popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

ngrok.exe

Malicious Library UPX Malicious Packer ftp PE64 PE File OS Processor Check wget
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 July 29, 2024, 1:45 p.m. July 29, 2024, 1:48 p.m.
Size 28.2MB
Type PE32+ executable (console) x86-64, for MS Windows
MD5 f02b8dabd9612d56140b7b435f70424b
SHA256 a90600d7ad852842934c03c5a8c752143c9ee11e6720f4114747f546ad53a3d1
CRC32 EE318927
ssdeep 393216:IN0uwoFGVN8x5ytoOO5mM2/1F/HXZjTN2VziJ+0Wg5tPW:W0uwoFsN8aS
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • ftp_command - ftp command
  • Malicious_Packer_Zero - Malicious Packer
  • IsPE64 - (no description)
  • wget_command - wget command
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
secure.globalsign.com
A 146.75.50.133
CNAME prod.globalsign.map.fastly.net
CNAME global.prd.cdn.globalsign.com
104.18.21.226
IP Address Status Action
146.75.50.133 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

section .symtab
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25
wscript+0x2fbd @ 0x9c2fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75d43ef4
registers.esp: 1636564
registers.edi: 0
registers.eax: 39790080
registers.ebp: 1636592
registers.edx: 1
registers.ebx: 0
registers.esi: 4588576
registers.ecx: 1941845716
1 0 0
request GET http://secure.globalsign.com/cacert/codesigningrootr45.crt
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 3064
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73b83000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

WSASend

 buffer: GET /cacert/codesigningrootr45.crt HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: secure.globalsign.com
socket: 952
0 0
Time & API Arguments Status Return Repeated

WSASend

 buffer: GET /cacert/codesigningrootr45.crt HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: secure.globalsign.com
socket: 952
0 0
Bkav W32.Common.755DFD9E
Skyhigh Artemis
Cylance Unsafe
K7AntiVirus Unwanted-Program ( 005b5c2b1 )
K7GW Unwanted-Program ( 005b5c2b1 )
Symantec PUA.Gen.2
ESET-NOD32 a variant of WinGo/Ngrok.B potentially unsafe
McAfee Artemis!F02B8DABD961
Avast Win64:DangerousSig [Trj]
Kaspersky not-a-virus:HEUR:NetTool.Multi.Ngrok.a
Rising Trojan.MalCert!1.F53B (CLASSIC)
Emsisoft MalCert-S.RR (A)
F-Secure PrivacyRisk.SPR/Redcap.98fb12
DrWeb Trojan.Packed2.46718
McAfeeD ti!A90600D7AD85
Sophos Mal/BadCert-Gen
Ikarus PUA.Ngrok
Google Detected
Avira SPR/Redcap.98fb12
Antiy-AVL RiskWare[NetTool]/Multi.NGROK
Gridinsoft Trojan.Win64.CoinMiner.dd!c
ZoneAlarm not-a-virus:HEUR:NetTool.Multi.Ngrok.a
Varist W64/ABApplication.MGDP-7662
Malwarebytes Trojan.FakeSig
MaxSecure Trojan.Malware.234992274.susgen
Fortinet Adware/Ngrok
AVG Win64:DangerousSig [Trj]
Paloalto generic.ml