Summary | ZeroBOX

SQL.exe

Tags: Generic Malware, Malicious Library, UPX, Malicious Packer, ftp, PE64, PE File, OS Processor Check

| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6401 | April 13, 2025, 3:18 p.m. | April 13, 2025, 3:32 p.m. |

| Field | Value |
|---|---|
| Size | 11.0MB |
| Type | PE32+ executable (GUI) x86-64, for MS Windows |
| MD5 | ef0e5882c8bcad3643d51d16c2f5500c |
| SHA256 | b869941a9c476585bbb8f48f7003d158c71e44038ceb2628cedb231493847775 |
| CRC32 | 9526FB7E |
| ssdeep | 196608:drUAnbsgUn5Qs3G9cnoY6VLBlv7pJIsVnhO:lLnIzn5Qs3GynoY6VLBlv7pJIW |
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • IsPE64 - (no description)
  • ftp_command - ftp command
  • Malicious_Packer_Zero - Malicious Packer
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

| IP Address | Status | Action |
|---|---|---|
| 142.250.76.3 | Active | Moloch |
| 164.124.101.2 | Active | Moloch |
| 172.67.74.152 | Active | Moloch |
| 208.95.112.1 | Active | Moloch |
| 45.227.252.199 | Active | Moloch |

Suricata Alerts

| Flow | SID | Signature | Category |
|---|---|---|---|
| UDP 192.168.56.101:59002 -> 164.124.101.2:53 | 2047702 | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup | Misc activity |
| TCP 192.168.56.101:49165 -> 172.67.74.152:443 | 2047703 | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI | Misc activity |
| TCP 192.168.56.101:49161 -> 45.227.252.199:7712 | 2061200 | ET MALWARE Aurotun Stealer CnC Checkin | A Network Trojan was detected |
| UDP 192.168.56.101:53004 -> 164.124.101.2:53 | 2054141 | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) | Device Retrieving External IP Address Detected |
| TCP 192.168.56.101:49169 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected |

Suricata TLS

| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
| TLS 1.2 192.168.56.101:49165 -> 172.67.74.152:443 | C=US, O=Google Trust Services, CN=WE1 | CN=ipify.org | bd:fd:0e:47:c4:8e:87:56:19:5e:86:99:5b:45:32:c3:13:aa:aa:f3 |

| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
| GetComputerNameA | computer_name: (empty) | | 0 | 0 |
| GetComputerNameA | computer_name: TEST22-PC | 1 | 1 | 0 |
| GetComputerNameA | computer_name: (empty) | | 0 | 0 |
| GetComputerNameA | computer_name: TEST22-PC | 1 | 1 | 0 |
| GetComputerNameA | computer_name: (empty) | | 0 | 0 |
| GetComputerNameA | computer_name: TEST22-PC | 1 | 1 | 0 |

registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
| bind | ip_address: 127.0.0.1, socket: 380, port: 0 | 1 | 0 | 0 |
| listen | socket: 380, backlog: 1 | 1 | 0 | 0 |
| accept | ip_address: (empty), socket: 380, port: 0 | 1 | 396 | 0 |
| bind | ip_address: 127.0.0.1, socket: 432, port: 0 | 1 | 0 | 0 |
| listen | socket: 432, backlog: 1 | 1 | 0 | 0 |
| accept | ip_address: (empty), socket: 432, port: 0 | 1 | 536 | 0 |

request GET http://c.pki.goog/r/gsr1.crl
request GET http://c.pki.goog/r/r4.crl
request GET http://ip-api.com/json/121.133.128.1
request GET https://api.ipify.org/
domain api.ipify.org
domain ip-api.com

| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
| LookupPrivilegeValueW | system_name: (empty), privilege_name: SeDebugPrivilege | 1 | 1 | 0 |
| LookupPrivilegeValueW | system_name: (empty), privilege_name: SeTakeOwnershipPrivilege | 1 | 1 | 0 |
| LookupPrivilegeValueW | system_name: (empty), privilege_name: SeBackupPrivilege | 1 | 1 | 0 |
| LookupPrivilegeValueW | system_name: (empty), privilege_name: SeRestorePrivilege | 1 | 1 | 0 |
| LookupPrivilegeValueW | system_name: (empty), privilege_name: SeSecurityPrivilege | 1 | 1 | 0 |
| LookupPrivilegeValueW | system_name: (empty), privilege_name: SeShutdownPrivilege | 1 | 1 | 0 |
| LookupPrivilegeValueW | system_name: (empty), privilege_name: SeAssignPrimaryTokenPrivilege | 1 | 1 | 0 |

host 45.227.252.199

| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
| LdrGetProcedureAddress | ordinal: 0, function_address: 0x0000000000000000, function_name: wine_get_version, module: ntdll, module_address: 0x0000000076d30000 | | -1073741511 | 0 |

| Vendor | Detection |
|---|---|
| Lionic | Trojan.Win32.Lumma.1u!c |
| Cynet | Malicious (score: 99) |
| CAT-QuickHeal | Trojan.Ghanarava.1744484000f5500c |
| Skyhigh | BehavesLike.Win64.Rootkit.wh |
| ALYac | Gen:Variant.Lazy.669905 |
| Cylance | Unsafe |
| VIPRE | Gen:Variant.Lazy.669905 |
| BitDefender | Gen:Variant.Lazy.669905 |
| K7GW | Spyware ( 005c2c001 ) |
| K7AntiVirus | Spyware ( 005c2c001 ) |
| Arcabit | Trojan.Lazy.DA38D1 |
| Symantec | ML.Attribute.HighConfidence |
| ESET-NOD32 | a variant of Win64/Spy.Agent.NJ |
| Avast | Win64:MalwareX-gen [Spy] |
| Kaspersky | Trojan-PSW.Win32.Lumma.jxp |
| Alibaba | TrojanSpy:Win64/MalwareX.9adbd97c |
| MicroWorld-eScan | Gen:Variant.Lazy.669905 |
| Rising | Spyware.Agent!8.C6 (TFE:5:l46WStEsZTT) |
| Emsisoft | Gen:Variant.Lazy.669905 (B) |
| F-Secure | Trojan.TR/Spy.Agent.kogty |
| McAfeeD | ti!B869941A9C47 |
| CTX | exe.trojan.lazy |
| Sophos | Mal/Generic-S |
| Webroot | Win.Trojan.Gen |
| Google | Detected |
| Avira | TR/Spy.Agent.kogty |
| Microsoft | Trojan:Win32/Wacatac.B!ml |
| GData | Gen:Variant.Lazy.669905 |
| Varist | W64/ABSpyware.WVGK-7850 |
| AhnLab-V3 | Trojan/Win.SpywareX-gen.R698117 |
| McAfee | Artemis!EF0E5882C8BC |
| DeepInstinct | MALICIOUS |
| Malwarebytes | Malware.AI.4190110976 |
| Ikarus | Trojan.Win64.Spy |
| Panda | Trj/Agent.RP |
| TrendMicro-HouseCall | TROJ_GEN.R002H09DB25 |
| Tencent | Win32.Trojan-QQPass.QQRob.Gplw |
| huorong | Ransom/Filecoder.ax |
| Fortinet | W64/Agent.NJ!tr.spy |
| AVG | Win64:MalwareX-gen [Spy] |
| alibabacloud | Trojan[spy]:Win/Lazy.Gen |