Summary | ZeroBOX

fmodstudio64.exe

UPX Malicious Library OS Processor Check PE32 PE File
Category FILE
Machine s1_win7_x6403_us
Started Oct. 4, 2023, 7:40 a.m.
Completed Oct. 4, 2023, 7:42 a.m.
Size 3.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5f32065d2330cb09aee6ed9fa7ed1c21
SHA256 4a35f8134f64ad28c5fe261d7cf15256ecd758566c2ddbf4bd962925502ade41
CRC32 8DA13C90
ssdeep 98304:UVHFXSCmqsSgfkV9ft9gnOMmgqT6d9y426tTB:UVHFXSCmqsMXl9oPfCzB09
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check

IP Address Status Action
164.124.101.2 Active Moloch
36.51.224.27 Active Moloch
36.51.224.53 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49161 -> 36.51.224.53:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49162 -> 36.51.224.27:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint

TLSv1 192.168.56.103:49161 -> 36.51.224.53:443
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust CN RSA CA G1
Subject: C=CN, ST=Beijing, O=Sina.com Technology(China)Co.,ltd, CN=weibo.cn
Fingerprint: 79:ba:c8:0e:94:43:4a:82:24:d9:a7:d4:07:56:67:c1:6b:ed:51:bb

TLSv1 192.168.56.103:49162 -> 36.51.224.27:443
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust CN RSA CA G1
Subject: C=CN, ST=Beijing, O=Sina.com Technology(China)Co.,ltd, CN=sina.com
Fingerprint: d8:ca:c3:ab:c9:0b:74:8c:48:4d:64:e8:35:c3:6c:95:f2:de:cb:fa

Time & API Arguments Status Return Repeated

GetComputerNameW
computer_name: TEST22-PC
Status 1 Return 1 Repeated 0

GetComputerNameW
computer_name: TEST22-PC
Status 1 Return 1 Repeated 0

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx
Status 1 Return 1 Repeated 0
resource name RO
suspicious_features GET method with no useragent header suspicious_request GET https://weibo.com/
suspicious_features GET method with no useragent header suspicious_request GET https://passport.weibo.com/visitor/visitor?entry=miniblog&a=enter&url=https%3A%2F%2Fweibo.com%2F&domain=weibo.com&_rand=1696372813674&sudaref=
request GET https://weibo.com/
request GET https://passport.weibo.com/visitor/visitor?entry=miniblog&a=enter&url=https%3A%2F%2Fweibo.com%2F&domain=weibo.com&_rand=1696372813674&sudaref=
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory
process_identifier: 652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053f000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtProtectVirtualMemory
process_identifier: 652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740d1000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtProtectVirtualMemory
process_identifier: 652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740d6000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0

NtProtectVirtualMemory
process_identifier: 652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740d1000
process_handle: 0xffffffff
Status 1 Return 0 Repeated 0
cmdline C:\Windows\SysWOW64\cmd.exe
Time & API Arguments Status Return Repeated

CreateProcessInternalW
thread_identifier: 2160
thread_handle: 0x000003dc
process_identifier: 2156
current_directory:
filepath:
track: 1
command_line: C:\Windows\SysWOW64\cmd.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003e0
Status 1 Return 1 Repeated 0
section {u'size_of_data': u'0x0000e000', u'virtual_address': u'0x00155000', u'entropy': 7.206453493549018, u'name': u'.data', u'virtual_size': u'0x000d2908'} entropy 7.20645349355 description A section with a high entropy has been found
section {u'size_of_data': u'0x000d3000', u'virtual_address': u'0x00228000', u'entropy': 7.616856032740824, u'name': u'.rsrc', u'virtual_size': u'0x000d2518'} entropy 7.61685603274 description A section with a high entropy has been found
entropy 0.398230088496 description Overall entropy of this PE file is high
Sangfor Trojan.Win32.Agent.V7hh
Symantec Trojan.Gen.MBT
Kaspersky Trojan.Win32.Penguish.cr
Avast FileRepMalware [Misc]
TrendMicro TrojanSpy.Win32.LUMMASTEALER.YXDJCZ
McAfee-GW-Edition Artemis
Sophos Mal/Generic-S
ZoneAlarm Trojan.Win32.Penguish.cr
Microsoft Trojan:Script/Phonzy.B!ml
McAfee Artemis!5F32065D2330
VBA32 BScope.Trojan.Penguish
Panda Trj/Chgt.AD
TrendMicro-HouseCall TrojanSpy.Win32.LUMMASTEALER.YXDJCZ
AVG FileRepMalware [Misc]
DeepInstinct MALICIOUS
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob