popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

mxo.exe

NSIS Malicious Library PE32 PE File DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 5, 2021, 5:45 p.m. Oct. 5, 2021, 6:03 p.m.
Size 259.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 7e17686d4ba718b453ca93634c1c91ee
SHA256 7a8cd0fb35936203195d49af3fec0140f45e8b8fb75df0203db6b914d4b8d192
CRC32 A46130E7
ssdeep 6144:F8LxBs+FJekr6Mk5HYZRi4Ax/TH2CUAXH6satHP:/+FJ7Gj5URi4AJWZmatHP
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • NSIS_Installer - Null Soft Installer

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49223 -> 209.17.116.163:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 209.17.116.163:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 209.17.116.163:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 168.76.29.184:80 -> 192.168.56.101:49225 2400018 ET DROP Spamhaus DROP Listed Traffic Inbound group 19 Misc Attack
TCP 192.168.56.101:49221 -> 72.167.241.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 72.167.241.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 72.167.241.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 168.76.29.184:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 168.76.29.184:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 168.76.29.184:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 182.50.132.242:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 166.88.19.181:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 182.50.132.242:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 166.88.19.181:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 182.50.132.242:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 166.88.19.181:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 203.170.80.250:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 203.170.80.250:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 203.170.80.250:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 198.54.117.212:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 198.54.117.212:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 198.54.117.212:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 184.168.131.241:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 184.168.131.241:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 184.168.131.241:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 2.57.90.16:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 2.57.90.16:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 2.57.90.16:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 74.208.236.228:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 74.208.236.228:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 74.208.236.228:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.colonelabrams.com/pusp/?xVJtG4Th=GpOemIVbAEkRtcZWG0w6ZY9t/Kj0kHMZJUri0oAYzPXxYIlKghPFhBLyPyQ6wS25kQBXaNQK&1bw=L6Adp0uXjfuLdDA0
suspicious_features GET method with no useragent header suspicious_request GET http://www.georgialogisticscontractors.com/pusp/?xVJtG4Th=uXFBoWTbwpRe3QPmrmmdA8fVM1sPFIdCr4IpmJZcwBKKd8ZRxWIMBxwaKrU120JbOkE11jfq&1bw=L6Adp0uXjfuLdDA0
suspicious_features GET method with no useragent header suspicious_request GET http://www.fanaticscardgroup.com/pusp/?xVJtG4Th=LcRe9pjN5Gb8pjGdHIWKy0hSBOjCts21Z8mM0bPkxuRl55vVFJrqur5aeHJ3ehnhmvvyB+PF&1bw=L6Adp0uXjfuLdDA0
suspicious_features GET method with no useragent header suspicious_request GET http://www.fieldsauction.online/pusp/?xVJtG4Th=VrWe0xVr9ux9Mcv5Ey2q6vLJLLqsoVD/pcwJdQ9af4hJVfahtpaWhvXjPrPh/9jB4zO7QS6q&1bw=L6Adp0uXjfuLdDA0
suspicious_features GET method with no useragent header suspicious_request GET http://www.ez8-pay.com/pusp/?xVJtG4Th=WjGeI7p1H4+/S9Zuvg4I2DZNA92GuQJFuoH+crR+gUAo1tApr80Jm27CU4T9SRDjyVSBKp3E&1bw=L6Adp0uXjfuLdDA0
suspicious_features GET method with no useragent header suspicious_request GET http://www.morgsanusa.com/pusp/?xVJtG4Th=/Fjax9oi/YhlDG4ZDyfPMUGG3veF+C45tP1S8dUcdfoMjlb2IAI5B23eH5djDsayMc3auOGa&1bw=L6Adp0uXjfuLdDA0
suspicious_features GET method with no useragent header suspicious_request GET http://www.nm-ent.com/pusp/?xVJtG4Th=QKlvSsq1g3ywZ5RJgqHKfBX77rwF+3OkPjfWtJrcAgJEUgRrzskrjCLYXcfubbSsfkZBuGOB&1bw=L6Adp0uXjfuLdDA0
suspicious_features GET method with no useragent header suspicious_request GET http://www.geemove.com/pusp/?xVJtG4Th=2U8gML9VR2lXg8r2cxwKt3kTtYK9n+QtiPzqfiX0r0tg/nEfsGYGs5OQxuADyIoex9ZgHdg6&1bw=L6Adp0uXjfuLdDA0
suspicious_features GET method with no useragent header suspicious_request GET http://www.advancedautoair.repair/pusp/?xVJtG4Th=nmJFn5gWHgR85O5qeMhC8SY2AOi9nxjXr1zOp9/mLaHLfpEZyMhYyybAfbJv5rCssjX9d6Xn&1bw=L6Adp0uXjfuLdDA0
suspicious_features GET method with no useragent header suspicious_request GET http://www.dhgjjtq.com/pusp/?xVJtG4Th=F7NxiRsX9aeJ/xS6ytSC95ekg6G+Iab4R7P/P6ebpmQyNfgbdryclrgzZKUl+RJmXhHCbEcs&1bw=L6Adp0uXjfuLdDA0
suspicious_features GET method with no useragent header suspicious_request GET http://www.usfiltros.com/pusp/?xVJtG4Th=8j5ZDxP5Kjr1GqC+NJhJWhBuUGifdIvct6dCH9aw24IiMW6kEE6uvcqT9EmS++Kc3UzZ5CjP&1bw=L6Adp0uXjfuLdDA0
request POST http://www.colonelabrams.com/pusp/
request GET http://www.colonelabrams.com/pusp/?xVJtG4Th=GpOemIVbAEkRtcZWG0w6ZY9t/Kj0kHMZJUri0oAYzPXxYIlKghPFhBLyPyQ6wS25kQBXaNQK&1bw=L6Adp0uXjfuLdDA0
request POST http://www.georgialogisticscontractors.com/pusp/
request GET http://www.georgialogisticscontractors.com/pusp/?xVJtG4Th=uXFBoWTbwpRe3QPmrmmdA8fVM1sPFIdCr4IpmJZcwBKKd8ZRxWIMBxwaKrU120JbOkE11jfq&1bw=L6Adp0uXjfuLdDA0
request POST http://www.fanaticscardgroup.com/pusp/
request GET http://www.fanaticscardgroup.com/pusp/?xVJtG4Th=LcRe9pjN5Gb8pjGdHIWKy0hSBOjCts21Z8mM0bPkxuRl55vVFJrqur5aeHJ3ehnhmvvyB+PF&1bw=L6Adp0uXjfuLdDA0
request POST http://www.fieldsauction.online/pusp/
request GET http://www.fieldsauction.online/pusp/?xVJtG4Th=VrWe0xVr9ux9Mcv5Ey2q6vLJLLqsoVD/pcwJdQ9af4hJVfahtpaWhvXjPrPh/9jB4zO7QS6q&1bw=L6Adp0uXjfuLdDA0
request POST http://www.ez8-pay.com/pusp/
request GET http://www.ez8-pay.com/pusp/?xVJtG4Th=WjGeI7p1H4+/S9Zuvg4I2DZNA92GuQJFuoH+crR+gUAo1tApr80Jm27CU4T9SRDjyVSBKp3E&1bw=L6Adp0uXjfuLdDA0
request POST http://www.morgsanusa.com/pusp/
request GET http://www.morgsanusa.com/pusp/?xVJtG4Th=/Fjax9oi/YhlDG4ZDyfPMUGG3veF+C45tP1S8dUcdfoMjlb2IAI5B23eH5djDsayMc3auOGa&1bw=L6Adp0uXjfuLdDA0
request POST http://www.nm-ent.com/pusp/
request GET http://www.nm-ent.com/pusp/?xVJtG4Th=QKlvSsq1g3ywZ5RJgqHKfBX77rwF+3OkPjfWtJrcAgJEUgRrzskrjCLYXcfubbSsfkZBuGOB&1bw=L6Adp0uXjfuLdDA0
request POST http://www.geemove.com/pusp/
request GET http://www.geemove.com/pusp/?xVJtG4Th=2U8gML9VR2lXg8r2cxwKt3kTtYK9n+QtiPzqfiX0r0tg/nEfsGYGs5OQxuADyIoex9ZgHdg6&1bw=L6Adp0uXjfuLdDA0
request POST http://www.advancedautoair.repair/pusp/
request GET http://www.advancedautoair.repair/pusp/?xVJtG4Th=nmJFn5gWHgR85O5qeMhC8SY2AOi9nxjXr1zOp9/mLaHLfpEZyMhYyybAfbJv5rCssjX9d6Xn&1bw=L6Adp0uXjfuLdDA0
request POST http://www.dhgjjtq.com/pusp/
request GET http://www.dhgjjtq.com/pusp/?xVJtG4Th=F7NxiRsX9aeJ/xS6ytSC95ekg6G+Iab4R7P/P6ebpmQyNfgbdryclrgzZKUl+RJmXhHCbEcs&1bw=L6Adp0uXjfuLdDA0
request POST http://www.usfiltros.com/pusp/
request GET http://www.usfiltros.com/pusp/?xVJtG4Th=8j5ZDxP5Kjr1GqC+NJhJWhBuUGifdIvct6dCH9aw24IiMW6kEE6uvcqT9EmS++Kc3UzZ5CjP&1bw=L6Adp0uXjfuLdDA0
request POST http://www.colonelabrams.com/pusp/
request POST http://www.georgialogisticscontractors.com/pusp/
request POST http://www.fanaticscardgroup.com/pusp/
request POST http://www.fieldsauction.online/pusp/
request POST http://www.ez8-pay.com/pusp/
request POST http://www.morgsanusa.com/pusp/
request POST http://www.nm-ent.com/pusp/
request POST http://www.geemove.com/pusp/
request POST http://www.advancedautoair.repair/pusp/
request POST http://www.dhgjjtq.com/pusp/
request POST http://www.usfiltros.com/pusp/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728d2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2240
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00850000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsn6432.tmp\sujtihuutte.dll
file C:\Users\test22\AppData\Local\Temp\nsn6432.tmp\sujtihuutte.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2240
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000214
1 0 0
Process injection Process 1016 called NtSetContextThread to modify thread in remote process 2240
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314288
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000210
process_identifier: 2240
1 0 0
Bkav W32.AIDetect.malware2
Lionic Trojan.Win32.Malicious.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Zum.Androm.1
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Cybereason malicious.d4ba71
Arcabit Zum.Androm.1
BitDefenderTheta Gen:NN.ZedlaF.34170.bu4@aO2hfrmi
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.EQFJ
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Zum.Androm.1
Avast FileRepMalware
Sophos Mal/Generic-S
McAfee-GW-Edition BehavesLike.Win32.VTFlooder.dc
FireEye Generic.mg.7e17686d4ba718b4
Emsisoft Zum.Androm.1 (B)
SentinelOne Static AI - Malicious PE
Avira TR/Crypt.ZPACK.Gen
MAX malware (ai score=85)
Microsoft Trojan:Script/Phonzy.B!ml
GData Zum.Androm.1
Cynet Malicious (score: 100)
McAfee Artemis!7E17686D4BA7
TrendMicro-HouseCall TROJ_GEN.R002H0DJ421
AVG FileRepMalware
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2244
thread_handle: 0x00000210
process_identifier: 2240
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\mxo.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\mxo.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\mxo.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000214
1 1 0

NtGetContextThread

 thread_handle: 0x00000210
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2240
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000214
1 0 0

NtSetContextThread

 registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314288
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000210
process_identifier: 2240
1 0 0