Summary | ZeroBOX

Mfile.exe

NSIS Malicious Library UPX PE File DLL OS Processor Check PE32
Category FILE
Machine s1_win7_x6401
Started Oct. 29, 2021, 9:03 a.m.
Completed Oct. 29, 2021, 9:10 a.m.
Size 281.2KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 674fb73b1fd08e6778e47debcb1c3a6c
SHA256 9a6e0dd1aa4fe9b84fd6addd707202aacf0e296c30ab3e49fa2e1aed6dba4ad3
CRC32 C4F12267
ssdeep 6144:wBlL/ckYPiEyVpGscQ9bOVDuAUn6RyX/QCRx6Z+p2t:CeLhyVpWQ85UnMyoiUZ+a
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49203 -> 130.211.40.170:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 130.211.40.170:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49203 -> 130.211.40.170:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 198.54.117.212:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 198.54.117.212:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 198.54.117.212:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 64.68.200.44:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 64.68.200.44:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 64.68.200.44:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1 return: 1 repeated: 0
section .ndata
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.fluttermixtures.com/btn2/?Bh=RbtSph0VL15EBLRPHmyYLGfYbVcQX3SOUU6PUyI4zaQw+Nl5dejQmqICrMIftnxcgscMpiXv&SzulsJ=9rV872vP_0fDj
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.greatdesigns.net/btn2/?Bh=ahXCd/GvrCToH6QNgUAz2eOIJc+aa9K5tSOdXWaZwg3Pe+PdCCKDxsMmVKTkbvQ4mmwbxnMF&SzulsJ=9rV872vP_0fDj
suspicious_features: GET method with no useragent header
suspicious_request: GET http://www.entyrcrypto.com/btn2/?Bh=ACPkNsXTo6dilfq45Lra3uW/+TPD4AUv4Am4UzDI5UY8j0ej46TPxke+wVsBoD1KjZrSje0k&SzulsJ=9rV872vP_0fDj
request GET http://www.fluttermixtures.com/btn2/?Bh=RbtSph0VL15EBLRPHmyYLGfYbVcQX3SOUU6PUyI4zaQw+Nl5dejQmqICrMIftnxcgscMpiXv&SzulsJ=9rV872vP_0fDj
request GET http://www.greatdesigns.net/btn2/?Bh=ahXCd/GvrCToH6QNgUAz2eOIJc+aa9K5tSOdXWaZwg3Pe+PdCCKDxsMmVKTkbvQ4mmwbxnMF&SzulsJ=9rV872vP_0fDj
request GET http://www.entyrcrypto.com/btn2/?Bh=ACPkNsXTo6dilfq45Lra3uW/+TPD4AUv4Am4UzDI5UY8j0ej46TPxke+wVsBoD1KjZrSje0k&SzulsJ=9rV872vP_0fDj
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728d2000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73797000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00850000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
file C:\Users\test22\AppData\Local\Temp\nsz657A.tmp\bswoilovvys.dll
file C:\Users\test22\AppData\Local\Temp\nsz657A.tmp\bswoilovvys.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
status: 1 return: 1 repeated: 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000234
status: 1 return: 0 repeated: 0
Process injection Process 2648 called NtSetContextThread to modify thread in remote process 2852
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321632
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000230
process_identifier: 2852
status: 1 return: 0 repeated: 0
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.2
FireEye Generic.mg.674fb73b1fd08e67
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Cybereason malicious.b1fd08
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Trojan.Win32.Zapchast.gen
BitDefender Trojan.NSISX.Spy.Gen.2
Sophos Generic ML PUA (PUA)
McAfee-GW-Edition BehavesLike.Win32.Puper.dc
Emsisoft Trojan.NSISX.Spy.Gen.2 (B)
SentinelOne Static AI - Malicious PE
MAX malware (ai score=85)
Microsoft Trojan:Win32/Azorult!ml
Arcabit Trojan.NSISX.Spy.Gen.2
GData Zum.Androm.1
Cynet Malicious (score: 100)
Fortinet W32/Injector.EQKA!tr
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2228
thread_handle: 0x00000230
process_identifier: 2852
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\Mfile.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\Mfile.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\Mfile.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000234
status: 1 return: 1 repeated: 0

NtGetContextThread

thread_handle: 0x00000230
status: 1 return: 0 repeated: 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000234
status: 1 return: 0 repeated: 0

NtSetContextThread

registers.eip: 2000355780
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321632
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000230
process_identifier: 2852
status: 1 return: 0 repeated: 0