popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

sya.exe

NSIS Malicious Library PE32 PE File DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Sept. 28, 2021, 3:55 p.m. Sept. 28, 2021, 4:08 p.m.
Size 263.4KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 13e41e7ab512d2d8b1818d15a24f262c
SHA256 e050e0df13b22fc9810a06e1c405d8ead485bbe951aba4f5f5b9003f8f7a223f
CRC32 CA96613E
ssdeep 6144:F8LxBsf6miyz9gkU+15v/mD5rkFosTvQox/1qgNRRrkP+mSBs+wm:/f6miYgsh/mD5rDSXbNRRw+Om
Yara
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • NSIS_Installer - Null Soft Installer

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1660
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73542000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nss7E13.tmp\nutfi.dll
file C:\Users\test22\AppData\Local\Temp\nss7E13.tmp\nutfi.dll
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2848
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000200
1 0 0
Process injection Process 1660 created a remote thread in non-child process 2848
Time & API Arguments Status Return Repeated

CreateRemoteThread

 thread_identifier: 0
process_identifier: 2848
function_address: 0x001f5ce2
flags: 4
stack_size: 0
parameter: 0x00000000
process_handle: 0x00000200
1 540 0
Process injection Process 1660 manipulating memory of non-child process 2848
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2848
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000200
1 0 0
Bkav W32.AIDetect.malware2
Lionic Trojan.Win32.Noon.l!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
McAfee RDN/Generic.dx
Cylance Unsafe
Arcabit Trojan.NSISX.Spy.Gen.2
Cyren W32/Injector.ALQ.gen!Eldorado
Symantec Packed.Generic.606
ESET-NOD32 a variant of Win32/Injector.EQED
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan-Spy.Win32.Noon.gen
BitDefender Trojan.NSISX.Spy.Gen.2
MicroWorld-eScan Trojan.NSISX.Spy.Gen.2
Avast NSIS:InjectorX-gen [Trj]
Sophos Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.Dropper.dc
FireEye Generic.mg.13e41e7ab512d2d8
Emsisoft Trojan.NSISX.Spy.Gen.2 (B)
MAX malware (ai score=83)
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft Trojan:Win32/Woreflint.A!cl
GData Win32.Backdoor.AMRat.NJQSHN
Tencent Nsis.Trojan.Nsisx.Dzke
SentinelOne Static AI - Malicious PE
Fortinet W32/Injector.EQDZ!tr
AVG NSIS:InjectorX-gen [Trj]