Summary | ZeroBOX

frownked2.1.exe

Tags: Generic Malware, Malicious Library, UPX, PE File, DLL, OS Processor Check, PE32
Category FILE
Machine s1_win7_x6403_us
Started Sept. 13, 2024, 9:22 a.m.
Completed Sept. 13, 2024, 9:29 a.m.
Size 1.5MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ab7caff90a8347576988a104a322a916
SHA256 b14dba44c08182c9c21b34e90409943400645c7d88a6b1388bddc64464f26a73
CRC32 210D02D7
ssdeep 24576:64lavt0LkLL9IMixoEgea4NlRCGiIpjnUwqVOYKPq9MmCS:Nkwkn9IMHea4vRCkpDsVOhaPCS
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
domain www.mandemj.top description Generic top level domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 16384
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01265000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a90000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 143360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00320000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2624
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02200000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
description cmdl32.exe tried to sleep 148 seconds, actually delayed analysis time by 148 seconds
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file C:\Users\test22\AppData\Local\Chromium\User Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data
file C:\Users\test22\AppData\Local\Temp\sqlite3.dll
section .rsrc: size_of_data 0x000b8800, virtual_address 0x000c4000, virtual_size 0x000b8774, entropy 6.974208947233943 description A section with a high entropy has been found
entropy 0.47859922179 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2232
thread_handle: 0x000001d0
process_identifier: 2228
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\frownked2.1.exe"
filepath_r: C:\Windows\System32\svchost.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000001cc
1 1 0
file C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file C:\Users\test22\AppData\Local\AVG\Browser\User Data
Process injection Process 2228 manipulating memory of non-child process 1888
Time & API Arguments Status Return Repeated

NtMapViewOfSection

section_handle: 0x0000004c
process_identifier: 1888
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x03b50000
allocation_type: 0 ()
section_offset: 0
view_size: 9318400
process_handle: 0x00000050
1 0 0
Process injection Process 2080 called NtSetContextThread to modify thread in remote process 2228
Process injection Process 2228 called NtSetContextThread to modify thread in remote process 2624
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 1178328
registers.edi: 0
registers.eax: 4199568
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000001d0
process_identifier: 2228
1 0 0

NtSetContextThread

registers.eip: 2005598660
registers.esp: 1572664
registers.edi: 0
registers.eax: 564016
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000064
process_identifier: 2624
1 0 0
Antivirus Result
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Formbook.4!c
Elastic malicious (high confidence)
CAT-QuickHeal TrojanPWS.AutoIt.Zbot.S
Skyhigh BehavesLike.Win32.Generic.th
Cylance Unsafe
Sangfor Trojan.Win32.Injector.V9c1
K7AntiVirus Trojan ( 700000111 )
K7GW Trojan ( 700000111 )
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Win32/Injector.Autoit.GJF
APEX Malicious
Avast FileRepMalware [Misc]
Kaspersky UDS:DangerousObject.Multi.Generic
Alibaba Trojan:Win32/Injector.34bf1373
McAfeeD ti!B14DBA44C081
Trapmine suspicious.low.ml.score
CTX exe.trojan.autoit
Sophos Mal/Generic-S
FireEye Generic.mg.ab7caff90a834757
Avira TR/AVI.Agent.lqnit
Kingsoft malware.kb.a.885
Gridinsoft Ransom.Win32.Wacatac.sa
Microsoft Trojan:Win32/Wacatac.B!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Win32.Trojan-Stealer.FormBook.6GHKRQ
McAfee Artemis!AB7CAFF90A83
DeepInstinct MALICIOUS
VBA32 Trojan-Downloader.Autoit.gen
Malwarebytes Generic.Malware/Suspicious
Panda Trj/Chgt.AD
MaxSecure Trojan.Malware.300983.susgen
Fortinet AutoIt/Injector.GIZ!tr
AVG FileRepMalware [Misc]
Paloalto generic.ml
CrowdStrike win/malicious_confidence_60% (D)