popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

RV1-INV-2023090.exe

NSIS UPX Malicious Library PE File DLL PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 May 30, 2023, 4:30 p.m. May 30, 2023, 4:32 p.m.
Size 146.4KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 e7eca1999e37695727ae022c0bc65d18
SHA256 6f659ce1e027a53c0e98f386f6da6ad4d66b09ac1a34ca5440a8b25ad5bc53af
CRC32 E793BC05
ssdeep 3072:HfY/TU9fE9PEtutbm2Eau5FlsYXA+VkjkCM7UuQS1hRPWTxK:/Ya6D9i3nekCMIQnRuTxK
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • NSIS_Installer - Null Soft Installer
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
185.246.220.60 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49164 -> 185.246.220.60:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.102:49164 -> 185.246.220.60:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 185.246.220.60:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.102:49166 -> 185.246.220.60:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 185.246.220.60:80 2021641 ET MALWARE LokiBot User-Agent (Charon/Inferno) A Network Trojan was detected
TCP 192.168.56.102:49167 -> 185.246.220.60:80 2025381 ET MALWARE LokiBot Checkin Malware Command and Control Activity Detected
TCP 192.168.56.102:49164 -> 185.246.220.60:80 2024312 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 A Network Trojan was detected
TCP 192.168.56.102:49164 -> 185.246.220.60:80 2024317 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 A Network Trojan was detected
TCP 192.168.56.102:49166 -> 185.246.220.60:80 2024312 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 A Network Trojan was detected
TCP 192.168.56.102:49166 -> 185.246.220.60:80 2024317 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 A Network Trojan was detected
TCP 192.168.56.102:49167 -> 185.246.220.60:80 2024313 ET MALWARE LokiBot Request for C2 Commands Detected M1 Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 185.246.220.60:80 2024318 ET MALWARE LokiBot Request for C2 Commands Detected M2 Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
rv1-inv-2023090+0x12fdd @ 0x412fdd
rv1-inv-2023090+0x1296e @ 0x41296e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: 8a 0a 88 0c 17 42 4e 75 f7 5f 5e 5d c3 55 8b ec
exception.symbol: rv1-inv-2023090+0x2b41
exception.instruction: mov cl, byte ptr [edx]
exception.module: RV1-INV-2023090.exe
exception.exception_code: 0xc0000005
exception.offset: 11073
exception.address: 0x402b41
registers.esp: 43253556
registers.edi: 39575271
registers.eax: 45875232
registers.ebp: 43253564
registers.edx: 6508544
registers.ebx: 45875232
registers.esi: 221986214
registers.ecx: 0
1 0 0
suspicious_features POST method with no referer header, HTTP version 1.0 used, Connection to IP address suspicious_request POST http://185.246.220.60/project/five/fre.php
request POST http://185.246.220.60/project/five/fre.php
request POST http://185.246.220.60/project/five/fre.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 3032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e92000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3032
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03120000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03130000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

 number_of_free_clusters: 2227362
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 2227362
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
file C:\Users\test22\AppData\Roaming\Opera\Opera Next\data\Login Data
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Chromium\User Data\Default\Login Data
file C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
file C:\Users\test22\AppData\LocalMapleStudio\ChromePlus\Login Data
file C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Nichrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\RockMelt\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
file C:\Users\test22\AppData\Local\Temp\nsr2799.tmp\fufly.dll
file C:\Users\test22\AppData\Local\Temp\nsr2799.tmp\fufly.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 185.246.220.60
file C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\test22\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
file C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\test22\AppData\Roaming\wcx_ftp.ini
file C:\Windows\wcx_ftp.ini
file C:\Users\test22\wcx_ftp.ini
file C:\Windows\32BitFtp.ini
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Program Files (x86)\FileZilla\Filezilla.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\test22\AppData\Roaming\FileZilla\filezilla.xml
registry HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
registry HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
registry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
registry HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
registry HKEY_CURRENT_USER\Software\Martin Prikryl
registry HKEY_LOCAL_MACHINE\Software\Martin Prikryl
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\78.4.0 (ko)\Main
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Process injection Process 3032 called NtSetContextThread to modify thread in remote process 2216
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2001207748
registers.esp: 1638384
registers.edi: 0
registers.eax: 4274654
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000220
process_identifier: 2216
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Agent.tshg
DrWeb Trojan.PWS.Siggen3.29732
Cynet Malicious (score: 100)
McAfee RDN/Generic PWS.y
Malwarebytes Trojan.Injector.NSIS
VIPRE Trojan.GenericKD.66952984
Sangfor Infostealer.Win32.Loader.Vq8v
K7AntiVirus Riskware ( 00584baa1 )
Alibaba Trojan:Win32/Loader.a1ff8ffc
K7GW Riskware ( 00584baa1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D3FD9F18
BitDefenderTheta Gen:NN.ZedlaF.36196.aq4@aG87cSp
Cyren W32/Injector.ALX.gen!Eldorado
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ESXX
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Loader.gen
BitDefender Trojan.GenericKD.66952984
MicroWorld-eScan Trojan.GenericKD.66952984
Avast Win32:PWSX-gen [Trj]
Tencent Win32.Trojan.Loader.Gkjl
Emsisoft Trojan.GenericKD.66952984 (B)
F-Secure Heuristic.HEUR/AGEN.1300644
TrendMicro TROJ_GEN.R002C0DE923
McAfee-GW-Edition BehavesLike.Win32.Generic.cc
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.e7eca1999e376957
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Webroot W32.Trojan.GenKD
Avira HEUR/AGEN.1300644
MAX malware (ai score=100)
Xcitium Malware@#3va22cgr427kx
Microsoft PWS:Win32/Fareit.MS!MTB
ZoneAlarm HEUR:Backdoor.Win32.Androm.gen
GData Trojan.GenericKD.66952984
AhnLab-V3 Malware/Win.Generic.C4960456
Acronis suspicious
VBA32 Trojan.LokiBot
ALYac Trojan.GenericKD.66952984
Cylance unsafe
Panda Trj/CI.A
TrendMicro-HouseCall TROJ_GEN.F0D1C00E923
Rising Trojan.Formbook!8.F858 (TFE:5:UwcepuvgGTO)
Yandex Trojan.Igent.bZ6wkh.4
Ikarus Trojan-Spy.FormBook
Fortinet W32/Injector.WK!tr