Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

hghjhjghjhgj.exe

Generic Malware UPX Malicious Library PE64 PE File

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 1, 2024, 7:36 a.m.	April 1, 2024, 7:52 a.m.

Size	414.0KB
Type	PE32+ executable (GUI) x86-64, for MS Windows
MD5	`e75338a175f80b85cb99b51580451d37`
SHA256	`1f12f9b84cbc176f6313d69749c69d83ac32b322ce16d4a9a48803a264a8d4dd`
CRC32	`7E2283B5`
ssdeep	`6144:66kMYlOIa6VkctankhTl2DGl8HpZRw9wx2UCH:62X8anasZq`
Yara	IsPE64 - (no description) Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware

hghjhjghjhgj.exe "C:\Users\test22\AppData\Local\Temp\hghjhjghjhgj.exe"
2576

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
94.156.8.44	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 1, 2024, 7:29 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Communicates with host for which no DNS query was performed (1 event)

host

94.156.8.44

Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExW April 1, 2024, 7:29 a.m.	key_handle: 0x0000000000000144 regkey_r: {BBF7EBB4-5D42-48CD-8A36-2DEB24A10716} reg_type: 3 (REG_BINARY) value: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÏäÈúúúäóQúdúýyúý}úýiúûõúQÏúPâú`úgúRichúPEdkùºeð" BlL{@ð@üdÐð°ìàØ` .textAB `.rdata´§`¨F@@.data^î@À.pdataì°L@@.rsrcðÐf@@.reloc àj@BDL$ LD$HT$HL$W¸ è±VH+à `ûè³=Àu3Éÿ÷O3ÀfD$PHD$RHø3À¹óªA¸HT$P3Éÿ\|aÀu3Éÿxaÿ aHD$@="ú=èc~Àu 3ÒHL$@ÿOH$ÈèUH$ÈèxjÀu 3ÒHL$@ÿ?aH ðSÿJOH$°H¼$°¢ºþÿ¹@ÿ³`H$øH¼$ø{A¸H$øH$°ÿ°`ÀIHSH$H¢SH$H³SH$HÄSH$HÍSH$ HÖSH$(HçSH$0HøSH$8H TH$@HTH$HH#TH$PH,TH$XH5TH$`HFTH$hÇ$pë$pÿÀ$p¼$p}PHc$pÇD$(dH$HL$ E3ÉA¸3ùHÄèF6H$H$øèÑeëH$øÿ9_H ÒSÿMH$ÀH¼$Àºþÿ¹@ÿí^H$ðH¼$ð]A¸H$ðH$Àÿê^À+HSH$HSH$HSH$HSH$H§SH$ H°SH$(H¹SH$0HÊSH$8HÛSH$@HìSH$HHýSH$PHTH$XÇ$`ë$`ÿÀ$`¼$`}PHc$`ÇD$(dH$pHL$ E3ÉA¸÷HÄè4H$pH$ðè)dëH$ðÿ]H SÿÜKH$èH¼$èßºþÿ¹@ÿE]H$àH¼$à¸A¸H$àH$èÿB]ÀH3SH$èÇ$ðë$ðÿÀ$ð¼$ð}PHc$ðÇD$(dH$HL$ E3ÉA¸öHÄèè3H$H$àè&cëH$àÿ\H ¿RÿÙJH$ðH¼$ðºþÿ¹@ÿB\H$pH¼$påA¸H$pH$ðÿ?\À³HhRH$xHyRH$HRH$HRH$Ç$ë$ÿÀ$¼$}PHc$ÇD$(dH$ HL$ E3ÉA¸XõHÄxèk2H$ H$pèöaëH$pÿ^[H Rÿ©IH$¸H¼$¸ºþÿ¹@ÿ[H$H¼$åA¸H$H$¸ÿ[À³HÈQH$HÙQH$ HòQH$(HRH$0Ç$8ë$8ÿÀ$8¼$8}PHc$8ÇD$(dH$@HL$ E3ÉA¸(ôHÄè;1H$@H$èÆ`ëH$ÿ.ZH$Èè)gÀu 3ÒHL$@ÿPZH$Èè{Ç$HÇ$Ç$ LÂ3ÒH$ÿYH+VH=#Vu3ÉÿÑY=F uè«èÆ2øLN3Ò¹ÿÑGHÚUH=ÒUu3ÉÿèYHÇ$°L53Ò¹ÿ¸YH$°H¼$°u3ÉÿYH$°ÿYH$°ÿéXè 3ÉÿYèçÀu3Éÿ[GHÇ$xLz)3Ò¹ÿ{XH$xH¼$xtH$xÿX3ÉÿGL=)º3ÉÿVXHÀu3Éÿ©X=&u3=éUuèª¦Àu!è¯ø rHL$Pè5øu3ÉÿmX=òu]=±UuTèÎ®ø rJèd¦øu@Hò öñèëH$¸H¼$¸tH$¸èðH$¸ÿçWL¶º3ÉÿWH$8H¼$8u¹ÿÿÿÿÿFÿWX=·u¹ÿÿÿÿÿ½WLòº3ÉÿIWH$(H¼$(u3ÉÿÖEH ÃèZªL E3Àº3ÉÿSWH¤SH=Su¹ÿÿÿÿÿOWÿÑW=·u3ÉÿEH Óèª=·ìïA¸ÿH$À3ÉÿWÀÉfº\H$ÀèÚ3ÉfH$ÀH ¦éèaH$ÈH¼$È~fº\H$Èè3Éfºþÿ¹@ÿdVH$ÐH¼$Ð1H$Ð¹ÿÿDÀfº\H$ÐèA3ÉfH$ÈH$ÀÿÎXÀÊH$ÐH$Àÿ°XÀ¬ÿ¢UH$èH$ØH$èÿ$]H$àHý regkey: HKEY_CURRENT_USER\Software\{F0BABA1C-0A42-4DE7-AEC0-6F13AD7E45D9}\{BBF7EBB4-5D42-48CD-8A36-2DEB24A10716}	1	0	0

Manipulates memory of a non-child process indicative of process injection (7 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2576 manipulating memory of non-child process 2664
NtMapViewOfSection April 1, 2024, 7:29 a.m.	section_handle: 0x0000000000000158 process_identifier: 2664 commit_size: 0 win32_protect: 4 (PAGE_READWRITE) buffer: base_address: 0x0000000000090000 allocation_type: 0 () section_offset: 0 view_size: 4096 process_handle: 0x0000000000000150	1	0	0
NtMapViewOfSection April 1, 2024, 7:29 a.m.	section_handle: 0x0000000000000154 process_identifier: 2664 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x00000000000a0000 allocation_type: 0 () section_offset: 0 view_size: 4096 process_handle: 0x0000000000000150	1	0	0
NtMapViewOfSection April 1, 2024, 7:29 a.m.	section_handle: 0x0000000000000164 process_identifier: 2664 commit_size: 0 win32_protect: 4 (PAGE_READWRITE) buffer: base_address: 0x00000000000b0000 allocation_type: 0 () section_offset: 0 view_size: 425984 process_handle: 0x0000000000000150	1	0	0
NtUnmapViewOfSection April 1, 2024, 7:29 a.m.	base_address: 0x0000000000090000 region_size: 4096 process_identifier: 2664 process_handle: 0x0000000000000150	1	0	0
NtUnmapViewOfSection April 1, 2024, 7:29 a.m.	base_address: 0x00000000000a0000 region_size: 4096 process_identifier: 2664 process_handle: 0x0000000000000150	1	0	0
NtUnmapViewOfSection April 1, 2024, 7:29 a.m.	base_address: 0x00000000000b0000 region_size: 425984 process_identifier: 2664 process_handle: 0x0000000000000150	1	0	0

Stores an executable in the registry (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExW April 1, 2024, 7:29 a.m.	key_handle: 0x0000000000000144 regkey_r: {BBF7EBB4-5D42-48CD-8A36-2DEB24A10716} reg_type: 3 (REG_BINARY) value: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÏäÈúúúäóQúdúýyúý}úýiúûõúQÏúPâú`úgúRichúPEdkùºeð" BlL{@ð@üdÐð°ìàØ` .textAB `.rdata´§`¨F@@.data^î@À.pdataì°L@@.rsrcðÐf@@.reloc àj@BDL$ LD$HT$HL$W¸ è±VH+à `ûè³=Àu3Éÿ÷O3ÀfD$PHD$RHø3À¹óªA¸HT$P3Éÿ\|aÀu3Éÿxaÿ aHD$@="ú=èc~Àu 3ÒHL$@ÿOH$ÈèUH$ÈèxjÀu 3ÒHL$@ÿ?aH ðSÿJOH$°H¼$°¢ºþÿ¹@ÿ³`H$øH¼$ø{A¸H$øH$°ÿ°`ÀIHSH$H¢SH$H³SH$HÄSH$HÍSH$ HÖSH$(HçSH$0HøSH$8H TH$@HTH$HH#TH$PH,TH$XH5TH$`HFTH$hÇ$pë$pÿÀ$p¼$p}PHc$pÇD$(dH$HL$ E3ÉA¸3ùHÄèF6H$H$øèÑeëH$øÿ9_H ÒSÿMH$ÀH¼$Àºþÿ¹@ÿí^H$ðH¼$ð]A¸H$ðH$Àÿê^À+HSH$HSH$HSH$HSH$H§SH$ H°SH$(H¹SH$0HÊSH$8HÛSH$@HìSH$HHýSH$PHTH$XÇ$`ë$`ÿÀ$`¼$`}PHc$`ÇD$(dH$pHL$ E3ÉA¸÷HÄè4H$pH$ðè)dëH$ðÿ]H SÿÜKH$èH¼$èßºþÿ¹@ÿE]H$àH¼$à¸A¸H$àH$èÿB]ÀH3SH$èÇ$ðë$ðÿÀ$ð¼$ð}PHc$ðÇD$(dH$HL$ E3ÉA¸öHÄèè3H$H$àè&cëH$àÿ\H ¿RÿÙJH$ðH¼$ðºþÿ¹@ÿB\H$pH¼$påA¸H$pH$ðÿ?\À³HhRH$xHyRH$HRH$HRH$Ç$ë$ÿÀ$¼$}PHc$ÇD$(dH$ HL$ E3ÉA¸XõHÄxèk2H$ H$pèöaëH$pÿ^[H Rÿ©IH$¸H¼$¸ºþÿ¹@ÿ[H$H¼$åA¸H$H$¸ÿ[À³HÈQH$HÙQH$ HòQH$(HRH$0Ç$8ë$8ÿÀ$8¼$8}PHc$8ÇD$(dH$@HL$ E3ÉA¸(ôHÄè;1H$@H$èÆ`ëH$ÿ.ZH$Èè)gÀu 3ÒHL$@ÿPZH$Èè{Ç$HÇ$Ç$ LÂ3ÒH$ÿYH+VH=#Vu3ÉÿÑY=F uè«èÆ2øLN3Ò¹ÿÑGHÚUH=ÒUu3ÉÿèYHÇ$°L53Ò¹ÿ¸YH$°H¼$°u3ÉÿYH$°ÿYH$°ÿéXè 3ÉÿYèçÀu3Éÿ[GHÇ$xLz)3Ò¹ÿ{XH$xH¼$xtH$xÿX3ÉÿGL=)º3ÉÿVXHÀu3Éÿ©X=&u3=éUuèª¦Àu!è¯ø rHL$Pè5øu3ÉÿmX=òu]=±UuTèÎ®ø rJèd¦øu@Hò öñèëH$¸H¼$¸tH$¸èðH$¸ÿçWL¶º3ÉÿWH$8H¼$8u¹ÿÿÿÿÿFÿWX=·u¹ÿÿÿÿÿ½WLòº3ÉÿIWH$(H¼$(u3ÉÿÖEH ÃèZªL E3Àº3ÉÿSWH¤SH=Su¹ÿÿÿÿÿOWÿÑW=·u3ÉÿEH Óèª=·ìïA¸ÿH$À3ÉÿWÀÉfº\H$ÀèÚ3ÉfH$ÀH ¦éèaH$ÈH¼$È~fº\H$Èè3Éfºþÿ¹@ÿdVH$ÐH¼$Ð1H$Ð¹ÿÿDÀfº\H$ÐèA3ÉfH$ÈH$ÀÿÎXÀÊH$ÐH$Àÿ°XÀ¬ÿ¢UH$èH$ØH$èÿ$]H$àHý regkey: HKEY_CURRENT_USER\Software\{F0BABA1C-0A42-4DE7-AEC0-6F13AD7E45D9}\{BBF7EBB4-5D42-48CD-8A36-2DEB24A10716}	1	0	0

Creates known RBot files, registry keys and/or mutexes (1 event)

mutex

{CFE36BE9-C94B-4FD5-9556-12D4063D9BB1}

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 1, 2024, 7:29 a.m.	thread_identifier: 2668 thread_handle: 0x0000000000000148 process_identifier: 2664 current_directory: C:\Windows filepath: C:\Windows\explorer.exe track: 1 command_line: filepath_r: C:\Windows\explorer.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000150	1	1	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

94.156.8.44:4787

Executed a process and injected code into it, probably while unpacking (8 events)

Time & API	Arguments	Status	Return	Repeated
NtResumeThread April 1, 2024, 7:29 a.m.	thread_handle: 0x00000000000000e8 suspend_count: 1 process_identifier: 2576	1	0	0
CreateProcessInternalW April 1, 2024, 7:29 a.m.	thread_identifier: 2668 thread_handle: 0x0000000000000148 process_identifier: 2664 current_directory: C:\Windows filepath: C:\Windows\explorer.exe track: 1 command_line: filepath_r: C:\Windows\explorer.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000150	1	1	0
NtMapViewOfSection April 1, 2024, 7:29 a.m.	section_handle: 0x0000000000000158 process_identifier: 2664 commit_size: 0 win32_protect: 4 (PAGE_READWRITE) buffer: base_address: 0x0000000000090000 allocation_type: 0 () section_offset: 0 view_size: 4096 process_handle: 0x0000000000000150	1	0	0
NtMapViewOfSection April 1, 2024, 7:29 a.m.	section_handle: 0x0000000000000154 process_identifier: 2664 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x00000000000a0000 allocation_type: 0 () section_offset: 0 view_size: 4096 process_handle: 0x0000000000000150	1	0	0
NtMapViewOfSection April 1, 2024, 7:29 a.m.	section_handle: 0x0000000000000164 process_identifier: 2664 commit_size: 0 win32_protect: 4 (PAGE_READWRITE) buffer: base_address: 0x00000000000b0000 allocation_type: 0 () section_offset: 0 view_size: 425984 process_handle: 0x0000000000000150	1	0	0
NtUnmapViewOfSection April 1, 2024, 7:29 a.m.	base_address: 0x0000000000090000 region_size: 4096 process_identifier: 2664 process_handle: 0x0000000000000150	1	0	0
NtUnmapViewOfSection April 1, 2024, 7:29 a.m.	base_address: 0x00000000000a0000 region_size: 4096 process_identifier: 2664 process_handle: 0x0000000000000150	1	0	0
NtUnmapViewOfSection April 1, 2024, 7:29 a.m.	base_address: 0x00000000000b0000 region_size: 425984 process_identifier: 2664 process_handle: 0x0000000000000150	1	0	0