popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

romankon2.1.exe

NSIS UPX Malicious Library PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 11, 2023, 7:47 a.m. Oct. 11, 2023, 7:50 a.m.
Size 335.2KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 f66044875f6dff90814d4b09be15bde7
SHA256 6168bfdf30f058beb000e91b1ccdb8e264318f8e311f186245b16b8217787c9d
CRC32 28A6B4E2
ssdeep 6144:6XFKo5k+LR/J+11afFMWPAc/ss80OORbcrFZowHA45h7QQSBrv:6Xo8R/4ofCWoc/snKKBZowHF5h9SBrv
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49168 -> 156.241.138.74:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 198.49.23.145:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 15.197.148.33:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 146.75.50.236:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.trailblazerbaby.com/ge06/?cxlL6=Vn36JpzNTKaSb0MTbSztLcrwH0nGOIWlPxp5C0tdRb7z35/kOAEpp28Rs4alwfkjtZwLX/a3&Tj=YBZ0
suspicious_features GET method with no useragent header suspicious_request GET http://www.seoulbeautytw.com/ge06/?cxlL6=Qc2b7R052BxaaIixZxZchyIrCtI6dOvdNg5lwCRd5bjXdsmVEtEF/rdDBYlFLrvTnx09Yrft&Tj=YBZ0
suspicious_features GET method with no useragent header suspicious_request GET http://www.bowllywood.com/ge06/?cxlL6=uEJyp/LCRcqeyVkDqWXotAOO7ojlhdOeJwNXEXO62CdMmnp4nkE9E2jcl8Y9Q/hLDx6OjvQc&Tj=YBZ0
suspicious_features GET method with no useragent header suspicious_request GET http://www.oneresi.com/ge06/?cxlL6=TxZz26qHBFBWLipdaFP8DXj847gFVWoG3E2dnld5pyULLNin+5TsGSuzug1CwjEl4T2LS/ZH&Tj=YBZ0
request GET http://www.trailblazerbaby.com/ge06/?cxlL6=Vn36JpzNTKaSb0MTbSztLcrwH0nGOIWlPxp5C0tdRb7z35/kOAEpp28Rs4alwfkjtZwLX/a3&Tj=YBZ0
request GET http://www.seoulbeautytw.com/ge06/?cxlL6=Qc2b7R052BxaaIixZxZchyIrCtI6dOvdNg5lwCRd5bjXdsmVEtEF/rdDBYlFLrvTnx09Yrft&Tj=YBZ0
request GET http://www.bowllywood.com/ge06/?cxlL6=uEJyp/LCRcqeyVkDqWXotAOO7ojlhdOeJwNXEXO62CdMmnp4nkE9E2jcl8Y9Q/hLDx6OjvQc&Tj=YBZ0
request GET http://www.oneresi.com/ge06/?cxlL6=TxZz26qHBFBWLipdaFP8DXj847gFVWoG3E2dnld5pyULLNin+5TsGSuzug1CwjEl4T2LS/ZH&Tj=YBZ0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2120
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2120
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00970000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\odjkem.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2120 called NtSetContextThread to modify thread in remote process 2200
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321504
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000cc
process_identifier: 2200
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Strab.4!c
MicroWorld-eScan Trojan.Garf.Gen.7
Skyhigh BehavesLike.Win32.Generic.fc
Cylance unsafe
Cybereason malicious.24fc93
Arcabit Trojan.Garf.Gen.7 [many]
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
APEX Malicious
Kaspersky UDS:Trojan.Win32.Strab.dby
BitDefender Trojan.Garf.Gen.7
Avast Win32:TrojanX-gen [Trj]
Emsisoft Trojan.Garf.Gen.7 (B)
VIPRE Trojan.Garf.Gen.7
FireEye Generic.mg.f66044875f6dff90
Ikarus Trojan.NSIS.Agent
MAX malware (ai score=83)
Kingsoft malware.kb.a.926
Microsoft Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Trojan.NSISX.Spy.Gen.24
Google Detected
BitDefenderTheta Gen:NN.ZexaF.36738.kmW@am@X1vm
ALYac Trojan.NSISX.Spy.Gen.24
VBA32 BScope.Trojan.Injector
Rising Trojan.Generic@AI.98 (RDML:mwyyO29IPUCFKmAs6/hp+Q)
AVG Win32:TrojanX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)