Summary | ZeroBOX

956d73b7f041.exe#default15st

Tags: Client SW User Data Stealer, Gen1, info stealer, ftp Client, Generic Malware, UPX, Malicious Library, HTTP, Internet API, Http API, PWS, PE File, OS Processor Check, PE32, AntiVM, AntiDebug
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 8, 2024, 9:45 p.m. Oct. 8, 2024, 9:52 p.m.
Size 493.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a3ad404cc615fc48ddfc3ddba9896dfa
SHA256 29fe61db9ec14041a288d3eb9a90b4fa30cfbdbabe24a5fc5b8cba3560d6b855
CRC32 B2B89658
ssdeep 12288:VtVE8S9QVKlmOiq5S/OTnEio/Fa2yKr3XUvW4S:VfS9AgSenUacrkv
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
62.204.41.150 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 62.204.41.150:80 -> 192.168.56.103:49164 2400005 ET DROP Spamhaus DROP Listed Traffic Inbound group 6 Misc Attack
TCP 192.168.56.103:49164 -> 62.204.41.150:80 2044243 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
956d73b7f041+0x6ece @ 0x9d6ece
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 58 3c 01 d8 83 c0 18 8d 58 1c 53 8b 9d 4b 01
exception.symbol: 956d73b7f041+0x7ab08
exception.instruction: mov ebx, dword ptr [eax + 0x3c]
exception.module: 956d73b7f041.exe#default15st
exception.exception_code: 0xc0000005
exception.offset: 502536
exception.address: 0xa4ab08
registers.esp: 4062816
registers.edi: 4286960
registers.eax: 4
registers.ebp: 4062864
registers.edx: 2130566132
registers.ebx: 56
registers.esi: 2293760
registers.ecx: 742391808
1 0 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://62.204.41.150/
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://62.204.41.150/edd20096ecef326d.php
request GET http://62.204.41.150/
request POST http://62.204.41.150/edd20096ecef326d.php
request POST http://62.204.41.150/edd20096ecef326d.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a4a000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c0000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
section .data (size_of_data 0x0004e200, virtual_address 0x0002d000, virtual_size 0x0004ef80, entropy 7.99058719352079) entropy 7.99058719352 description A section with a high entropy has been found
entropy 0.634517766497 description Overall entropy of this PE file is high
description Client_SW_User_Data_Stealer rule Client_SW_User_Data_Stealer
description ftp clients info stealer rule infoStealer_ftpClients_Zero
description Match Windows Http API call rule Str_Win32_Http_API
description PWS Memory rule Generic_PWS_Memory_Zero
description Communications over HTTP rule Network_HTTP
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Match Windows Inet API call rule Str_Win32_Internet_API
host 62.204.41.150
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 2494464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000003c
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: (binary PE image: MZ header, DOS stub "This program cannot be run in DOS mode.", Rich header, PE header, sections .text .rdata .data .reloc; non-printable bytes omitted)
base_address: 0x00400000
process_identifier: 2124
process_handle: 0x0000003c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 2124
process_handle: 0x0000003c
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: (binary PE image: MZ header, DOS stub "This program cannot be run in DOS mode.", Rich header, PE header, sections .text .rdata .data .reloc; non-printable bytes omitted)
base_address: 0x00400000
process_identifier: 2124
process_handle: 0x0000003c
1 1 0
Process injection Process 840 called NtSetContextThread to modify thread in remote process 2124
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 1506260
registers.edi: 0
registers.eax: 4286960
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000038
process_identifier: 2124
1 0 0
Process injection Process 840 resumed a thread in remote process 2124
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000038
suspend_count: 1
process_identifier: 2124
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2128
thread_handle: 0x00000038
process_identifier: 2124
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000003c
1 1 0

NtGetContextThread

thread_handle: 0x00000038
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 2494464
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000003c
1 0 0

WriteProcessMemory

buffer: (binary PE image: MZ header, DOS stub "This program cannot be run in DOS mode.", Rich header, PE header, sections .text .rdata .data .reloc; non-printable bytes omitted)
base_address: 0x00400000
process_identifier: 2124
process_handle: 0x0000003c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2124
process_handle: 0x0000003c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0041e000
process_identifier: 2124
process_handle: 0x0000003c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0042b000
process_identifier: 2124
process_handle: 0x0000003c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0065c000
process_identifier: 2124
process_handle: 0x0000003c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 2124
process_handle: 0x0000003c
1 1 0

NtSetContextThread

registers.eip: 2005598660
registers.esp: 1506260
registers.edi: 0
registers.eax: 4286960
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000038
process_identifier: 2124
1 0 0

NtResumeThread

thread_handle: 0x00000038
suspend_count: 1
process_identifier: 2124
1 0 0