popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

audiodgse.exe

Formbook NSIS Malicious Library UPX PE File PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 18, 2023, 7:44 a.m. Oct. 18, 2023, 7:59 a.m.
Size 351.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 68c674b8751ee53b3dcb6d6f10b0bc0c
SHA256 87556c6d6258649af9a9e20761a1702c005a3d633933ed0ee76375965ad4d6c1
CRC32 7098F8A7
ssdeep 6144:jfL+oqjzQJikMGIb8iANj4ILBHmbGdjwqQ7aEoo299rVY1DlODccKS0mIlPDNxsL:jfLwkcGIbNy4gQsBEP2vra16c80m0kGw
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
www.03ss.vip
CNAME 63a4ffed.mycdn.online
www.uadmxqby.click
www.sarthaksrishticreation.com
CNAME sarthaksrishticreation.com
A 119.18.49.69
119.18.49.69
www.sofbks.top
IP Address Status Action
119.18.49.69 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:50800 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 119.18.49.69:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.sarthaksrishticreation.com/sy22/?nJ=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&FF=5jUlfzd8q0bt4Bo
request GET http://www.sarthaksrishticreation.com/sy22/?nJ=++s7hqRnDFs/g5YbNhmDQGydnZIcmR65wuKS6+wpOQxc/+r74UhYv08VjUB0PTEo7NuOximl&FF=5jUlfzd8q0bt4Bo
domain www.sofbks.top description Generic top level domain TLD
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00520000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00530000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2124
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00950000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\phkktza.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2056 called NtSetContextThread to modify thread in remote process 2124
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1834964
registers.edi: 0
registers.eax: 4321616
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000d4
process_identifier: 2124
1 0 0