Summary | ZeroBOX

festkon2.1.exe

Tags: NSIS, UPX, Malicious Library, PE File, DLL, OS Processor Check, PE32
Category: FILE
Machine: s1_win7_x6401
Started: June 24, 2023, 1:22 p.m.
Completed: June 24, 2023, 1:24 p.m.
Size: 335.9KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: f14a6c2f0c53470577f1e3a66e34fe64
SHA256: c299e76637951c9dbe6d4e5eed327228c70a186c9c37958b3bb756add59419f9
CRC32: 4355584A
ssdeep: 6144:PYa65rGSvu7AzoMHAyjMa+4MS5l/Lr18/azj3MQhoLUUPMG1sBC+0SaXE:PYTnu8zo0Aywa+m5lbj8QiL2G1a/N
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • NSIS_Installer - Null Soft Installer
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
104.21.48.94 Active Moloch
13.248.169.48 Active Moloch
164.124.101.2 Active Moloch
81.169.145.70 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49166 -> 81.169.145.70:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 81.169.145.70:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 13.248.169.48:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 81.169.145.70:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 13.248.169.48:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 104.21.48.94:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 13.248.169.48:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 104.21.48.94:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 104.21.48.94:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

Status: 1 Return: 1 Repeated: 0
section .ndata
suspicious_features: GET method with no useragent header; suspicious_request: GET http://www.getflooringservices.today/k2l0/?RP=FvRqhx5F0gpoyzkzEA/2xbKvy1jG9ib4vK3RJ9Rey27fu6ve9bbhEuDygjhGMwuuWgCzAHD/&rXLpvR=P0D4a24
suspicious_features: GET method with no useragent header; suspicious_request: GET http://www.alltiett.net/k2l0/?RP=CLWhMEEH+TKpZCs82dDMH40MtEeqU8fVsX2BTRkbuaHTGaAdqzqBoXZ1eBBCJkRM4luJ5zo3&rXLpvR=P0D4a24
suspicious_features: GET method with no useragent header; suspicious_request: GET http://www.usdrub.com/k2l0/?RP=R+iha7GQYIR128qb/ePPYcj+8Pay4Nrp+ciVv5jeZEPMbb+7/2J83xwbNHNe0GBur2Js8QJC&rXLpvR=P0D4a24
request: GET http://www.getflooringservices.today/k2l0/?RP=FvRqhx5F0gpoyzkzEA/2xbKvy1jG9ib4vK3RJ9Rey27fu6ve9bbhEuDygjhGMwuuWgCzAHD/&rXLpvR=P0D4a24
request: GET http://www.alltiett.net/k2l0/?RP=CLWhMEEH+TKpZCs82dDMH40MtEeqU8fVsX2BTRkbuaHTGaAdqzqBoXZ1eBBCJkRM4luJ5zo3&rXLpvR=P0D4a24
request: GET http://www.usdrub.com/k2l0/?RP=R+iha7GQYIR128qb/ePPYcj+8Pay4Nrp+ciVv5jeZEPMbb+7/2J83xwbNHNe0GBur2Js8QJC&rXLpvR=P0D4a24
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d62000
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03360000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2548
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03370000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b70000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status: 1 Return: 0 Repeated: 0
file: C:\Users\test22\AppData\Local\Temp\nssEDDC.tmp\wiryca.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
Status: 1 Return: 1 Repeated: 0
Process injection: Process 2548 called NtSetContextThread to modify thread in remote process 2648
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321488
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000240
process_identifier: 2648
Status: 1 Return: 0 Repeated: 0
Antivirus Vendor Result
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Nemesis.22779
McAfee Artemis!F14A6C2F0C53
Malwarebytes Generic.Malware/Suspicious
VIPRE Gen:Variant.Nemesis.22779
Sangfor Trojan.Win32.Strab.Voej
Alibaba Trojan:Win32/Strab.737fdcdb
Cybereason malicious.f0c534
Arcabit Trojan.Nemesis.D58FB [many]
VirIT Trojan.Win32.Genus.RNP
Cyren W32/Ninjector.IU.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.ETBL
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Strab.gen
BitDefender Gen:Variant.Nemesis.22779
Avast Win32:TrojanX-gen [Trj]
Emsisoft Gen:Variant.Nemesis.22779 (B)
TrendMicro TROJ_GEN.R002C0DFN23
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Trapmine malicious.high.ml.score
FireEye Generic.mg.f14a6c2f0c534705
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Avira TR/AD.Swotter.frnbu
MAX malware (ai score=88)
Gridinsoft Trojan.Win32.FormBook.bot
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm HEUR:Trojan.Win32.Strab.gen
GData Zum.Androm.1
Google Detected
AhnLab-V3 Infostealer/Win.Generic.R563828
BitDefenderTheta Gen:NN.ZedlaF.36270.pu4@aGzlSkai
Cylance unsafe
Panda Trj/GdSda.A
TrendMicro-HouseCall TROJ_GEN.R002H0DFN23
Rising Trojan.Generic@AI.97 (RDML:lkLW0GCnIjN8PNXtjTbNDA)
Ikarus Trojan-Spy.FormBook
MaxSecure Trojan.Malware.121218.susgen
Fortinet NSIS/Agent.DCAC!tr
AVG Win32:TrojanX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)