Summary | ZeroBOX

Fnvtdhenapsfwu.exe

Tags: Malicious Library, Admin Tool (Sysinternals etc ...), UPX, PE32, PE File, MZP Format, URL Format
Category  Machine           Started                   Completed
FILE      s1_win7_x6403_us  Sept. 6, 2023, 7:39 a.m.  Sept. 6, 2023, 7:41 a.m.
Size 1.2MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 cffe529403460c6affe0f52c1e7de602
SHA256 56a3dc5c90ade897e349ba0fd0433770dcdda32b5bd2a1c6608b2af2f9b34c05
CRC32 5906EE6F
ssdeep 24576:ORTaL+A2f8Zhp8bYm1EnyWjkf0eFuPD+4m:gTaKsh
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • mzp_file_format - MZP(Delphi) file format
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
164.124.101.2 Active Moloch
193.42.32.61 Active Moloch
81.161.229.9 Active Moloch

Suricata Alerts

Flow                                           SID      Signature                                Category
TCP 192.168.56.103:49166 -> 193.42.32.61:1972  2036594  ET JA3 Hash - Remcos 3.x TLS Connection  Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 193.42.32.61:1972  2036594  ET JA3 Hash - Remcos 3.x TLS Connection  Malware Command and Control Activity Detected

Both flows go from consecutive client ports to the same non-standard port, 1972/tcp on 193.42.32.61, and both trip the same Emerging Threats rule, which keys on the client's JA3 fingerprint rather than on a certificate or on payload content.

Suricata TLS

Flow                                           Version  Issuer  Subject  Fingerprint
TLS 192.168.56.103:49166 -> 193.42.32.61:1972  TLS 1.3  None    None     None
TLS 192.168.56.103:49165 -> 193.42.32.61:1972  TLS 1.3  None    None     None

Issuer, subject and fingerprint are empty because in TLS 1.3 the server's Certificate message is sent encrypted, so a passive sensor never sees it. What stays in cleartext is the ClientHello, which is why the JA3 alert above can still fire: JA3 hashes only the client's offered version, cipher suites, extension types, supported groups and point formats.
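Since the JA3 match is the only signal the sensor gets from these connections, it is worth seeing exactly what goes into that hash. The Python below is an added example written for this page, not code from the ZeroBOX report or from Suricata. It builds a constructed ClientHello (fixed random, a handful of cipher suites and extensions, a GREASE value in every list), parses it the way the JA3 reference implementation does, and returns the JA3 string and its MD5. The Remcos 3.x hash that ET rule 2036594 matches on is not reproduced here; the blocklist passed to `match_ja3` is a placeholder to be filled from your own ruleset.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are dropped before hashing, as the JA3 reference
# implementation does, so a client's random GREASE choice does not change its hash.
GREASE = {v for v in range(0x0a0a, 0x10000, 0x1010)}


def build_client_hello(version, ciphers, extensions, groups, point_formats):
    """Serialise a TLS record carrying a ClientHello (constructed test input, not a capture).
    Only the fields JA3 reads are populated; other extension bodies are left empty."""
    ext_blob = b""
    for ext_type in extensions:
        if ext_type == 10:    # supported_groups: u16 list length + u16 entries
            body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
        elif ext_type == 11:  # ec_point_formats: u8 list length + u8 entries
            body = bytes([len(point_formats)]) + bytes(point_formats)
        else:
            body = b""
        ext_blob += struct.pack("!HH", ext_type, len(body)) + body
    hello = (struct.pack("!H", version)
             + b"\x11" * 32                                  # client random (fixed, constructed)
             + b"\x00"                                       # empty legacy session_id
             + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
             + b"\x01\x00"                                   # one compression method: null
             + struct.pack("!H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake


def ja3_from_record(data):
    """Return (ja3_string, ja3_md5) for a TLS record containing a ClientHello."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                                  # record header (5) + handshake header (4)
    version = struct.unpack_from("!H", data, pos)[0]; pos += 2
    pos += 32                                                # random
    pos += 1 + data[pos]                                     # session_id
    cs_len = struct.unpack_from("!H", data, pos)[0]; pos += 2
    ciphers = [struct.unpack_from("!H", data, pos + i)[0] for i in range(0, cs_len, 2)]; pos += cs_len
    pos += 1 + data[pos]                                     # compression_methods
    ext_types, groups, formats = [], [], []
    if pos + 2 <= len(data):
        ext_len = struct.unpack_from("!H", data, pos)[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", data, pos); pos += 4
            body = data[pos:pos + elen]; pos += elen
            ext_types.append(etype)
            if etype == 10 and len(body) >= 2:               # supported_groups
                n = struct.unpack_from("!H", body, 0)[0]
                groups = [struct.unpack_from("!H", body, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == 11 and len(body) >= 1:             # ec_point_formats
                formats = list(body[1:1 + body[0]])

    def keep(vals):
        return [v for v in vals if v not in GREASE]

    ja3 = ",".join([str(version),
                    "-".join(map(str, keep(ciphers))),
                    "-".join(map(str, keep(ext_types))),
                    "-".join(map(str, keep(groups))),
                    "-".join(map(str, formats))])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def match_ja3(record, blocklist):
    """Label from blocklist (ja3_md5 -> name) if the record's JA3 is listed, else None.
    The real Remcos 3.x hash from ET SID 2036594 is not included here."""
    _, digest = ja3_from_record(record)
    return blocklist.get(digest)


# Constructed ClientHello: TLS 1.3-capable client, GREASE in every list.
# Note the version field is 0x0303 (771) even for TLS 1.3 clients, so the first JA3 field is 771.
SAMPLE = build_client_hello(version=0x0303,
                            ciphers=[0x0a0a, 0x1301, 0x1302, 0xc02b],
                            extensions=[0x0a0a, 0, 10, 11, 43],
                            groups=[0x0a0a, 29, 23],
                            point_formats=[0])

if __name__ == "__main__":
    ja3, digest = ja3_from_record(SAMPLE)
    print(ja3)      # 771,4865-4866-49195,0-10-11-43,29-23,0
    print(digest)
```

Because only the ClientHello is hashed, a JA3 rule identifies the TLS client stack (here, the one Remcos 3.x embeds), not the destination; it therefore keeps working against a TLS 1.3 server and against any IP the operator moves to, but it will also match any other software that ships the same stack, so treat a JA3 hit as a strong lead rather than proof on its own.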

Time & API            Arguments  Status  Return  Repeated

GlobalMemoryStatusEx             1       1       0

GlobalMemoryStatusEx reports physical and virtual memory totals; malware commonly reads it to spot the small RAM allotments typical of analysis VMs before deciding whether to proceed.
section .itext
packer BobSoft Mini Delphi -> BoB / BobSoft
request GET http://wsvdyhrgebwhevawe.ydns.eu/goofeeewsvd/Fnvtdhenaps

The .itext section and the BobSoft packer tag both point to a Delphi-built binary, matching the MZP Yara hit above. The download request goes to a host under ydns.eu, a free dynamic-DNS service, and the requested path ends in "Fnvtdhenaps", the first eleven characters of the sample's own file name.
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 532480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
3221225496 0

NtAllocateVirtualMemory

process_identifier: 2412
region_size: 532480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x1b110000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

The return value 3221225496 on the second call is NTSTATUS 0xC0000018, STATUS_CONFLICTING_ADDRESSES: 0x00400000 is the default image base of a 32-bit executable and that range is already in use in pid 2412, so the request collides with it. The third call asks for the same 532480 bytes of PAGE_EXECUTE_READWRITE memory and gets them at 0x1b110000; that region then holds the keyboard-hook callback below. process_handle 0xffffffff is the pseudo-handle for the current process.
description SndVol.exe tried to sleep 289 seconds, actually delayed analysis time by 289 seconds

SndVol.exe is the name of the Windows Volume Mixer binary, not of the submitted file. A process by that name is in the monitored tree and issues a nearly five-minute Sleep, which the sandbox skipped rather than waited out; a long sleep early in execution is a common attempt to outlast an analysis window. The report excerpt does not show how SndVol.exe was started or what was written into it, so whether the sample's payload runs inside that process cannot be confirmed from this page alone.
Time & API Arguments Status Return Repeated

SetWindowsHookExA

thread_identifier: 0
callback_function: 0x1b11a2a4
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x1b110000
0 0

thread_identifier 0 makes this a global hook: every keystroke on the desktop is delivered to callback_function, which is keylogging. The callback 0x1b11a2a4 and the module_address 0x1b110000 both fall inside the 532480-byte PAGE_EXECUTE_READWRITE region allocated at 0x1b110000 above (offset 0xa2a4), memory the process obtained with NtAllocateVirtualMemory rather than a mapped image, so the hook procedure is code the process wrote into memory itself.
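Read together, the three NtAllocateVirtualMemory records and the SetWindowsHookExA record make a compact detection case: a global low-level keyboard hook whose callback lives in memory the process itself just allocated RWX. The Python below is an added example written for this page, not ZeroBOX or Cuckoo code. It carries the four records above as plain dicts (field names shortened, values transcribed from the report) and implements two checks over them: a hook callback that falls inside an RWX allocation of the same process, and an RWX allocation at the default image base that fails with STATUS_CONFLICTING_ADDRESSES and is repeated with the same size elsewhere. The hook-type names and the NTSTATUS table are limited to the values that appear in this report.

```python
PAGE_EXECUTE_READWRITE = 0x40
STATUS_SUCCESS = 0
STATUS_CONFLICTING_ADDRESSES = 0xC0000018
DEFAULT_IMAGE_BASE = 0x00400000
HOOK_NAMES = {2: "WH_KEYBOARD", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

# API records transcribed from the report above (pid 2412); "ret" is the logged return value.
CALLS = [
    {"api": "NtAllocateVirtualMemory", "pid": 2412, "base": 0x002c0000, "size": 4096,   "prot": 0x40, "ret": 0},
    {"api": "NtAllocateVirtualMemory", "pid": 2412, "base": 0x00400000, "size": 532480, "prot": 0x40, "ret": 3221225496},
    {"api": "NtAllocateVirtualMemory", "pid": 2412, "base": 0x1b110000, "size": 532480, "prot": 0x40, "ret": 0},
    {"api": "SetWindowsHookExA", "pid": 2412, "hook_id": 13, "thread": 0,
     "callback": 0x1b11a2a4, "module": 0x1b110000, "ret": 0},
]


def ntstatus(code):
    """Name the NTSTATUS values seen in this report; anything else comes back as hex."""
    names = {STATUS_SUCCESS: "STATUS_SUCCESS",
             STATUS_CONFLICTING_ADDRESSES: "STATUS_CONFLICTING_ADDRESSES"}
    code &= 0xFFFFFFFF
    return names.get(code, f"0x{code:08X}")


def rwx_regions(calls):
    """(pid, base, end) for every NtAllocateVirtualMemory that succeeded with RWX protection."""
    return [(c["pid"], c["base"], c["base"] + c["size"]) for c in calls
            if c["api"] == "NtAllocateVirtualMemory"
            and c["prot"] & PAGE_EXECUTE_READWRITE and c["ret"] == STATUS_SUCCESS]


def hooks_in_rwx(calls):
    """Hook callbacks that point into RWX memory the same process allocated, not a mapped module."""
    regions = rwx_regions(calls)
    findings = []
    for c in calls:
        if c["api"] != "SetWindowsHookExA":
            continue
        for pid, base, end in regions:
            if pid == c["pid"] and base <= c["callback"] < end:
                findings.append({"pid": pid,
                                 "hook": HOOK_NAMES.get(c["hook_id"], str(c["hook_id"])),
                                 "global": c["thread"] == 0,      # thread 0 = all desktop threads
                                 "callback": c["callback"],
                                 "region": (base, end),
                                 "offset": c["callback"] - base})
    return findings


def image_base_retry(calls):
    """A failed allocation at the default image base followed, in the same process, by a
    successful allocation of exactly the same size somewhere else."""
    allocs = [c for c in calls if c["api"] == "NtAllocateVirtualMemory"]
    hits = []
    for i, a in enumerate(allocs):
        if a["base"] != DEFAULT_IMAGE_BASE or a["ret"] != STATUS_CONFLICTING_ADDRESSES:
            continue
        for b in allocs[i + 1:]:
            if b["pid"] == a["pid"] and b["size"] == a["size"] and b["ret"] == STATUS_SUCCESS:
                hits.append({"pid": a["pid"], "size": a["size"],
                             "failed_at": a["base"], "retried_at": b["base"]})
                break
    return hits


def report(calls):
    """Human-readable findings, one line each."""
    lines = []
    for f in hooks_in_rwx(calls):
        scope = "global " if f["global"] else ""
        lines.append(f"pid {f['pid']}: {scope}{f['hook']} hook callback 0x{f['callback']:08x} "
                     f"lies in RWX region 0x{f['region'][0]:08x}-0x{f['region'][1]:08x} "
                     f"(offset 0x{f['offset']:x})")
    for h in image_base_retry(calls):
        lines.append(f"pid {h['pid']}: RWX allocation of {h['size']} bytes at 0x{h['failed_at']:08x} "
                     f"failed with {ntstatus(STATUS_CONFLICTING_ADDRESSES)}, "
                     f"then succeeded at 0x{h['retried_at']:08x}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(CALLS)))
```

The first check is the one with real signal: a WH_KEYBOARD_LL procedure must normally live in a DLL that Windows can load into other processes, so a callback address inside a private RWX allocation is hard to explain benignly. The second check is weaker on its own (any relocatable module can be refused its preferred base) and is best used as corroboration for the first, or as a prompt to look for the NtWriteVirtualMemory and thread-creation calls that this excerpt does not include.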
Bkav W32.AIDetectMalware
FireEye Generic.mg.cffe529403460c6a
McAfee Artemis!CFFE52940346
Cybereason malicious.f87c2c
Cyren W32/Trojan.EBVR-7686
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 Win32/TrojanDownloader.ModiLoader.VX
APEX Malicious
Kaspersky HEUR:Backdoor.Win32.Remcos.gen
Avast FileRepMalware [Trj]
Sophos Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.Infected.th
Ikarus Win32.Outbreak
Webroot W32.Malware.Gen
Antiy-AVL Trojan/Win32.Wacatac
Gridinsoft Trojan.Win32.Gen.bot
Microsoft Trojan:Win32/Generic
ZoneAlarm UDS:DangerousObject.Multi.Generic
Google Detected
BitDefenderTheta Gen:NN.ZelphiF.36662.lLW@amsC8Rpi
VBA32 BScope.Backdoor.Remcos
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R002H0DI523
Rising Downloader.ModiLoader!8.17B13 (TFE:5:xJYR0O63t)
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Injector.ESCX!tr
AVG FileRepMalware [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)