Summary | ZeroBOX

pei.exe

Tags: Generic Malware, UPX, Downloader, Admin Tool (Sysinternals etc ...), Malicious Library, Malicious Packer, PE File, PE32
Category FILE
Machine s1_win7_x6401
Started July 16, 2024, 10:57 a.m.
Completed July 16, 2024, 10:59 a.m.
Size 9.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8d8e6c7952a9dc7c0c73911c4dbc5518
SHA256 feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278
CRC32 321BBC61
ssdeep 96:zMn7AN23D0TXraYgnY1dTNDiIp+BYA8vrcVO15uJxGE9YUBz2qh3C7tCEkC:A7ANUYhUYPtp+OFMJxTmUBzthckC
Yara
  • Network_Downloader - File Downloader
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

IP Address Status Action
151.233.182.0 Active Moloch
151.243.192.202 Active Moloch
164.124.101.2 Active Moloch
178.90.117.247 Active Moloch
185.215.113.66 Active Moloch
188.212.185.135 Active Moloch
188.240.99.47 Active Moloch
2.183.107.200 Active Moloch
20.72.235.82 Active Moloch
31.25.131.226 Active Moloch
43.246.243.120 Active Moloch
46.167.131.62 Active Moloch
5.104.215.231 Active Moloch
5.200.174.76 Active Moloch
78.39.225.27 Active Moloch

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/1
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/2
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.66/3
request GET http://twizt.net/newtpp.exe
request GET http://twizt.net/peinstall.php
request GET http://185.215.113.66/1
request GET http://185.215.113.66/2
request GET http://185.215.113.66/3
ip 151.233.182.0
ip 151.243.192.202
ip 188.212.185.135
ip 188.240.99.47
ip 2.183.107.200
ip 43.246.243.120
ip 46.167.131.62
ip 5.104.215.231
ip 5.200.174.76
ip 78.39.225.27
description sysmablsvr.exe tried to sleep 273 seconds, actually delayed analysis time by 273 seconds
file C:\Users\test22\AppData\Local\Temp\55044911.exe
file C:\Users\test22\AppData\Local\Temp\1094611197.exe
file C:\Users\test22\AppData\Local\Temp\1291015353.exe
file C:\Users\test22\AppData\Local\Temp\3192929219.exe
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x000002c8
filepath: C:\Users\test22\AppData\Local\Temp\33573537.jpg
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\33573537.jpg
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000378
filepath: C:\Users\test22\tbtnds.dat
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\tbtnds.dat
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
file C:\Users\test22\AppData\Local\Temp\3192929219.exe
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $m«qj)Ê9)Ê9)Ê9 ²•9.Ê9Q¸8+Ê9êÅB9+Ê9êÅ@9(Ê9êÅ9+Ê9 r9-Ê9)Ê9éÊ9 d9<Ê9 ²œ9-Ê9 ²›95Ê9 ²Ž9(Ê9Rich)Ê9
request_handle: 0x00cc000c
1 1 0
host 151.233.182.0
host 151.243.192.202
host 178.90.117.247
host 188.212.185.135
host 188.240.99.47
host 2.183.107.200
host 31.25.131.226
host 43.246.243.120
host 46.167.131.62
host 5.104.215.231
host 5.200.174.76
host 78.39.225.27
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings reg_value C:\Windows\sysmablsvr.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
process pei.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
process pei.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
process sysmablsvr.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
file C:\Users\test22\AppData\Local\Temp\55044911.exe:Zone.Identifier
file C:\Windows\sysmablsvr.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\1094611197.exe:Zone.Identifier
file C:\Users\test22\AppData\Local\Temp\3192929219.exe:Zone.Identifier
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
description attempts to disable antivirus notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
description attempts to disable firewall notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
description attempts to disable windows update notifications registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
service wuauserv (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start)
service BITS (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start)
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Phorpiex.7!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Skyhigh Artemis!Trojan
Cylance Unsafe
VIPRE Gen:Heur.Mint.Zard.39
Sangfor Banker.Win32.Phorpiex.Vou2
K7AntiVirus Trojan ( 005aface1 )
BitDefender Gen:Heur.Mint.Zard.39
K7GW Trojan ( 005aface1 )
Cybereason malicious.952a9d
Arcabit Trojan.Mint.Zard.39
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/GenKryptik.GPGJ
APEX Malicious
McAfee Artemis!8D8E6C7952A9
Avast Win32:CrypterX-gen [Trj]
Kaspersky HEUR:Trojan-Banker.Win32.ClipBanker.gen
Alibaba TrojanBanker:Win32/Phorpiex.24e78959
NANO-Antivirus Trojan.Win32.Phorpiex.knavfq
MicroWorld-eScan Gen:Heur.Mint.Zard.39
Rising Downloader.Agent!1.F26F (CLASSIC)
Emsisoft Gen:Heur.Mint.Zard.39 (B)
F-Secure Trojan.TR/AD.Phorpiex.hesfh
DrWeb Trojan.DownLoader46.63386
Zillya Trojan.GenKryptik.Win32.658875
TrendMicro Mal_DLDER
McAfeeD ti!FEB4C3AE4566
FireEye Gen:Heur.Mint.Zard.39
Sophos Mal/Generic-S
Ikarus Worm.Win32.Phorpiex
Google Detected
Avira TR/AD.Phorpiex.hesfh
MAX malware (ai score=86)
Antiy-AVL Trojan/Win32.GenKryptik
Kingsoft Win32.HeurC.KVMH017.a
Microsoft Trojan:Win32/Phorpiex.RB!MTB
ZoneAlarm HEUR:Trojan-Banker.Win32.ClipBanker.gen
GData Gen:Heur.Mint.Zard.39
Varist W32/S-c70f2e64!Eldorado
AhnLab-V3 Trojan/Win.Dlder.C5472688
BitDefenderTheta Gen:NN.ZexaCO.36808.auW@aSv79Qii
DeepInstinct MALICIOUS
VBA32 BScope.Trojan.Caynamer
Malwarebytes Trojan.Downloader
Panda Trj/GdSda.A
TrendMicro-HouseCall Mal_DLDER
Tencent Malware.Win32.Gencirc.140c0078
Yandex Trojan.GenKryptik!lKXkZXT+0Hk
dead_host 178.90.117.247:40500
dead_host 31.25.131.226:40500