popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

joe.exe

Malicious Library UPX PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 April 19, 2023, 5:47 p.m. April 19, 2023, 5:50 p.m.
Size 367.4KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 724ad0f724d2aba12940a1eeeede2980
SHA256 8d108254a8f52c795d01e4fa87ac70437873d1073e38c179716e5fa40816b82f
CRC32 D8B2708F
ssdeep 6144:7Ya6E9UJPbOrLRGNr8dPXw+kaBBIHtDhA7XbX5PGwhwtWT732fz0YThqHVTH6HuX:7Yq9UJzOa8w+kImHPm1LT73270FHHM78
Yara
  • UPX_Zero - UPX packed file
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49168 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 198.54.117.211:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 198.54.117.211:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 198.54.117.211:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.worsall.com/htqs/?Wz=eTBOdLg8O8WfPsi/aMZVIrp4p0K8YKCelaR89QpKBJlnv2Ndq6qGVsr5f6/0LBJihsjVfF3N&vB=chrxU
suspicious_features GET method with no useragent header suspicious_request GET http://www.barefootrestaurantil.com/htqs/?Wz=ICAmXkpg8yDUPQRUvyQOYOmftFyS4aTUj531dBtgwJBSVqZ9sI20XgQnE7PS7zFEssN/PDGq&vB=chrxU
suspicious_features GET method with no useragent header suspicious_request GET http://www.creativeavenueinc.com/htqs/?Wz=ffnFIYSrRTpd7MPzyCwe2L1JbBI6t6tjdC5GdL2BJumhS+yYJbcINhXRfRXQoojP5e7kf28Y&vB=chrxU
request GET http://www.worsall.com/htqs/?Wz=eTBOdLg8O8WfPsi/aMZVIrp4p0K8YKCelaR89QpKBJlnv2Ndq6qGVsr5f6/0LBJihsjVfF3N&vB=chrxU
request GET http://www.barefootrestaurantil.com/htqs/?Wz=ICAmXkpg8yDUPQRUvyQOYOmftFyS4aTUj531dBtgwJBSVqZ9sI20XgQnE7PS7zFEssN/PDGq&vB=chrxU
request GET http://www.creativeavenueinc.com/htqs/?Wz=ffnFIYSrRTpd7MPzyCwe2L1JbBI6t6tjdC5GdL2BJumhS+yYJbcINhXRfRXQoojP5e7kf28Y&vB=chrxU
domain www.sbratchik.ru description Russian Federation domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00490000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004a0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2700
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00910000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\wmweglq.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2644 called NtSetContextThread to modify thread in remote process 2700
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321568
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000f4
process_identifier: 2700
1 0 0
MicroWorld-eScan Trojan.Garf.Gen.7
FireEye Generic.mg.724ad0f724d2aba1
ALYac Trojan.NSISX.Spy.Gen.24
CrowdStrike win/malicious_confidence_100% (D)
Arcabit Trojan.Garf.Gen.7 [many]
Symantec Packed.NSISPacker!g14
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.Garf.Gen.7
NANO-Antivirus Riskware.Nsis.Adw.dqabkg
Emsisoft Trojan.Garf.Gen.7 (B)
VIPRE Trojan.Garf.Gen.7
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Trapmine suspicious.low.ml.score
Sophos Generic ML PUA (PUA)
SentinelOne Static AI - Suspicious PE
Microsoft Trojan:Win32/Formbook!MTB
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Trojan.NSISX.Spy.Gen.24
Google Detected
AhnLab-V3 Trojan/Win.NSISInject.R496549
MAX malware (ai score=84)
VBA32 BScope.Trojan.Wacatac
Ikarus Trojan-Spy.FormBook
Fortinet W32/Injector.ESWG!tr
DeepInstinct MALICIOUS