Summary | ZeroBOX

Owpxkxlhneicvr.scr

Tags: Malicious Library, UPX, PE32, URL Format, MZP Format, PE File
Category: FILE
Machine: s1_win7_x6403_us
Started: Sept. 20, 2023, 5:56 p.m.
Completed: Sept. 20, 2023, 6 p.m.
Size 1.2MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 79b7474ded312cda4a0bd477ddf78378
SHA256 3880c8403a1377ae8bbcc6f782e51839364c9e2e9e29ea9a02d011eeefd51d69
CRC32 289BBDB1
ssdeep 12288:QQGIc/IHeXIZ7dF+Xa4IkmeQ+rp6pBBFKxdLIJuVvFTqlCtop7p7R8H9xvUincHL:Q3Ic+ZzOFcfDcchpd+Y0MSiy
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • mzp_file_format - MZP(Delphi) file format

IP Address      Status   Action
164.124.101.2   Active   Moloch
178.237.33.50   Active   Moloch
193.42.32.61    Active   Moloch

Suricata Alerts

Flow: TCP 192.168.56.103:49166 -> 193.42.32.61:1972
SID: 2036594
Signature: ET JA3 Hash - Remcos 3.x TLS Connection
Category: Malware Command and Control Activity Detected

Suricata TLS

Flow: TLS 1.3 192.168.56.103:49166 -> 193.42.32.61:1972
Issuer: None
Subject: None
Fingerprint: None

Time & API Arguments Status Return Repeated

API: GlobalMemoryStatusEx
Status / Return / Repeated: 1 1 0
section CODE
section DATA
section BSS
packer BobSoft Mini Delphi -> BoB / BobSoft
suspicious_features GET method with no useragent header
suspicious_request GET http://geoplugin.net/json.gp
request GET http://troubletorn.ydns.eu/x/yaztdtgfd/Owpxkxlhnei
request GET http://geoplugin.net/json.gp
Time & API Arguments Status Return Repeated

API: NtAllocateVirtualMemory
process_identifier: 2488
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status / Return / Repeated: 1 0 0

API: NtAllocateVirtualMemory
process_identifier: 2488
region_size: 532480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
Status / Return / Repeated: 3221225496 0

API: NtAllocateVirtualMemory
process_identifier: 2488
region_size: 532480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0f340000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
Status / Return / Repeated: 1 0 0
description SndVol.exe tried to sleep 299 seconds, actually delayed analysis time by 299 seconds
Time & API Arguments Status Return Repeated

API: SetWindowsHookExA
thread_identifier: 0
callback_function: 0x0f34a2a4
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x0f340000
Status / Return / Repeated: 0 0
Engine        Detection
Bkav          W32.AIDetectMalware
Elastic       malicious (high confidence)
FireEye       Generic.mg.79b7474ded312cda
Cybereason    malicious.09dd73
Cyren         W32/ModiLoader.A.gen!Eldorado
Symantec      ML.Attribute.HighConfidence
APEX          Malicious
Kaspersky     HEUR:Backdoor.Win32.Remcos.gen
Avast         DropperX-gen [Drp]
Sophos        ML/PE-A
Ikarus        Trojan.Inject
ZoneAlarm     HEUR:Backdoor.Win32.Remcos.gen
Google        Detected
AhnLab-V3     Trojan/Win.Generic.R575480
Cylance       unsafe
Rising        Downloader.Agent!1.E646 (CLASSIC)
Fortinet      W32/Formbook.AA!tr
AVG           DropperX-gen [Drp]
DeepInstinct  MALICIOUS
CrowdStrike   win/malicious_confidence_90% (W)