popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

maxi.exe

NSIS Malicious Library UPX PE File DLL OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 29, 2021, 9:04 a.m. Oct. 29, 2021, 9:12 a.m.
Size 282.6KB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 1bcd242e21181da424e62eba71f13e1d
SHA256 8a13ce3da212f3557c8d3f43a375fa6e030b400c2da2ca9701bed88f839863fc
CRC32 0A259CEA
ssdeep 6144:wBlL/cMN5CcwzeG1a9HswxO3GsWif3qFKdzIKLXTQhx:CeMN56emEHeGsd/qFJKPC
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • NSIS_Installer - Null Soft Installer

Name Response Post-Analysis Lookup
www.4pxshop.com
A 35.163.64.160
CNAME 4pxshop.com
35.163.64.160
www.klhcn.com
A 154.26.211.192
CNAME klhcn.com
154.26.211.192
www.bonitacandle.com
www.skinpromelaka.com
A 172.217.31.243
CNAME ghs.googlehosted.com
142.250.196.115
IP Address Status Action
154.26.211.192 Active Moloch
164.124.101.2 Active Moloch
172.217.31.243 Active Moloch
35.163.64.160 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49172 -> 172.217.31.243:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 172.217.31.243:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 172.217.31.243:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 35.163.64.160:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 35.163.64.160:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 35.163.64.160:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 154.26.211.192:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 154.26.211.192:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 154.26.211.192:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
section .ndata
suspicious_features GET method with no useragent header suspicious_request GET http://www.4pxshop.com/dyh6/?tXU=ntm2ZTI4g5cQhbWRMk1O8xwmxYBvjw0fH58qVVLRtQQKF9nwB6i3bkwWoo+tGLEMnprQxBoF&UlSp=GVgT1hY8x6yXQt
suspicious_features GET method with no useragent header suspicious_request GET http://www.skinpromelaka.com/dyh6/?tXU=r1WEwJI6U+VJeP6bM+vVAjaf5cE+e2ck5sKejeK8Jz1UX1ZVwLVUK5qASeGYHxK/W/J+g9Ox&UlSp=GVgT1hY8x6yXQt
suspicious_features GET method with no useragent header suspicious_request GET http://www.klhcn.com/dyh6/?tXU=QJfkTbwg0uEmySK3KrbdDchdupippK/2Is82vyMjuQlTN9/UWGf/9z/norFUEOTmO+iBC3Fh&UlSp=GVgT1hY8x6yXQt
request GET http://www.4pxshop.com/dyh6/?tXU=ntm2ZTI4g5cQhbWRMk1O8xwmxYBvjw0fH58qVVLRtQQKF9nwB6i3bkwWoo+tGLEMnprQxBoF&UlSp=GVgT1hY8x6yXQt
request GET http://www.skinpromelaka.com/dyh6/?tXU=r1WEwJI6U+VJeP6bM+vVAjaf5cE+e2ck5sKejeK8Jz1UX1ZVwLVUK5qASeGYHxK/W/J+g9Ox&UlSp=GVgT1hY8x6yXQt
request GET http://www.klhcn.com/dyh6/?tXU=QJfkTbwg0uEmySK3KrbdDchdupippK/2Is82vyMjuQlTN9/UWGf/9z/norFUEOTmO+iBC3Fh&UlSp=GVgT1hY8x6yXQt
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e87000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2512
region_size: 3158016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\nsl924.tmp\rucwc.dll
file C:\Users\test22\AppData\Local\Temp\nsl924.tmp\rucwc.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2512
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000220
1 0 0
Process injection Process 2336 called NtSetContextThread to modify thread in remote process 2512
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2002059716
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321456
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000021c
process_identifier: 2512
1 0 0
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.NSISX.Spy.Gen.2
FireEye Generic.mg.1bcd242e21181da4
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Arcabit Zum.Androm.1
ESET-NOD32 a variant of Win32/Injector.EQKK
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.NSISX.Spy.Gen.2
Emsisoft Trojan.NSISX.Spy.Gen.2 (B)
McAfee-GW-Edition BehavesLike.Win32.Puper.dc
Sophos Generic ML PUA (PUA)
Ikarus Trojan.NSIS.Agent
Microsoft Trojan:Win32/Azorult!ml
ZoneAlarm HEUR:Trojan.Win32.Zapchast.gen
GData Zum.Androm.1
Cynet Malicious (score: 100)
MAX malware (ai score=83)
SentinelOne Static AI - Malicious PE
Fortinet W32/Injector.EQKA!tr
Cybereason malicious.e21181
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 1336
thread_handle: 0x0000021c
process_identifier: 2512
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\maxi.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\maxi.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\maxi.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000220
1 1 0

NtGetContextThread

 thread_handle: 0x0000021c
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2512
region_size: 192512
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000220
1 0 0

NtSetContextThread

 registers.eip: 2002059716
registers.esp: 1638384
registers.edi: 0
registers.eax: 4321456
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000021c
process_identifier: 2512
1 0 0