Summary | ZeroBOX

monnn.exe

Malicious Library UPX PE32 PE File
Category FILE
Machine s1_win7_x6403_us
Started March 14, 2023, 10:34 a.m.
Completed March 14, 2023, 10:44 a.m.
Size 276.4KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 bd7da39a826d40d755a686cfa5acb2c8
SHA256 9d4378cdf74af431b0ac0afc6f5341f896dcb5fba9ccc937deb50a4539aa712b
CRC32 F2E316CB
ssdeep 6144:PYa672hu27PgMGzwrNZqeSUxTlbhjLFQZXgiVhf:PYJ2M275G8W3UXzSrff
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

IP Address Status Action
103.193.175.86 Active Moloch
164.124.101.2 Active Moloch
192.187.111.220 Active Moloch
196.196.25.32 Active Moloch
45.33.6.223 Active Moloch
67.222.24.48 Active Moloch
87.251.77.205 Active Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.103:49173 -> 192.187.111.220:80 | 2031413 | ET MALWARE FormBook CnC Checkin (POST) M2 | Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 67.222.24.48:80 | 2031413 | ET MALWARE FormBook CnC Checkin (POST) M2 | Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status | Return | Repeated

GlobalMemoryStatusEx

Status 1 | Return 1 | Repeated 0
section .ndata
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.uizgxh.shop/sz08/?XBv=6rXopwspFovGjlVMzSUpZgUVNOQxlKRBVqd7ZkwKlqJcn2nrpUHludUfyuXUVPqNuMJeiUXQRard/UMEctGFawtZHYQa0TbBNuV+Fz0=&_dWT=Yt1VAXRI1OIjuKn-
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.rifleroofers.com/sz08/?XBv=Zclp6qOkk6suDwk8LcZFqtM/lspnNbrWW/mAgrca59pL6xO7GaHALAXFne5vnIOo19zUuK72PVyLaF7oIObUpGuGlVs+Ev2qgmxI6XA=&_dWT=Yt1VAXRI1OIjuKn-
request GET http://www.uizgxh.shop/sz08/?XBv=6rXopwspFovGjlVMzSUpZgUVNOQxlKRBVqd7ZkwKlqJcn2nrpUHludUfyuXUVPqNuMJeiUXQRard/UMEctGFawtZHYQa0TbBNuV+Fz0=&_dWT=Yt1VAXRI1OIjuKn-
request GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3330000.zip
request POST http://www.rifleroofers.com/sz08/
request GET http://www.rifleroofers.com/sz08/?XBv=Zclp6qOkk6suDwk8LcZFqtM/lspnNbrWW/mAgrca59pL6xO7GaHALAXFne5vnIOo19zUuK72PVyLaF7oIObUpGuGlVs+Ev2qgmxI6XA=&_dWT=Yt1VAXRI1OIjuKn-
request POST http://www.deltadentaa.com/sz08/
request POST http://www.rifleroofers.com/sz08/
request POST http://www.deltadentaa.com/sz08/
Time & API | Arguments | Status | Return | Repeated

NtProtectVirtualMemory

process_identifier: 2156
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00572000
process_handle: 0xffffffff
Status 1 | Return 0 | Repeated 0

NtAllocateVirtualMemory

process_identifier: 2156
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status 1 | Return 0 | Repeated 0

NtAllocateVirtualMemory

process_identifier: 2200
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00940000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status 1 | Return 0 | Repeated 0
file C:\Users\test22\AppData\Local\Temp\ezupg.exe
Time & API | Arguments | Status | Return | Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
Status 1 | Return 1 | Repeated 0
host 87.251.77.205
Process injection: Process 2156 called NtSetContextThread to modify thread in remote process 2200
Time & API | Arguments | Status | Return | Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 1833260
registers.edi: 0
registers.eax: 4199136
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000b8
process_identifier: 2200
Status 1 | Return 0 | Repeated 0
dead_host 103.193.175.86:80
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.24
McAfee Artemis!BD7DA39A826D
VIPRE Trojan.NSISX.Spy.Gen.24
Sangfor Suspicious.Win32.Save.ins
BitDefender Trojan.NSISX.Spy.Gen.24
CrowdStrike win/malicious_confidence_100% (D)
Cyren W32/Injector.BKO.gen!Eldorado
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win32/Injector.ESUA
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Alibaba Trojan:Win32/Injector.57ccb063
Avast FileRepMalware [Misc]
DrWeb Trojan.Loader.1339
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.bd7da39a826d40d7
Sophos Generic ML PUA (PUA)
SentinelOne Static AI - Suspicious PE
GData Gen:Variant.Zusy.452601
Webroot W32.Malware.Gen
Avira HEUR/AGEN.1242497
MAX malware (ai score=80)
Arcabit Trojan.NSISX.Spy.Gen.24 [many]
Microsoft Trojan:Win32/Casdet!rfn
Google Detected
AhnLab-V3 Trojan/Win.NSISInject.R561060
BitDefenderTheta Gen:NN.ZexaF.36344.dqW@aWM!Eyj
ALYac Gen:Variant.Zusy.452601
TrendMicro-HouseCall TROJ_GEN.R002H06CD23
Rising Trojan.Injector!1.E2E1 (CLASSIC)
Ikarus Trojan-Spy.FormBook
Fortinet W32/Injector.ESTE!tr
AVG FileRepMalware [Misc]