popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

cxl.exe

NSIS Malicious Library PE32 PE File DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Oct. 5, 2021, 5:46 p.m. Oct. 5, 2021, 5:49 p.m.
Size 440.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 f51da2ac8cdfc1ff41921f0fceee4514
SHA256 f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175
CRC32 1F154596
ssdeep 6144:A8LxB6aF6vedt/reTPFRpgSdtk+rPYQUJeOiAzsSmIAIjn8PORYHlNTeYr:yW6wRru/pgnwPAJ5FwSiPVFr
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • NSIS_Installer - Null Soft Installer

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49167 -> 183.181.96.123:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 52.118.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 52.118.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 183.181.96.123:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 194.9.94.86:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49172 -> 52.118.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 183.181.96.123:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 194.9.94.86:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 194.9.94.86:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 172.67.131.184:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 172.67.131.184:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 172.67.131.184:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49171 -> 172.67.131.184:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.102:49174 -> 172.67.131.184:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 172.67.131.184:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 172.67.131.184:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 172.67.131.184:80 2031088 ET HUNTING Request to .XYZ Domain with Minimal Headers Potentially Bad Traffic
TCP 192.168.56.102:49168 -> 34.102.136.180:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 34.102.136.180:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 34.102.136.180:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 178.32.114.31:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 178.32.114.31:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49173 -> 178.32.114.31:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 68.65.123.42:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 68.65.123.42:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49170 -> 68.65.123.42:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.number-is-04.net/noha/?-Z=533EpRLMvdGd3LnMjF6P5H4aqTXvZDN7WJAPd7m9vKZsB2Z3JtcedJpU+7lZs6mIB3YhcvB0&rZ=X48HRfqP
suspicious_features GET method with no useragent header suspicious_request GET http://www.jillianvansice.com/noha/?-Z=bTEtFpzNECc+Zd5QB8tCW0UsQG/fhyCLGPTCJuWDJdj6hcfbAUUaBGVN8lsGkgtE30da91+N&rZ=X48HRfqP
suspicious_features GET method with no useragent header suspicious_request GET http://www.pixlrz.com/noha/?-Z=pbWa/Zt+jrM37Qkna2LUMphJ1OY8Arc0yZpnLLVq+3NFtdjGEGVpqkOGzVDKwJoEZyTRHeQT&rZ=X48HRfqP
suspicious_features GET method with no useragent header suspicious_request GET http://www.onlyforu14.rest/noha/?-Z=P/l8qiYiqt8kvrDBUGtG7DlBr1gw3QxKROVjrB5CU3iUOyLfx1uglQZs8tc2Ej0fs967LZqC&rZ=X48HRfqP
suspicious_features GET method with no useragent header suspicious_request GET http://www.trailer-racks.xyz/noha/?-Z=Ou7YUPBTFqGSK3DvNmtMJgItTS2fZVPHMamwR7WZ66jVlUXAfwWzjD3kZpIOV1hCTXPt1LBU&rZ=X48HRfqP
suspicious_features GET method with no useragent header suspicious_request GET http://www.unarecord.com/noha/?-Z=YvZkpRzIvhyEmlzzRS448ue/J8Mk5cJYV8d0kFvUSx81G2wer5LDh4vokaiGyVzfr6bGhK1c&rZ=X48HRfqP
suspicious_features GET method with no useragent header suspicious_request GET http://www.bois-applique.com/noha/?-Z=bUhQERLpyNF3S/4WPZx/2yInVQcXiLPDhxdoMCXhoM+5+115cTKOZoaz7w3+FhRX4eW13PBz&rZ=X48HRfqP
suspicious_features GET method with no useragent header suspicious_request GET http://www.trailer-racks.xyz/noha/?-Z=Ou7YUPBTFqGSK3DvNmtMJgItTS2fZVPHMamwR7WZ66jVlUXAfwWzjD3kZpIOV1hCTXPt1LBU&9r4P-=J4k0
request GET http://www.number-is-04.net/noha/?-Z=533EpRLMvdGd3LnMjF6P5H4aqTXvZDN7WJAPd7m9vKZsB2Z3JtcedJpU+7lZs6mIB3YhcvB0&rZ=X48HRfqP
request GET http://www.jillianvansice.com/noha/?-Z=bTEtFpzNECc+Zd5QB8tCW0UsQG/fhyCLGPTCJuWDJdj6hcfbAUUaBGVN8lsGkgtE30da91+N&rZ=X48HRfqP
request GET http://www.pixlrz.com/noha/?-Z=pbWa/Zt+jrM37Qkna2LUMphJ1OY8Arc0yZpnLLVq+3NFtdjGEGVpqkOGzVDKwJoEZyTRHeQT&rZ=X48HRfqP
request GET http://www.onlyforu14.rest/noha/?-Z=P/l8qiYiqt8kvrDBUGtG7DlBr1gw3QxKROVjrB5CU3iUOyLfx1uglQZs8tc2Ej0fs967LZqC&rZ=X48HRfqP
request GET http://www.trailer-racks.xyz/noha/?-Z=Ou7YUPBTFqGSK3DvNmtMJgItTS2fZVPHMamwR7WZ66jVlUXAfwWzjD3kZpIOV1hCTXPt1LBU&rZ=X48HRfqP
request GET http://www.unarecord.com/noha/?-Z=YvZkpRzIvhyEmlzzRS448ue/J8Mk5cJYV8d0kFvUSx81G2wer5LDh4vokaiGyVzfr6bGhK1c&rZ=X48HRfqP
request GET http://www.bois-applique.com/noha/?-Z=bUhQERLpyNF3S/4WPZx/2yInVQcXiLPDhxdoMCXhoM+5+115cTKOZoaz7w3+FhRX4eW13PBz&rZ=X48HRfqP
request GET http://www.trailer-racks.xyz/noha/?-Z=Ou7YUPBTFqGSK3DvNmtMJgItTS2fZVPHMamwR7WZ66jVlUXAfwWzjD3kZpIOV1hCTXPt1LBU&9r4P-=J4k0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73542000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00930000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nst7CFA.tmp\iivedwr.dll
file C:\Users\test22\AppData\Local\Temp\nst7CFA.tmp\iivedwr.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000230
1 0 0
Process injection Process 672 called NtSetContextThread to modify thread in remote process 2864
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2007957956
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314256
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000022c
process_identifier: 2864
1 0 0
Lionic Trojan.Win32.Malicious.4!c
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.2
FireEye Generic.mg.f51da2ac8cdfc1ff
McAfee Artemis!F51DA2AC8CDF
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Arcabit Zum.Androm.1
Symantec Packed.Generic.606
ESET-NOD32 a variant of Win32/Injector.EQFA
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:Trojan-Spy.Win32.Noon.gen
BitDefender Trojan.NSISX.Spy.Gen.2
Emsisoft Trojan.NSISX.Spy.Gen.2 (B)
McAfee-GW-Edition BehavesLike.Win32.Dropper.gh
Sophos Mal/Generic-S
Microsoft Trojan:Win32/Lokibot.SISN!MTB
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Zum.Androm.1
Cynet Malicious (score: 100)
MAX malware (ai score=89)
SentinelOne Static AI - Malicious PE
Fortinet W32/Injector.EQDZ!tr
AVG FileRepMalware
Avast FileRepMalware
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 972
thread_handle: 0x0000022c
process_identifier: 2864
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\cxl.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\cxl.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\cxl.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000230
1 1 0

NtGetContextThread

 thread_handle: 0x0000022c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 167936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000230
1 0 0

NtSetContextThread

 registers.eip: 2007957956
registers.esp: 1638384
registers.edi: 0
registers.eax: 4314256
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000022c
process_identifier: 2864
1 0 0