media.com
A 66.96.162.140
66.96.162.140
IP Address Status Action
164.124.101.2 Active Moloch
3.33.152.147 Active Moloch
34.102.136.180 Active Moloch
66.96.162.140 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49167 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 3.33.152.147:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 3.33.152.147:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 3.33.152.147:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 66.96.162.140:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 66.96.162.140:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 66.96.162.140:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.dccmovil.com/b07o/?r0=o6HXEdJl6/VPp8rWf7jQRIH4rS2B7wZBnAS41Nk2ga+LVrdEWYkuzCknyBgzWY5EcE0I5NHB&sZODHD=8pH8P6V
suspicious_features GET method with no useragent header suspicious_request GET http://www.jcw-media.com/b07o/?r0=jaJOBLEmd5yxE98n7CSjpxqJgVtnhHa3aCWCYIkttjtkv6GZ+uhp6dkAW9oK9ZGeuV/IrL/Z&sZODHD=8pH8P6V
suspicious_features GET method with no useragent header suspicious_request GET http://www.123findcapital.com/b07o/?r0=BQnnnzHQBKzmuzWUc1NmCI/zEoVgbKldG3lEFhDIxtN9pUoBFrHG6JYkbinJNYhAMboRWfOr&sZODHD=8pH8P6V
request GET http://www.dccmovil.com/b07o/?r0=o6HXEdJl6/VPp8rWf7jQRIH4rS2B7wZBnAS41Nk2ga+LVrdEWYkuzCknyBgzWY5EcE0I5NHB&sZODHD=8pH8P6V
request GET http://www.jcw-media.com/b07o/?r0=jaJOBLEmd5yxE98n7CSjpxqJgVtnhHa3aCWCYIkttjtkv6GZ+uhp6dkAW9oK9ZGeuV/IrL/Z&sZODHD=8pH8P6V
request GET http://www.123findcapital.com/b07o/?r0=BQnnnzHQBKzmuzWUc1NmCI/zEoVgbKldG3lEFhDIxtN9pUoBFrHG6JYkbinJNYhAMboRWfOr&sZODHD=8pH8P6V
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d62000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2632
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00840000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00850000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2688
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\fmgwqo.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2632 called NtSetContextThread to modify thread in remote process 2688
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 3800584
registers.edi: 0
registers.eax: 4321616
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000bc
process_identifier: 2688
1 0 0
Lionic Trojan.Win32.Generic.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Garf.Gen.7
FireEye Generic.mg.500ce28cca98df7f
McAfee Artemis!500CE28CCA98
Malwarebytes Generic.Malware/Suspicious
VIPRE Trojan.Garf.Gen.7
Arcabit Trojan.Garf.Gen.7 [many]
Symantec Packed.NSISPacker!g14
ESET-NOD32 Win32/Formbook.AA
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.Garf.Gen.7
Avast Win32:Malware-gen
Emsisoft Trojan.Garf.Gen.7 (B)
McAfee-GW-Edition BehavesLike.Win32.Dropper.dc
Trapmine malicious.moderate.ml.score
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Webroot W32.Trojan.Garf.Gen
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Trojan.NSISX.Spy.Gen.24
Google Detected
ALYac Trojan.NSISX.Spy.Gen.24
MAX malware (ai score=82)
Cylance Unsafe
Rising Trojan.Generic@AI.98 (RDML:bpPM4xjcMXQG3e2ry6nuQg)
Ikarus Trojan.Inject
Fortinet W32/Injector.NSAY!tr
AVG Win32:Malware-gen
CrowdStrike win/malicious_confidence_100% (W)