Summary | ZeroBOX

sekontary2.1.exe

Malicious Library UPX Downloader PE32 PE File
Category Machine Started Completed
FILE s1_win7_x6401 March 17, 2023, 9:38 a.m. March 17, 2023, 9:45 a.m.
Size 177.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 f2e4e0ba9fc3fe9d2229c31c4a5a40d0
SHA256 84cc7b5b7b1cd8448cf5529f493a6882016e75c85da54baa30e95fe32452f780
CRC32 E2846DC3
ssdeep 3072:WfY/TU9fE9PEtuRbrDbPTMuOqCw5NQhDd3+4/qxvVHY0MLtTtQS0W1KHdqML:AYa6XrDbP6vw5ipvgvVHY0UTSJ9l
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
omerlan.duckdns.org 193.56.29.112
IP Address Status Action
164.124.101.2 Active Moloch
193.56.29.112 Active Moloch

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
domain omerlan.duckdns.org
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732a2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2644
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004b2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2644
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00360000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000046d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\pcspikx.exe
file C:\Users\test22\AppData\Roaming\vfokscxhdmvrb\kgplueaj.exe
file C:\Users\test22\AppData\Local\Temp\pcspikx.exe
file C:\Users\test22\AppData\Local\Temp\pcspikx.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sowsclhqavf reg_value C:\Users\test22\AppData\Roaming\vfokscxhdmvrb\kgplueaj.exe "C:\Users\test22\AppData\Local\Temp\pcspikx.exe" C:\Users\test22\AppDa
Process injection Process 2644 called NtSetContextThread to modify thread in remote process 2708
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652
registers.esp: 3996916
registers.edi: 0
registers.eax: 4216632
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000bc
process_identifier: 2708
1 0 0
dead_host 193.56.29.112:6548
Lionic Trojan.Win32.Agent.tshg
DrWeb Trojan.Loader.1341
MicroWorld-eScan Trojan.GenericKD.65949387
CAT-QuickHeal Trojan.Multi
McAfee Artemis!F2E4E0BA9FC3
Sangfor Infostealer.Win32.Injector.V655
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanPSW:Win32/Stealer.61bd438b
Arcabit Trojan.NSISX.Spy.Gen.24 [many]
BitDefenderTheta Gen:NN.ZexaF.36344.aqW@aOxdQEo
Cyren W32/Downloader-Sml!Eldorado
Symantec Packed.NSISPacker!g14
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ESUG
Cynet Malicious (score: 99)
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-PSW.Win32.Stealer.gen
BitDefender Trojan.GenericKD.65949387
Avast Win32:PWSX-gen [Trj]
VIPRE Trojan.GenericKD.65949387
TrendMicro TROJ_GEN.R002C0DCF23
McAfee-GW-Edition BehavesLike.Win32.Dropper.cc
FireEye Generic.mg.f2e4e0ba9fc3fe9d
Emsisoft Trojan.GenericKD.65949387 (B)
Webroot W32.Trojan.NSISX.Spy
Avira TR/ATRAPS.Gen
MAX malware (ai score=80)
Antiy-AVL GrayWare/Win32.Wacapew
Gridinsoft Ransom.Win32.Wacatac.sa
Xcitium Malware@#2zwfsv3ypbfr6
Microsoft Trojan:Win32/Tnega.ST!MTB
GData Win32.Trojan.PSE.MC8CC0
Google Detected
AhnLab-V3 Infostealer/Win.Generic.C5395778
VBA32 BScope.Trojan.Loader
ALYac Trojan.PSW.AveMaria
TrendMicro-HouseCall TROJ_GEN.R002H0CCF23
Rising Trojan.Injector!1.E2E1 (CLASSIC)
Ikarus Trojan.Inject
Fortinet W32/Injector.ESTE!tr
AVG Win32:PWSX-gen [Trj]
Panda Trj/CI.A