popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

dcrossc.exe

NSIS UPX Malicious Library Malicious Packer PE File OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us April 22, 2023, 8:43 a.m. April 22, 2023, 8:45 a.m.
Size 168.9KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 fcb1534a561fc1fe2954c00899e2815f
SHA256 da2e5977867a2f47a9b60eb9ffcd29cb8a20a9dbcf474b0c27ffee004748ecbb
CRC32 5E4DD94A
ssdeep 3072:HfY/TU9fE9PEtu6WbmIu44Z/UumD1xuDi44AjGj4oAEyZxqe07M/p0j1zPE/O:/Ya65mI1um5xuDzJmAEgxqe07Q0FPb
Yara
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library

Name Response Post-Analysis Lookup
avarian717.duckdns.org
A 193.56.29.183
193.56.29.183
IP Address Status Action
164.124.101.2 Active Moloch
193.56.29.183 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
domain avarian717.duckdns.org
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d50000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1236
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000004d20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\ajulw.exe
file C:\Users\test22\AppData\Roaming\nwglhqavfo\ktpxhdmv.exe
file C:\Users\test22\AppData\Local\Temp\ajulw.exe
file C:\Users\test22\AppData\Local\Temp\ajulw.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\rbwgplueajf reg_value C:\Users\test22\AppData\Roaming\nwglhqavfo\ktpxhdmv.exe "C:\Users\test22\AppData\Local\Temp\ajulw.exe" C:\Users\test22\AppData\Lo
Time & API Arguments Status Return Repeated

SetWindowsHookExA

 thread_identifier: 0
callback_function: 0x004074c0
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 131541 0
Process injection Process 2056 called NtSetContextThread to modify thread in remote process 2112
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4216632
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000dc
process_identifier: 2112
1 0 0
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.24
FireEye Generic.mg.fcb1534a561fc1fe
McAfee Artemis!FCB1534A561F
Malwarebytes Generic.Malware/Suspicious
VIPRE Trojan.NSISX.Spy.Gen.24
Alibaba Ransom:Win32/GandCrypt.884
CrowdStrike win/malicious_confidence_100% (W)
Symantec Packed.NSISPacker!g14
ESET-NOD32 a variant of Win32/Injector.ESWW
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 99)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.NSISX.Spy.Gen.24
Avast Win32:PWSX-gen [Trj]
Emsisoft Trojan.NSISX.Spy.Gen.24 (B)
McAfee-GW-Edition BehavesLike.Win32.Worm.cc
Trapmine malicious.moderate.ml.score
Sophos Mal/Generic-S
Ikarus Trojan.Inject
Webroot W32.Trojan.NSISX.Spy
Avira TR/AD.GenShell.xofbd
Arcabit Trojan.NSISX.Spy.Gen.24 [many]
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Trojan.NSISX.Spy.Gen.24 (2x)
Google Detected
AhnLab-V3 Infostealer/Win.Generic.R563828
ALYac Trojan.NSISX.Spy.Gen.24
MAX malware (ai score=80)
Cylance unsafe
Rising Trojan.VecStealer!8.180E7 (CLOUD)
Fortinet W32/Injector.ESWS!tr
BitDefenderTheta Gen:NN.ZexaE.36164.cqW@aiCWzhbi
AVG Win32:PWSX-gen [Trj]
DeepInstinct MALICIOUS