popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

blaq.exe

Generic Malware Malicious Library UPX PE File DLL PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Feb. 19, 2025, 11:23 a.m. Feb. 19, 2025, 11:42 a.m.
Size 282.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 7176873d83d97247c18a9037ffa5964f
SHA256 7c421b3dfe5e73aaffae7fa858d1a1628d6dc09c7eccbcfbb42f027e20c0ac70
CRC32 27256D81
ssdeep 6144:O3gKq2qxgsNelqH6Dgt4+DM5aMkF2ZZKWw+yImInZ5k7zz:agKqV3Nk+ogt4+DM5aMkF2PKPEZy/
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
www.meacci.xyz
A 76.223.54.146
A 13.248.169.48
www.xiuqicloud.website
A 106.54.8.254
www.sfrouter.express
A 199.59.243.228
www.trosky.lol
A 104.21.54.232
A 172.67.143.33
www.zkplant.xyz
A 13.248.169.48
A 76.223.54.146
www.adventurerepair24.live
A 172.67.204.50
A 104.21.93.32
www.sqlite.org
A 45.33.6.223
IP Address Status Action
106.54.8.254 Active Moloch
13.248.169.48 Active Moloch
164.124.101.2 Active Moloch
172.67.143.33 Active Moloch
172.67.204.50 Active Moloch
199.59.243.228 Active Moloch
45.33.6.223 Active Moloch
76.223.54.146 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

request POST http://www.zkplant.xyz/t2z5/
request GET http://www.zkplant.xyz/t2z5/?wHwUOH=8VSe6D3+FdM96toYTkKYm4RfQN80B92Wswse+lRCZ5nd7JghEm3UVr0Q9u8PqQyGlh2BEZGJRS/hf5/2khKxbH6/CmdYSP+iYipsDo45rax8LzXX361i2DUedI4l6JslNrlk314=&li8B=Uh_aOYB7iOocT0e
request GET http://www.sqlite.org/2017/sqlite-dll-win32-x86-3170000.zip
request POST http://www.adventurerepair24.live/gc4d/
request GET http://www.adventurerepair24.live/gc4d/?wHwUOH=LebFdeUSCMRA/h5sT7+2M2f/vQ1SufiCCUGQxkTYOySh8g+yOOCA1ht778Ujr70KVg4fy0FUcNIIjE4P2FpJife2AASvW/TiUzxRyQ9XEF5r5nlv8N9vw4E60m8WiXkOYycYg/o=&li8B=Uh_aOYB7iOocT0e
request POST http://www.meacci.xyz/ieqn/
request GET http://www.meacci.xyz/ieqn/?wHwUOH=TXRwMNvNe7nWWxt2VYpYoe82JcF/DsRex1DbWUgtb2d4F8KnEpYV4uyghREjRYGlO9HLzYmvfgx+GjFyjye3bAwXsHcICLs5dZyytw3BsbuHZoaHGoXRgZC8N0lOdICFON5OFP4=&li8B=Uh_aOYB7iOocT0e
request POST http://www.sfrouter.express/f0c8/
request GET http://www.sfrouter.express/f0c8/?wHwUOH=AHWHpIA83/7LQm5yWEptZovqcpfzyuCrVryDOXq41boPuGcZhCFYx0rfPVc+QU4vzPoFex3ntizgmAr9Oi8RON6E+Z9iOl73gIFM5BR9EAZ97ZYdmY/eiK7meSUUDtSRRtG1C5s=&li8B=Uh_aOYB7iOocT0e
request POST http://www.trosky.lol/o88r/
request GET http://www.trosky.lol/o88r/?wHwUOH=ziUBiNnCPTx0D233h1ca1hydMmiXXNXHNMEY4JnQ/dp2McfnObELxA6oJBnFDOsWb/bM3s4W56oDTG7CCmWbz1/lpBHwSztieMVQct0KvuNR8Sztn05hRZ1RNhlgsM5Legpcclw=&li8B=Uh_aOYB7iOocT0e
request POST http://www.xiuqicloud.website/g63r/
request POST http://www.zkplant.xyz/t2z5/
request POST http://www.adventurerepair24.live/gc4d/
request POST http://www.meacci.xyz/ieqn/
request POST http://www.sfrouter.express/f0c8/
request POST http://www.trosky.lol/o88r/
request POST http://www.xiuqicloud.website/g63r/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 278528
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001c3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 12288
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001c1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1740
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b10000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1740
region_size: 135168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00440000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2556
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02070000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file C:\Users\test22\AppData\Local\Chromium\User Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data
file C:\Users\test22\AppData\Local\Temp\sqlite3.dll
file C:\Users\test22\AppData\Local\Temp\sqlite3.dll
section {u'size_of_data': u'0x00045600', u'virtual_address': u'0x00001000', u'entropy': 7.996319502854979, u'name': u'.text', u'virtual_size': u'0x000455d4'} entropy 7.99631950285 description A section with a high entropy has been found
entropy 1.0 description Overall entropy of this PE file is high
file C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file C:\Users\test22\AppData\Local\AVG\Browser\User Data
Process injection Process 1740 manipulating memory of non-child process 1888
Time & API Arguments Status Return Repeated

NtMapViewOfSection

 section_handle: 0x0000004c
process_identifier: 1888
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x047a0000
allocation_type: 0 ()
section_offset: 0
view_size: 20033536
process_handle: 0x00000050
1 0 0
Process injection Process 1740 called NtSetContextThread to modify thread in remote process 2556
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2005598660
registers.esp: 2620380
registers.edi: 0
registers.eax: 565088
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000064
process_identifier: 2556
1 0 0