popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

agodzx.exe

NSIS UPX Malicious Library PE File DLL PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 June 27, 2023, 7:51 p.m. June 27, 2023, 7:54 p.m.
Size 239.6KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 8001fc3355e347ebeb82daf3170e884e
SHA256 ddcfb1ba424e8b10bc83301942845f50a4e5ada39250ba706a9ecbc7ee9e63e3
CRC32 3DB5A3FC
ssdeep 3072:HfY/TU9fE9PEtuMbMDLzhZnItT0oQ/Uaz2Tc+D5whNWoW9lPNn644T2fU36/c1+G:/Ya64MzhVI+h9S4Da9lsK8N+u4uL
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
www.kaka225.click
www.brachyurus.com
A 76.76.21.9
CNAME cname.vercel-dns.com
A 76.76.21.164
76.76.21.61
www.au-t-global.com
CNAME au-t-global.com
A 82.180.138.100
82.180.138.100
www.acmanu-us.site
A 64.190.62.22
64.190.62.22
IP Address Status Action
164.124.101.2 Active Moloch
64.190.62.22 Active Moloch
76.76.21.9 Active Moloch
82.180.138.100 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49167 -> 76.76.21.9:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 76.76.21.9:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49167 -> 76.76.21.9:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 82.180.138.100:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 82.180.138.100:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 82.180.138.100:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 64.190.62.22:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 64.190.62.22:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 64.190.62.22:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.acmanu-us.site/m42i/?p0G=M8nVTT0r1hADsDyVwfleHwIj0ZqP2E1IoBumjKzXRRezluCu1rC2Qj6VNg+s3TrRfpLzDtWa&uFNl=XP7LsfJx
suspicious_features GET method with no useragent header suspicious_request GET http://www.au-t-global.com/m42i/?p0G=N8+KveqynWjjsBQWfyAOVZVM5YmcO/FUxw7ndn9VCxpksnP1cJpjXRLM5l+ZvE4aHsqWuB9n&uFNl=XP7LsfJx
suspicious_features GET method with no useragent header suspicious_request GET http://www.brachyurus.com/m42i/?p0G=gFSPJhCHyHfvj3/OTQ/N209MWCE0ruxWwMKG8/dS7LL4Ng9TPUITJ3jANBDXY8KW/0SAdxND&uFNl=XP7LsfJx
request GET http://www.acmanu-us.site/m42i/?p0G=M8nVTT0r1hADsDyVwfleHwIj0ZqP2E1IoBumjKzXRRezluCu1rC2Qj6VNg+s3TrRfpLzDtWa&uFNl=XP7LsfJx
request GET http://www.au-t-global.com/m42i/?p0G=N8+KveqynWjjsBQWfyAOVZVM5YmcO/FUxw7ndn9VCxpksnP1cJpjXRLM5l+ZvE4aHsqWuB9n&uFNl=XP7LsfJx
request GET http://www.brachyurus.com/m42i/?p0G=gFSPJhCHyHfvj3/OTQ/N209MWCE0ruxWwMKG8/dS7LL4Ng9TPUITJ3jANBDXY8KW/0SAdxND&uFNl=XP7LsfJx
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aa0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2552
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03410000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00830000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nstEFEF.tmp\ecdkpffhq.dll
file C:\Users\test22\AppData\Roaming\scllhqqyuuea\ajss.exe
file C:\Users\test22\AppData\Roaming\scllhqqyuuea\ajss.exe
file C:\Users\test22\AppData\Local\Temp\nstEFEF.tmp\ecdkpffhq.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oxhhdmmirr reg_value C:\Users\test22\AppData\Roaming\scllhqqyuuea\ajss.exe "C:\Users\test22\AppData\Local\Temp\agodzx.exe"
Process injection Process 2552 called NtSetContextThread to modify thread in remote process 2656
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321408
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000214
process_identifier: 2656
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Agent.tshg
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Variant.Nemesis.22774
Malwarebytes Generic.Malware/Suspicious
VIPRE Gen:Variant.Nemesis.22774
Sangfor Trojan.Win32.Agent.Vsd9
CrowdStrike win/malicious_confidence_100% (W)
Cyren W32/Injector.BOI.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.ETBP
APEX Malicious
Kaspersky Trojan.Win32.Inject.aozpe
BitDefender Gen:Variant.Nemesis.22774
Avast Win32:InjectorX-gen [Trj]
Emsisoft Gen:Variant.Nemesis.22774 (B)
F-Secure Heuristic.HEUR/AGEN.1300410
DrWeb Trojan.Siggen9.48175
McAfee-GW-Edition BehavesLike.Win32.Generic.dc
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.8001fc3355e347eb
Sophos Mal/Generic-S
Ikarus Trojan-Spy.FormBook
GData Win32.Trojan.Agent.J6UQU3
Avira HEUR/AGEN.1300410
Arcabit Trojan.Nemesis.D58F6 [many]
ZoneAlarm HEUR:Trojan.Win32.Injexa.gen
Microsoft Trojan:Win32/Formbook!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win.Generic.R585815
Acronis suspicious
McAfee Artemis!8001FC3355E3
MAX malware (ai score=88)
Cylance unsafe
Panda Trj/GdSda.A
Rising Trojan.Tnega!8.11997 (TFE:6:Tilu0gPawtJ)
SentinelOne Static AI - Suspicious PE
Fortinet NSIS/Agent.DCAC!tr
AVG Win32:InjectorX-gen [Trj]
Cybereason malicious.355e34
DeepInstinct MALICIOUS