Summary | ZeroBOX

game_1.exe

Gen1 Generic Malware .NET framework(MSIL) Malicious Library UPX Malicious Packer Anti_VM ftp OS Name Check .NET DLL PNG Format OS Memory Check PE File OS Processor Check JPEG Format PE32 .NET EXE DLL
Category Machine Started Completed
FILE s1_win7_x6403_us March 28, 2024, 7:46 a.m. March 28, 2024, 7:49 a.m.
Size 127.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 a9ccc460407d9f29da334921bc5c1bf9
SHA256 b36dd9e6da5db0dc490573955df695ff05c7789695cc868268c7bb744e50cd14
CRC32 165B880F
ssdeep 1536:LndwttufsqHwqjWArz0D4/z/A0qcR/AxcccccccccT6xcccccccccA6xcccccccS:7dwWsF1XDWLAlcNP/71Hj+Mrf
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
yigeyo.xyz 185.117.88.231
IP Address Status Action
185.117.88.231 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49163 -> 185.117.88.231:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
TCP 185.117.88.231:80 -> 192.168.56.103:49163 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .ndata
request GET http://yigeyo.xyz/21_2/huge.dat
file C:\Users\test22\AppData\Roaming\Pinball\Pinball.exe
file C:\Users\test22\AppData\Local\Temp\setup.exe
file C:\Users\test22\AppData\Local\Temp\nsrC2FF.tmp\INetC.dll
file C:\Users\test22\AppData\Roaming\Pinball\libEGL.dll
file C:\Users\test22\AppData\Roaming\Pinball\Snetchball.exe
file C:\Users\test22\AppData\Roaming\Pinball\libGLESv2.dll
file C:\Users\test22\AppData\Roaming\Pinball\chrome_elf.dll
file C:\Users\test22\AppData\Roaming\Pinball\d3dcompiler_47.dll
file C:\Users\test22\AppData\Local\Temp\nsrC2FF.tmp\nsProcess.dll
file C:\Users\test22\AppData\Roaming\Pinball\Del.exe
file C:\Users\test22\AppData\Roaming\Pinball\Xilium.CefGlue.dll
file C:\Users\test22\AppData\Roaming\Pinball\Ionic.Zip.dll
file C:\Users\test22\AppData\Roaming\Pinball\Newtonsoft.Json.dll
Kaspersky UDS:DangerousObject.Multi.Generic
ZoneAlarm UDS:DangerousObject.Multi.Generic
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_70% (W)
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: (raw PE image bytes omitted)
request_handle: 0x00cc000c
1 1 0