Summary | ZeroBOX

pankotro3.1.exe

Malicious Packer Malicious Library UPX PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6403_us March 16, 2023, 10:28 a.m. March 16, 2023, 10:38 a.m.
Size 203.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 8c8ee58eacb110d5598f723ecd7e948c
SHA256 92e54cb5fb1d4e2c874f09b5c10a617dc00d845970c094e426683d6989c5a182
CRC32 26477DE0
ssdeep 3072:WfY/TU9fE9PEtuNb246i/iIasUc9dWaYU2WfDRuTDP3KlORQ8TsN543G+RWuWCBg:AYa6724zLasU+6UZfDon/8h8e6WqFY
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
omerlan.duckdns.org 193.56.29.112
IP Address Status Action
164.124.101.2 Active Moloch
193.56.29.112 Active Moloch

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
domain omerlan.duckdns.org
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2140
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00782000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2140
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00470000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1236
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000006920000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nttjjyrr.exe
file C:\Users\test22\AppData\Roaming\wgpktdyienwsc\lhqmvfbkt.exe
file C:\Users\test22\AppData\Local\Temp\nttjjyrr.exe
file C:\Users\test22\AppData\Local\Temp\nttjjyrr.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oxtdmirbwg reg_value C:\Users\test22\AppData\Roaming\wgpktdyienwsc\lhqmvfbkt.exe "C:\Users\test22\AppData\Local\Temp\nttjjyrr.exe" C:\Users\test22\App
Process injection Process 2140 called NtSetContextThread to modify thread in remote process 2192
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 3538208
registers.edi: 0
registers.eax: 4216632
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000f8
process_identifier: 2192
1 0 0
dead_host 193.56.29.112:6548
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.24
FireEye Generic.mg.8c8ee58eacb110d5
ALYac Gen:Variant.Babar.172047
Sangfor Trojan.Win32.Injector.V6yk
CrowdStrike win/malicious_confidence_100% (D)
Alibaba Trojan:Win32/Injector.e8f0e636
Arcabit Trojan.NSISX.Spy.Gen.24 [many]
BitDefenderTheta Gen:NN.ZexaCO.36344.dqW@ayJcgIe
Cyren W32/Injector.SZDO-0098
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win32/Injector.ESUJ
Cynet Malicious (score: 100)
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.Win32.Stealer.gen
BitDefender Trojan.NSISX.Spy.Gen.24
Avast Win32:InjectorX-gen [Trj]
Rising Trojan.Generic@AI.87 (RDML:BlpMf0/pa79IWI8d/dofCA)
DrWeb Trojan.Loader.1342
VIPRE Trojan.NSISX.Spy.Gen.24
McAfee-GW-Edition BehavesLike.Win32.Dropper.dc
Emsisoft Trojan.NSISX.Spy.Gen.24 (B)
Ikarus Trojan.Inject
Webroot W32.Injector.Gen
Microsoft TrojanSpy:Win32/AveMaria.STB
ViRobot Trojan.Win.Z.Spy.207921
GData Win32.Backdoor.AMRat.8YBFKU
Google Detected
McAfee Artemis!8C8EE58EACB1
MAX malware (ai score=84)
TrendMicro-HouseCall TROJ_GEN.R002H0DCF23
Fortinet W32/Injector.ESTE!tr
AVG Win32:InjectorX-gen [Trj]
Panda Trj/GdSda.A