Summary | ZeroBOX

expo.exe

Tags: UPX, Malicious Library, AntiDebug, PE File, OS Processor Check, PE32, AntiVM
Category FILE
Machine s1_win7_x6401
Started Sept. 15, 2023, 5:25 p.m.
Completed Sept. 15, 2023, 5:34 p.m.
Size 1.8MB
Type PE32 executable (console) Intel 80386, for MS Windows
MD5 f94bf3a0e3733958d4973ef664f78927
SHA256 7a266b1d528127259dc89f9d9410b19c5ab55247034db6e4ec8f37c1b51bee79
CRC32 B2A530A8
ssdeep 24576:DMdQ1KOpYU/hsYVNQnb3iUBDqd6a9Dhvh9wj78ptl:31F/hsYVNQ+UI6a3vHwj78pv
PDB Path C:\AziX5sd0UIh45JJEBNErGAvcuDPjdvkT\Ghost.pdb
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
5.42.92.211 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49165 -> 5.42.92.211:80 2047625 ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) A Network Trojan was detected
TCP 192.168.56.101:49165 -> 5.42.92.211:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic

Suricata TLS

No Suricata TLS

pdb_path C:\AziX5sd0UIh45JJEBNErGAvcuDPjdvkT\Ghost.pdb
section .00cfg
packer Microsoft Visual C++ V8.0 (Debug)
suspicious_features POST method with no referer header, Connection to IP address
suspicious_request POST http://5.42.92.211/loghub/master
request POST http://5.42.92.211/loghub/master
request POST http://5.42.92.211/loghub/master
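The two suspicious_features flagged on the POST to http://5.42.92.211/loghub/master (and the reason Suricata SID 2018358 fires on the same flow) come down to two checks that take a few lines each. What follows is an added example written for this page, not ZeroBOX's own signature code: the request dicts are constructed samples (the first mirrors the request recorded above, the other two are benign controls), and the field names method, url and headers are assumptions about how a sandbox would hand the requests over.

```python
import re
from urllib.parse import urlsplit

# Constructed sample requests (not taken from ZeroBOX).  The first is the
# report's check-in POST; the GET and the POST-with-Referer are benign
# controls so the checks have something to leave alone.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://5.42.92.211/loghub/master",
     "headers": {"Host": "5.42.92.211",
                 "Content-Type": "application/x-www-form-urlencoded"}},
    {"method": "GET", "url": "http://www.msftncsi.com/ncsi.txt",
     "headers": {"Host": "www.msftncsi.com"}},
    {"method": "POST", "url": "https://example.org/api/submit",
     "headers": {"Host": "example.org",
                 "Referer": "https://example.org/form"}},
]

# A literal IPv4 host: no DNS lookup happened, the address is hard-coded.
DOTTED_QUAD = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def suspicious_features(req):
    """Return the suspicious features exhibited by one HTTP request.

    Two checks, matching the report's wording: a POST with no Referer
    header (a browser form submit carries one; a hand-rolled beacon rarely
    does) and a connection to an IP address instead of a hostname.
    """
    features = []
    host = urlsplit(req["url"]).hostname or ""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if req["method"].upper() == "POST" and "referer" not in headers:
        features.append("POST method with no referer header")
    if DOTTED_QUAD.match(host):
        features.append("Connection to IP address")
    return features


def triage(requests):
    """Map each flagged URL to its features; repeated requests to the same
    URL (the report lists the POST twice) collapse into one entry."""
    flagged = {}
    for req in requests:
        feats = suspicious_features(req)
        if feats:
            flagged.setdefault(req["url"], feats)
    return flagged


if __name__ == "__main__":
    for url, feats in triage(SAMPLE_REQUESTS).items():
        print(f"{url}: {', '.join(feats)}")
```

Either feature alone is weak (plenty of legitimate clients POST to bare IPs on internal networks), which is why the report lists them as features and leaves the verdict to the Stealc check-in signature on the same flow.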
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
process_identifier: 3388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d41000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtProtectVirtualMemory
process_identifier: 3388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75e61000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtProtectVirtualMemory
process_identifier: 3388
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76161000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0
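Each of the three records above flips exactly one 4 KiB page in the sample's own process (process_handle 0xffffffff is the pseudo-handle for the current process) to PAGE_EXECUTE_READWRITE, and every base address sits 0x1000 past a 64 KiB boundary, which is where the first section of a mapped image normally begins. That pattern reads as a loaded module's code page being rewritten rather than fresh memory being prepared for shellcode. The following is an added example, not ZeroBOX's signature code: it parses a constructed log in the same key: value layout (two RWX records copied from above plus one invented PAGE_READONLY control) and reports the in-process RWX changes together with that alignment hint.

```python
import re

PAGE_EXECUTE_READWRITE = 0x40   # the "64" in the protection field above
CURRENT_PROCESS = 0xFFFFFFFF    # NtCurrentProcess() pseudo-handle, 32-bit

# Constructed sample in the layout of the API log on this page: one record
# per call, records separated by a blank line.  The first two copy the
# report's values; the PAGE_READONLY record is an invented benign control.
# (Example data, not taken from ZeroBOX.)
SAMPLE_LOG = """\
NtProtectVirtualMemory
process_identifier: 3388
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75d41000
process_handle: 0xffffffff

NtProtectVirtualMemory
process_identifier: 3388
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75e61000
process_handle: 0xffffffff

NtProtectVirtualMemory
process_identifier: 3388
length: 4096
protection: 2 (PAGE_READONLY)
base_address: 0x00401000
process_handle: 0xffffffff
"""


def parse_calls(text):
    """Turn the flattened 'key: value' records into one dict per API call."""
    calls = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        call = {"api": lines[0]}          # first line is the API name
        for line in lines[1:]:
            key, _, value = line.partition(":")
            call[key.strip()] = value.strip()
        calls.append(call)
    return calls


def protection_value(field):
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64; the name in parentheses is ignored."""
    return int(field.split()[0])


def first_section_page(base):
    """True when base is 0x1000 past a 64 KiB boundary.

    Images are mapped at 64 KiB-aligned bases and their first section
    (normally .text) starts at RVA 0x1000, so an RWX change here usually
    targets existing module code rather than a fresh allocation.
    """
    return (base & 0xFFFF) == 0x1000


def rwx_self_modifications(calls):
    """(base, length) for every NtProtectVirtualMemory that makes memory in
    the caller's own process writable and executable at the same time."""
    hits = []
    for c in calls:
        if c["api"] != "NtProtectVirtualMemory":
            continue
        if not (protection_value(c["protection"]) & PAGE_EXECUTE_READWRITE):
            continue
        if int(c["process_handle"], 16) != CURRENT_PROCESS:
            continue
        hits.append((int(c["base_address"], 16), int(c["length"])))
    return hits


if __name__ == "__main__":
    for base, length in rwx_self_modifications(parse_calls(SAMPLE_LOG)):
        tag = "image first page" if first_section_page(base) else "other"
        print(f"RWX at {base:#010x} len {length} ({tag})")
```

The module names behind 0x75d41000, 0x75e61000 and 0x76161000 are not on this page, so the alignment check is a hint to pull the process's module list from the full report, not a conclusion on its own.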
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP
host 5.42.92.211
Bkav W32.AIDetectMalware
MicroWorld-eScan Trojan.Agent.GGRT
FireEye Trojan.Agent.GGRT
McAfee Artemis!F94BF3A0E373
Malwarebytes Spyware.PasswordStealer
Sangfor Backdoor.Win32.Injector.V0st
Alibaba Backdoor:Win32/Injector.301c4936
Cyren W32/Kryptik.KRA.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ETFD
Cynet Malicious (score: 100)
APEX Malicious
ClamAV Win.Malware.Exploitx-9967939-0
Kaspersky HEUR:Backdoor.Win32.Agent.gen
BitDefender Trojan.Agent.GGRT
Avast Win32:Evo-gen [Trj]
DrWeb Trojan.KillProc2.21446
TrendMicro Trojan.Win32.SMOKELOADER.YXDIOZ
McAfee-GW-Edition Artemis!Trojan
Sophos Mal/Generic-S
Ikarus Win32.Outbreak
Webroot W32.Trojan.Gen
Antiy-AVL Trojan/Win32.Injector
Microsoft Trojan:Win32/Znyonm
Gridinsoft Ransom.Win32.Sabsik.sa
Arcabit Trojan.Agent.GGRT
ZoneAlarm HEUR:Backdoor.Win32.Agent.gen
Google Detected
MAX malware (ai score=80)
Cylance unsafe
Panda Trj/Genetic.gen
Rising Backdoor.Agent!8.C5D (TFE:5:CeppGcuQMQO)
MaxSecure Trojan.Malware.121218.susgen
Fortinet W32/Injector.ETFD!tr
AVG Win32:Evo-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)